// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef SANDBOX_LINUX_SECCOMP_BPF_LINUX_SECCOMP_H__
#define SANDBOX_LINUX_SECCOMP_BPF_LINUX_SECCOMP_H__

// The Seccomp2 kernel ABI is not part of older versions of glibc.
// As we can't break compilation with these versions of the library,
// we explicitly define all missing symbols.
// If we ever decide that we can now rely on system headers, the following
// include files should be enabled:
// #include <linux/audit.h>
// #include <linux/seccomp.h>
//
// NOTE(review): every fallback below is wrapped in #ifndef, so a system
// header that already defines the symbol takes precedence. The values
// defined here are part of the kernel ABI and have to match the kernel's
// definitions exactly; nothing in this header verifies that at compile time.

#include <asm/unistd.h>
#include <linux/filter.h>

#include <sys/cdefs.h>
// Old Bionic versions do not have sys/user.h. The if can be removed once we no
// longer need to support these old Bionic versions.
// All x86_64 builds use a new enough bionic to have sys/user.h.
#if !defined(__BIONIC__) || defined(__x86_64__)
#include <sys/user.h>
#endif

// For audit.h
// ELF machine numbers (e_machine), used below to build the AUDIT_ARCH_*
// values.
#ifndef EM_ARM
#define EM_ARM 40
#endif
#ifndef EM_386
#define EM_386 3
#endif
#ifndef EM_X86_64
#define EM_X86_64 62
#endif

// Flag bits OR'ed into the machine number to form an AUDIT_ARCH_* value.
#ifndef __AUDIT_ARCH_64BIT
#define __AUDIT_ARCH_64BIT 0x80000000
#endif
#ifndef __AUDIT_ARCH_LE
#define __AUDIT_ARCH_LE 0x40000000
#endif
// Note that all three supported targets are little-endian (__AUDIT_ARCH_LE);
// the +0/+4 half-word offsets used by the *_IDX macros further down rely on
// that.
#ifndef AUDIT_ARCH_ARM
#define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE)
#endif
#ifndef AUDIT_ARCH_I386
#define AUDIT_ARCH_I386 (EM_386|__AUDIT_ARCH_LE)
#endif
#ifndef AUDIT_ARCH_X86_64
#define AUDIT_ARCH_X86_64 (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
#endif

// For prctl.h
// NOTE(review): each pair is guarded by its SET symbol only, so this assumes
// the system headers define both members of a pair or neither; a header that
// provides only PR_GET_SECCOMP would trigger a macro redefinition.
#ifndef PR_SET_SECCOMP
#define PR_SET_SECCOMP 22
#define PR_GET_SECCOMP 21
#endif
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#define PR_GET_NO_NEW_PRIVS 39
#endif
#ifndef IPC_64
#define IPC_64 0x0100
#endif

// BPF ALU opcodes (modulo, exclusive-or) that older <linux/filter.h> lack.
#ifndef BPF_MOD
#define BPF_MOD 0x90
#endif
#ifndef BPF_XOR
#define BPF_XOR 0xA0
#endif

// In order to build with older tool chains, we currently have to avoid
// including <linux/seccomp.h>. Until that can be fixed (if ever), rely on
// our own definitions of the seccomp kernel ABI.
#ifndef SECCOMP_MODE_FILTER
#define SECCOMP_MODE_DISABLED 0
#define SECCOMP_MODE_STRICT 1
#define SECCOMP_MODE_FILTER 2 // Use a user-supplied filter
#endif

#ifndef SECCOMP_RET_KILL
// Return values supported for BPF filter programs. Please note that the
// "illegal" SECCOMP_RET_INVALID is not supported by the kernel, should only
// ever be used internally, and would result in the kernel killing our process.
// The upper 16 bits (SECCOMP_RET_ACTION) select the action; the lower 16 bits
// (SECCOMP_RET_DATA) carry the action's payload, e.g. the errno value for
// SECCOMP_RET_ERRNO.
#define SECCOMP_RET_KILL 0x00000000U // Kill the task immediately
#define SECCOMP_RET_INVALID 0x00010000U // Illegal return value
#define SECCOMP_RET_TRAP 0x00030000U // Disallow and force a SIGSYS
#define SECCOMP_RET_ERRNO 0x00050000U // Returns an errno
#define SECCOMP_RET_TRACE 0x7ff00000U // Pass to a tracer or disallow
#define SECCOMP_RET_ALLOW 0x7fff0000U // Allow
#define SECCOMP_RET_ACTION 0xffff0000U // Mask: action part of the return value
#define SECCOMP_RET_DATA 0x0000ffffU // Mask: data part of the return value
#else
// Even with system headers present, SECCOMP_RET_INVALID is our own invention
// and is never provided by the kernel.
#define SECCOMP_RET_INVALID 0x00010000U // Illegal return value
#endif

// si_code of the SIGSYS delivered for SECCOMP_RET_TRAP, so a signal handler
// can tell a seccomp trap from other SIGSYS sources.
#ifndef SYS_SECCOMP
#define SYS_SECCOMP 1
#endif

// Impose some reasonable maximum BPF program size. Realistically, the
// kernel probably has much lower limits. But by limiting to less than
// 30 bits, we can ease requirements on some of our data types.
#define SECCOMP_MAX_PROGRAM_SIZE (1<<30)

// Per-architecture definitions. Each branch provides:
//   MIN_SYSCALL / MAX_SYSCALL / MAX_PUBLIC_SYSCALL - syscall number range.
//   SECCOMP_ARCH            - the AUDIT_ARCH_* value for this target. A filter
//                             is expected to compare seccomp_data.arch against
//                             it before trusting the syscall number, since
//                             numbers differ between ABIs (confirm in the
//                             filter code; this header only supplies the value).
//   SECCOMP_REG/SECCOMP_*(_ctx) - accessors into a ucontext's uc_mcontext,
//                             presumably the context handed to a SIGSYS
//                             handler.
//   SECCOMP_*_IDX           - byte offsets into struct arch_seccomp_data,
//                             evidently meant as BPF absolute-load offsets.
//                             64-bit fields are split into two 32-bit halves;
//                             +0 is the least significant half only because
//                             every supported target is little-endian.
//   regs_struct / SECCOMP_PT_*(_regs) - accessors into a ptrace-style register
//                             dump.
// NOTE(review): struct arch_seccomp_data and offsetof() are not declared or
// included here; they must be in scope before the *_IDX macros are expanded.
// The bare type names in the non-Bionic typedefs (user_regs_struct,
// user_regs) only resolve in C++; C would need the struct keyword.
#if defined(__i386__)
#define MIN_SYSCALL 0u
#define MAX_PUBLIC_SYSCALL 1024u
#define MAX_SYSCALL MAX_PUBLIC_SYSCALL
#define SECCOMP_ARCH AUDIT_ARCH_I386

#define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.gregs[(_reg)])
// i386 syscall convention: number and result in EAX, arguments in
// EBX, ECX, EDX, ESI, EDI, EBP.
#define SECCOMP_RESULT(_ctx) SECCOMP_REG(_ctx, REG_EAX)
#define SECCOMP_SYSCALL(_ctx) SECCOMP_REG(_ctx, REG_EAX)
#define SECCOMP_IP(_ctx) SECCOMP_REG(_ctx, REG_EIP)
#define SECCOMP_PARM1(_ctx) SECCOMP_REG(_ctx, REG_EBX)
#define SECCOMP_PARM2(_ctx) SECCOMP_REG(_ctx, REG_ECX)
#define SECCOMP_PARM3(_ctx) SECCOMP_REG(_ctx, REG_EDX)
#define SECCOMP_PARM4(_ctx) SECCOMP_REG(_ctx, REG_ESI)
#define SECCOMP_PARM5(_ctx) SECCOMP_REG(_ctx, REG_EDI)
#define SECCOMP_PARM6(_ctx) SECCOMP_REG(_ctx, REG_EBP)
#define SECCOMP_NR_IDX (offsetof(struct arch_seccomp_data, nr))
#define SECCOMP_ARCH_IDX (offsetof(struct arch_seccomp_data, arch))
#define SECCOMP_IP_MSB_IDX (offsetof(struct arch_seccomp_data, \
instruction_pointer) + 4)
#define SECCOMP_IP_LSB_IDX (offsetof(struct arch_seccomp_data, \
instruction_pointer) + 0)
// Each args[] entry is 8 bytes wide, hence the 8*(nr) stride.
#define SECCOMP_ARG_MSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
8*(nr) + 4)
#define SECCOMP_ARG_LSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
8*(nr) + 0)


#if defined(__BIONIC__)
// Old Bionic versions don't have sys/user.h, so we just define regs_struct
// directly. This can be removed once we no longer need to support these old
// Bionic versions.
// The field order must stay identical to the user_regs_struct it stands in
// for, since the SECCOMP_PT_* accessors below are shared by both.
struct regs_struct {
long int ebx;
long int ecx;
long int edx;
long int esi;
long int edi;
long int ebp;
long int eax;
long int xds;
long int xes;
long int xfs;
long int xgs;
long int orig_eax;
long int eip;
long int xcs;
long int eflags;
long int esp;
long int xss;
};
#else
typedef user_regs_struct regs_struct;
#endif

// Note the asymmetry: the result is read from eax, but the syscall number
// from orig_eax, because eax is overwritten by the return value.
#define SECCOMP_PT_RESULT(_regs) (_regs).eax
#define SECCOMP_PT_SYSCALL(_regs) (_regs).orig_eax
#define SECCOMP_PT_IP(_regs) (_regs).eip
#define SECCOMP_PT_PARM1(_regs) (_regs).ebx
#define SECCOMP_PT_PARM2(_regs) (_regs).ecx
#define SECCOMP_PT_PARM3(_regs) (_regs).edx
#define SECCOMP_PT_PARM4(_regs) (_regs).esi
#define SECCOMP_PT_PARM5(_regs) (_regs).edi
#define SECCOMP_PT_PARM6(_regs) (_regs).ebp

#elif defined(__x86_64__)
#define MIN_SYSCALL 0u
#define MAX_PUBLIC_SYSCALL 1024u
#define MAX_SYSCALL MAX_PUBLIC_SYSCALL
#define SECCOMP_ARCH AUDIT_ARCH_X86_64

#define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.gregs[(_reg)])
// x86_64 syscall convention: number and result in RAX, arguments in
// RDI, RSI, RDX, R10, R8, R9 (R10 rather than RCX, as for the syscall
// instruction).
#define SECCOMP_RESULT(_ctx) SECCOMP_REG(_ctx, REG_RAX)
#define SECCOMP_SYSCALL(_ctx) SECCOMP_REG(_ctx, REG_RAX)
#define SECCOMP_IP(_ctx) SECCOMP_REG(_ctx, REG_RIP)
#define SECCOMP_PARM1(_ctx) SECCOMP_REG(_ctx, REG_RDI)
#define SECCOMP_PARM2(_ctx) SECCOMP_REG(_ctx, REG_RSI)
#define SECCOMP_PARM3(_ctx) SECCOMP_REG(_ctx, REG_RDX)
#define SECCOMP_PARM4(_ctx) SECCOMP_REG(_ctx, REG_R10)
#define SECCOMP_PARM5(_ctx) SECCOMP_REG(_ctx, REG_R8)
#define SECCOMP_PARM6(_ctx) SECCOMP_REG(_ctx, REG_R9)
// The *_IDX offsets are the same on every architecture in this header; they
// describe the layout of struct arch_seccomp_data, not the register file.
#define SECCOMP_NR_IDX (offsetof(struct arch_seccomp_data, nr))
#define SECCOMP_ARCH_IDX (offsetof(struct arch_seccomp_data, arch))
#define SECCOMP_IP_MSB_IDX (offsetof(struct arch_seccomp_data, \
instruction_pointer) + 4)
#define SECCOMP_IP_LSB_IDX (offsetof(struct arch_seccomp_data, \
instruction_pointer) + 0)
#define SECCOMP_ARG_MSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
8*(nr) + 4)
#define SECCOMP_ARG_LSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
8*(nr) + 0)

// x86_64 always has sys/user.h (see the include guard at the top), so no
// Bionic fallback struct is needed here.
typedef user_regs_struct regs_struct;
#define SECCOMP_PT_RESULT(_regs) (_regs).rax
#define SECCOMP_PT_SYSCALL(_regs) (_regs).orig_rax
#define SECCOMP_PT_IP(_regs) (_regs).rip
#define SECCOMP_PT_PARM1(_regs) (_regs).rdi
#define SECCOMP_PT_PARM2(_regs) (_regs).rsi
#define SECCOMP_PT_PARM3(_regs) (_regs).rdx
#define SECCOMP_PT_PARM4(_regs) (_regs).r10
#define SECCOMP_PT_PARM5(_regs) (_regs).r8
#define SECCOMP_PT_PARM6(_regs) (_regs).r9

#elif defined(__arm__) && (defined(__thumb__) || defined(__ARM_EABI__))
// ARM EABI includes "ARM private" system calls starting at |__ARM_NR_BASE|,
// and a "ghost syscall private to the kernel", cmpxchg,
// at |__ARM_NR_BASE+0x00fff0|.
// See </arch/arm/include/asm/unistd.h> in the Linux kernel.
// Unlike i386/x86_64, the syscall number space is therefore not contiguous:
// [MIN_SYSCALL, MAX_PUBLIC_SYSCALL), [MIN_PRIVATE_SYSCALL, MAX_PRIVATE_SYSCALL)
// and [MIN_GHOST_SYSCALL, MAX_SYSCALL). Callers that range-check syscall
// numbers need to handle all three ranges.
#define MIN_SYSCALL ((unsigned int)__NR_SYSCALL_BASE)
#define MAX_PUBLIC_SYSCALL (MIN_SYSCALL + 1024u)
#define MIN_PRIVATE_SYSCALL ((unsigned int)__ARM_NR_BASE)
#define MAX_PRIVATE_SYSCALL (MIN_PRIVATE_SYSCALL + 16u)
#define MIN_GHOST_SYSCALL ((unsigned int)__ARM_NR_BASE + 0xfff0u)
#define MAX_SYSCALL (MIN_GHOST_SYSCALL + 4u)

#define SECCOMP_ARCH AUDIT_ARCH_ARM

// ARM sigcontext_t is different from i386/x86_64.
// See </arch/arm/include/asm/sigcontext.h> in the Linux kernel.
// The register name is token-pasted onto the arm_ prefix, so the second
// argument must be a bare register name (r0, pc, ...), not an index.
#define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.arm_##_reg)
// ARM EABI syscall convention: number in r7, result in r0, arguments in
// r0-r5. Note that r0 is both the first argument and the result register.
#define SECCOMP_RESULT(_ctx) SECCOMP_REG(_ctx, r0)
#define SECCOMP_SYSCALL(_ctx) SECCOMP_REG(_ctx, r7)
#define SECCOMP_IP(_ctx) SECCOMP_REG(_ctx, pc)
#define SECCOMP_PARM1(_ctx) SECCOMP_REG(_ctx, r0)
#define SECCOMP_PARM2(_ctx) SECCOMP_REG(_ctx, r1)
#define SECCOMP_PARM3(_ctx) SECCOMP_REG(_ctx, r2)
#define SECCOMP_PARM4(_ctx) SECCOMP_REG(_ctx, r3)
#define SECCOMP_PARM5(_ctx) SECCOMP_REG(_ctx, r4)
#define SECCOMP_PARM6(_ctx) SECCOMP_REG(_ctx, r5)
#define SECCOMP_NR_IDX (offsetof(struct arch_seccomp_data, nr))
#define SECCOMP_ARCH_IDX (offsetof(struct arch_seccomp_data, arch))
#define SECCOMP_IP_MSB_IDX (offsetof(struct arch_seccomp_data, \
instruction_pointer) + 4)
#define SECCOMP_IP_LSB_IDX (offsetof(struct arch_seccomp_data, \
instruction_pointer) + 0)
#define SECCOMP_ARG_MSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
8*(nr) + 4)
#define SECCOMP_ARG_LSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
8*(nr) + 0)

#if defined(__BIONIC__)
// Old Bionic versions don't have sys/user.h, so we just define regs_struct
// directly. This can be removed once we no longer need to support these old
// Bionic versions.
// 18 slots: r0-r15 at indices 0-15, cpsr at 16 and the original r0 at 17,
// as named by the REG_* index macros below.
struct regs_struct {
unsigned long uregs[18];
};
#else
typedef user_regs regs_struct;
#endif

// Index macros mapping register names onto uregs[] slots.
// NOTE(review): these are unprefixed, project-global macro names; keep an eye
// on collisions with other headers that use a REG_ namespace.
#define REG_cpsr uregs[16]
#define REG_pc uregs[15]
#define REG_lr uregs[14]
#define REG_sp uregs[13]
#define REG_ip uregs[12]
#define REG_fp uregs[11]
#define REG_r10 uregs[10]
#define REG_r9 uregs[9]
#define REG_r8 uregs[8]
#define REG_r7 uregs[7]
#define REG_r6 uregs[6]
#define REG_r5 uregs[5]
#define REG_r4 uregs[4]
#define REG_r3 uregs[3]
#define REG_r2 uregs[2]
#define REG_r1 uregs[1]
#define REG_r0 uregs[0]
#define REG_ORIG_r0 uregs[17]

// Unlike the i386/x86_64 branches, SECCOMP_PT_PARM1 and SECCOMP_PT_RESULT
// both read r0 here rather than the saved REG_ORIG_r0; whether that is
// intended for the ptrace path is worth confirming with the callers.
#define SECCOMP_PT_RESULT(_regs) (_regs).REG_r0
#define SECCOMP_PT_SYSCALL(_regs) (_regs).REG_r7
#define SECCOMP_PT_IP(_regs) (_regs).REG_pc
#define SECCOMP_PT_PARM1(_regs) (_regs).REG_r0
#define SECCOMP_PT_PARM2(_regs) (_regs).REG_r1
#define SECCOMP_PT_PARM3(_regs) (_regs).REG_r2
#define SECCOMP_PT_PARM4(_regs) (_regs).REG_r3
#define SECCOMP_PT_PARM5(_regs) (_regs).REG_r4
#define SECCOMP_PT_PARM6(_regs) (_regs).REG_r5

#else
// Fail loudly rather than silently building a sandbox with no architecture
// definitions.
#error Unsupported target platform

#endif

#endif // SANDBOX_LINUX_SECCOMP_BPF_LINUX_SECCOMP_H__