1 /* 2 * seccomp example for x86 (32-bit and 64-bit) with BPF macros 3 * 4 * Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev (at) chromium.org> 5 * Authors: 6 * Will Drewry <wad (at) chromium.org> 7 * Kees Cook <keescook (at) chromium.org> 8 * 9 * Use of this source code is governed by a BSD-style license that can be 10 * found in the LICENSE file. 11 * 12 * A stripped down version of the file found in this tutorial: http://outflux.net/teach-seccomp/. 13 */ 14 #ifndef _SECCOMP_BPF_H_ 15 #define _SECCOMP_BPF_H_ 16 17 #define _GNU_SOURCE 1 18 #include <stdio.h> 19 #include <stddef.h> 20 #include <stdlib.h> 21 #include <errno.h> 22 #include <signal.h> 23 #include <string.h> 24 #include <unistd.h> 25 26 #include <sys/prctl.h> 27 #ifndef PR_SET_NO_NEW_PRIVS 28 # define PR_SET_NO_NEW_PRIVS 38 29 #endif 30 31 #include <linux/unistd.h> 32 #include <linux/audit.h> 33 #include <linux/filter.h> 34 #ifdef HAVE_LINUX_SECCOMP_H 35 # include <linux/seccomp.h> 36 #endif 37 #ifndef SECCOMP_MODE_FILTER 38 # define SECCOMP_MODE_FILTER 2 /* uses user-supplied filter. */ 39 # define SECCOMP_RET_KILL 0x00000000U /* kill the task immediately */ 40 # define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */ 41 # define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */ 42 struct seccomp_data { 43 int nr; 44 __u32 arch; 45 __u64 instruction_pointer; 46 __u64 args[6]; 47 }; 48 #endif 49 #ifndef SYS_SECCOMP 50 # define SYS_SECCOMP 1 51 #endif 52 53 #define syscall_nr (offsetof(struct seccomp_data, nr)) 54 55 #define EXAMINE_SYSCALL \ 56 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, syscall_nr) 57 58 #define ALLOW_SYSCALL(name) \ 59 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \ 60 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) 61 62 #define KILL_PROCESS \ 63 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) 64 65 #endif /* _SECCOMP_BPF_H_ */ 66
