      1 // Copyright 2015 The Chromium Authors. All rights reserved.
      2 // Use of this source code is governed by a BSD-style license that can be
      3 // found in the LICENSE file.
      4 
      5 #ifndef SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SECCOMP_H_
      6 #define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SECCOMP_H_
      7 
      8 // The Seccomp2 kernel ABI is not part of older versions of glibc.
      9 // As we can't break compilation with these versions of the library,
     10 // we explicitly define all missing symbols.
     11 // If we ever decide that we can now rely on system headers, the following
     12 // include files should be enabled:
     13 // #include <linux/audit.h>
     14 // #include <linux/seccomp.h>
     15 
// Fallbacks for <linux/audit.h> and the ELF machine numbers it builds on.
// Every symbol is defined only when the toolchain has not supplied it.
//
// The AUDIT_ARCH_* tokens are the values the kernel reports in
// seccomp_data.arch. A BPF filter should compare that field against the
// expected token before it interprets the syscall number, because syscall
// numbers differ between ABIs.

// ELF machine numbers.
#if !defined(EM_ARM)
#define EM_ARM 40
#endif
#if !defined(EM_386)
#define EM_386 3
#endif
#if !defined(EM_X86_64)
#define EM_X86_64 62
#endif
#if !defined(EM_MIPS)
#define EM_MIPS 8
#endif
#if !defined(EM_AARCH64)
#define EM_AARCH64 183
#endif

// Flag bits OR'ed into an architecture token: 64-bit ABI and little-endian.
#if !defined(__AUDIT_ARCH_64BIT)
#define __AUDIT_ARCH_64BIT 0x80000000
#endif
#if !defined(__AUDIT_ARCH_LE)
#define __AUDIT_ARCH_LE 0x40000000
#endif

// Architecture tokens: the machine number combined with the flag bits above.
#if !defined(AUDIT_ARCH_ARM)
#define AUDIT_ARCH_ARM (EM_ARM | __AUDIT_ARCH_LE)
#endif
#if !defined(AUDIT_ARCH_I386)
#define AUDIT_ARCH_I386 (EM_386 | __AUDIT_ARCH_LE)
#endif
#if !defined(AUDIT_ARCH_X86_64)
#define AUDIT_ARCH_X86_64 (EM_X86_64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
#endif
#if !defined(AUDIT_ARCH_MIPSEL)
#define AUDIT_ARCH_MIPSEL (EM_MIPS | __AUDIT_ARCH_LE)
#endif
#if !defined(AUDIT_ARCH_AARCH64)
#define AUDIT_ARCH_AARCH64 (EM_AARCH64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE)
#endif
     54 
// Fallbacks for <linux/prctl.h>.

// prctl() options that set and query the seccomp mode. The GET value shares
// the SET guard, so a header that provides PR_SET_SECCOMP is assumed to
// provide PR_GET_SECCOMP as well.
#if !defined(PR_SET_SECCOMP)
#define PR_SET_SECCOMP 22
#define PR_GET_SECCOMP 21
#endif

// prctl() options for the no_new_privs bit, paired under one guard like the
// seccomp options above. A process without CAP_SYS_ADMIN has to set
// no_new_privs before the kernel accepts a seccomp filter from it.
#if !defined(PR_SET_NO_NEW_PRIVS)
#define PR_SET_NO_NEW_PRIVS 38
#define PR_GET_NO_NEW_PRIVS 39
#endif

// NOTE(review): IPC_64 belongs to the SysV IPC headers rather than prctl.h;
// presumably it is defined here for policies that inspect IPC command
// arguments -- confirm against the callers.
#if !defined(IPC_64)
#define IPC_64 0x0100
#endif
     67 
// To keep building with older toolchains, this header currently has to avoid
// including <linux/seccomp.h>. Until that can be fixed (if ever), it relies on
// its own definitions of the seccomp kernel ABI.
//
// Seccomp operating modes. All three values share the SECCOMP_MODE_FILTER
// guard, so they are defined together or not at all.
#if !defined(SECCOMP_MODE_FILTER)
#define SECCOMP_MODE_DISABLED 0
#define SECCOMP_MODE_STRICT 1
#define SECCOMP_MODE_FILTER 2  // Uses a user-supplied filter
#endif
     76 
// Operation codes for the seccomp() system call.
#if !defined(SECCOMP_SET_MODE_STRICT)
#define SECCOMP_SET_MODE_STRICT 0
#endif
#if !defined(SECCOMP_SET_MODE_FILTER)
#define SECCOMP_SET_MODE_FILTER 1
#endif

// Filter flag that asks the kernel to apply the new filter to every thread of
// the process. Without it only the calling thread is filtered, so threads
// that already exist stay outside the sandbox policy.
#if !defined(SECCOMP_FILTER_FLAG_TSYNC)
#define SECCOMP_FILTER_FLAG_TSYNC 1
#endif
     86 
// Return values supported for BPF filter programs. They are defined here only
// when the system headers have not already provided SECCOMP_RET_KILL.
//
// NOTE(review): upstream <linux/seccomp.h> defines SECCOMP_RET_ACTION as
// 0x7fff0000U (newer kernels add SECCOMP_RET_ACTION_FULL for 0xffff0000U), so
// the mask seen by callers appears to depend on which branch is taken --
// confirm that every user masks return values consistently in both cases.
#if !defined(SECCOMP_RET_KILL)
#define SECCOMP_RET_KILL 0x00000000U    // Kill the task immediately
#define SECCOMP_RET_TRAP 0x00030000U    // Disallow and force a SIGSYS
#define SECCOMP_RET_ERRNO 0x00050000U   // Returns an errno
#define SECCOMP_RET_TRACE 0x7ff00000U   // Pass to a tracer or disallow
#define SECCOMP_RET_ALLOW 0x7fff0000U   // Allow
#define SECCOMP_RET_ACTION 0xffff0000U  // Mask: action part of the value
#define SECCOMP_RET_DATA 0x0000ffffU    // Mask: data part of the value
#endif

// The "illegal" SECCOMP_RET_INVALID is not supported by the kernel and should
// only ever be used internally; returning it from a filter would result in
// the kernel killing our process. It is not part of the system headers, so it
// is defined whether or not they supplied the values above.
#define SECCOMP_RET_INVALID 0x00010000U  // Illegal return value
    102 
// si_code value the kernel uses for a SIGSYS raised by a seccomp filter.
// A SIGSYS handler can compare siginfo's si_code against it to tell a
// filter-generated signal apart from one sent by another process.
#if !defined(SYS_SECCOMP)
#define SYS_SECCOMP 1
#endif
    106 
    107 #endif  // SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SECCOMP_H_
    108