1 // Copyright 2015 The Chromium Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style license that can be 3 // found in the LICENSE file. 4 5 #ifndef SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SECCOMP_H_ 6 #define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SECCOMP_H_ 7 8 // The Seccomp2 kernel ABI is not part of older versions of glibc. 9 // As we can't break compilation with these versions of the library, 10 // we explicitly define all missing symbols. 11 // If we ever decide that we can now rely on system headers, the following 12 // include files should be enabled: 13 // #include <linux/audit.h> 14 // #include <linux/seccomp.h> 15 16 // For audit.h 17 #ifndef EM_ARM 18 #define EM_ARM 40 19 #endif 20 #ifndef EM_386 21 #define EM_386 3 22 #endif 23 #ifndef EM_X86_64 24 #define EM_X86_64 62 25 #endif 26 #ifndef EM_MIPS 27 #define EM_MIPS 8 28 #endif 29 #ifndef EM_AARCH64 30 #define EM_AARCH64 183 31 #endif 32 33 #ifndef __AUDIT_ARCH_64BIT 34 #define __AUDIT_ARCH_64BIT 0x80000000 35 #endif 36 #ifndef __AUDIT_ARCH_LE 37 #define __AUDIT_ARCH_LE 0x40000000 38 #endif 39 #ifndef AUDIT_ARCH_ARM 40 #define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE) 41 #endif 42 #ifndef AUDIT_ARCH_I386 43 #define AUDIT_ARCH_I386 (EM_386|__AUDIT_ARCH_LE) 44 #endif 45 #ifndef AUDIT_ARCH_X86_64 46 #define AUDIT_ARCH_X86_64 (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) 47 #endif 48 #ifndef AUDIT_ARCH_MIPSEL 49 #define AUDIT_ARCH_MIPSEL (EM_MIPS|__AUDIT_ARCH_LE) 50 #endif 51 #ifndef AUDIT_ARCH_AARCH64 52 #define AUDIT_ARCH_AARCH64 (EM_AARCH64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE) 53 #endif 54 55 // For prctl.h 56 #ifndef PR_SET_SECCOMP 57 #define PR_SET_SECCOMP 22 58 #define PR_GET_SECCOMP 21 59 #endif 60 #ifndef PR_SET_NO_NEW_PRIVS 61 #define PR_SET_NO_NEW_PRIVS 38 62 #define PR_GET_NO_NEW_PRIVS 39 63 #endif 64 #ifndef IPC_64 65 #define IPC_64 0x0100 66 #endif 67 68 // In order to build will older tool chains, we currently have to avoid 69 // including <linux/seccomp.h>. Until that can be fixed (if ever). Rely on 70 // our own definitions of the seccomp kernel ABI. 71 #ifndef SECCOMP_MODE_FILTER 72 #define SECCOMP_MODE_DISABLED 0 73 #define SECCOMP_MODE_STRICT 1 74 #define SECCOMP_MODE_FILTER 2 // User user-supplied filter 75 #endif 76 77 #ifndef SECCOMP_SET_MODE_STRICT 78 #define SECCOMP_SET_MODE_STRICT 0 79 #endif 80 #ifndef SECCOMP_SET_MODE_FILTER 81 #define SECCOMP_SET_MODE_FILTER 1 82 #endif 83 #ifndef SECCOMP_FILTER_FLAG_TSYNC 84 #define SECCOMP_FILTER_FLAG_TSYNC 1 85 #endif 86 87 #ifndef SECCOMP_RET_KILL 88 // Return values supported for BPF filter programs. Please note that the 89 // "illegal" SECCOMP_RET_INVALID is not supported by the kernel, should only 90 // ever be used internally, and would result in the kernel killing our process. 91 #define SECCOMP_RET_KILL 0x00000000U // Kill the task immediately 92 #define SECCOMP_RET_INVALID 0x00010000U // Illegal return value 93 #define SECCOMP_RET_TRAP 0x00030000U // Disallow and force a SIGSYS 94 #define SECCOMP_RET_ERRNO 0x00050000U // Returns an errno 95 #define SECCOMP_RET_TRACE 0x7ff00000U // Pass to a tracer or disallow 96 #define SECCOMP_RET_ALLOW 0x7fff0000U // Allow 97 #define SECCOMP_RET_ACTION 0xffff0000U // Masks for the return value 98 #define SECCOMP_RET_DATA 0x0000ffffU // sections 99 #else 100 #define SECCOMP_RET_INVALID 0x00010000U // Illegal return value 101 #endif 102 103 #ifndef SYS_SECCOMP 104 #define SYS_SECCOMP 1 105 #endif 106 107 #endif // SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SECCOMP_H_ 108