// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_
#define SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_

#include <signal.h>
#include <stdint.h>
#include <sys/types.h>

#include <cstddef>

#include "sandbox/sandbox_export.h"

// Kernel ABI structures. They are only forward-declared here because the
// wrappers below refer to them through pointers alone.
struct sock_fprog;
struct rlimit64;
struct cap_hdr;
struct cap_data;

namespace sandbox {

// Thin wrappers that issue the named system call directly. Every call is
// guaranteed to enter the kernel; unless a comment below says otherwise,
// nothing is answered from user-space state such as the pid cache that
// getpid() may consult.
//
// NOTE(review): the return-value and errno conventions are not visible in
// this header; confirm them in the implementation. Callers that use these
// wrappers to set up or tighten a sandbox should check every result.

// Process id of the caller, fetched from the kernel on each call.
SANDBOX_EXPORT pid_t sys_getpid();

// Thread id of the caller, fetched from the kernel on each call.
SANDBOX_EXPORT pid_t sys_gettid();

// Short form of clone that takes only |flags|.
// NOTE(review): presumably the same as the five-argument overload with every
// pointer argument null; confirm in the implementation.
SANDBOX_EXPORT long sys_clone(unsigned long flags);

// Long form of clone.
//   |child_stack| must be nullptr; with any other stack this function could
//                 not safely return. For that reason CLONE_VM is not
//                 supported.
//   |regs|        is not supported and must be nullptr.
//   |ptid|, |ctid| are the remaining clone arguments (see clone(2)).
// Both restricted parameters are typed std::nullptr_t, so only a null pointer
// constant is accepted for them. Nothing in this signature rejects CLONE_VM
// in |flags|; whether the implementation checks for it is not visible here.
SANDBOX_EXPORT long sys_clone(unsigned long flags,
                              std::nullptr_t child_stack,
                              pid_t* ptid,
                              pid_t* ctid,
                              std::nullptr_t regs);

// Wrapper for exit_group, called with |status|.
SANDBOX_EXPORT void sys_exit_group(int status);

// The kernel interface declares |args| as void* so that it can be extended.
// This wrapper narrows it to the one type that current callers pass.
SANDBOX_EXPORT int sys_seccomp(unsigned int operation,
                               unsigned int flags,
                               const struct sock_fprog* args);

// Provided because some libcs ship no prlimit64 wrapper.
SANDBOX_EXPORT int sys_prlimit64(pid_t pid,
                                 int resource,
                                 const struct rlimit64* new_limit,
                                 struct rlimit64* old_limit);

// Provided because some libcs ship no capget/capset wrappers. Calling the
// system calls directly also avoids a dependency on libcap2.
SANDBOX_EXPORT int sys_capget(struct cap_hdr* hdrp, struct cap_data* datap);
SANDBOX_EXPORT int sys_capset(struct cap_hdr* hdrp,
                              const struct cap_data* datap);

// Provided because some libcs ship no getresuid/getresgid wrappers.
SANDBOX_EXPORT int sys_getresuid(uid_t* ruid, uid_t* euid, uid_t* suid);
SANDBOX_EXPORT int sys_getresgid(gid_t* rgid, gid_t* egid, gid_t* sgid);

// Provided because some libcs ship no chroot wrapper.
SANDBOX_EXPORT int sys_chroot(const char* path);

// Provided because some libcs ship no unshare wrapper.
SANDBOX_EXPORT int sys_unshare(int flags);

// Provided because some libcs ship no sigprocmask. |oldset| must be nullptr:
// the toolchain's ABI and the Linux kernel's ABI differ here, so the
// parameter is typed std::nullptr_t and the previous mask cannot be read back
// through this wrapper.
SANDBOX_EXPORT int sys_sigprocmask(int how,
                                   const sigset_t* set,
                                   std::nullptr_t oldset);

// Provided because some libcs ship no sigaction().
SANDBOX_EXPORT int sys_sigaction(int signum,
                                 const struct sigaction* act,
                                 struct sigaction* oldact);

}  // namespace sandbox

#endif  // SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_