| /* |
| * seccomp example for x86 (32-bit and 64-bit) with BPF macros |
| * |
| * Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev@chromium.org> |
| * Authors: |
| * Will Drewry <wad@chromium.org> |
| * Kees Cook <keescook@chromium.org> |
| * |
| * Use of this source code is governed by a BSD-style license that can be |
| * found in the LICENSE file. |
| */ |
| #ifndef _SECCOMP_BPF_H_ |
| #define _SECCOMP_BPF_H_ |
| |
| #define _GNU_SOURCE 1 |
| #include <stdio.h> |
| #include <stddef.h> |
| #include <stdlib.h> |
| #include <errno.h> |
| #include <signal.h> |
| #include <string.h> |
| #include <unistd.h> |
| |
| #include <sys/prctl.h> |
| #ifndef PR_SET_NO_NEW_PRIVS |
| # define PR_SET_NO_NEW_PRIVS 38 |
| #endif |
| |
| #include <linux/unistd.h> |
| #include <linux/audit.h> |
| #include <linux/filter.h> |
| #include <linux/seccomp.h> |
| |
| #define syscall_nr (offsetof(struct seccomp_data, nr)) |
| #define arch_nr (offsetof(struct seccomp_data, arch)) |
| #define arg_offset_0 (offsetof(struct seccomp_data, args[0])) |
| #define arg_offset_1 (offsetof(struct seccomp_data, args[1])) |
| #define arg_offset_2 (offsetof(struct seccomp_data, args[2])) |
| #define arg_offset_3 (offsetof(struct seccomp_data, args[3])) |
| #define arg_offset_4 (offsetof(struct seccomp_data, args[4])) |
| #define arg_offset_5 (offsetof(struct seccomp_data, args[5])) |
| |
| #if defined(__x86_64__) |
| #define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.gregs[(_reg)]) |
| #define SECCOMP_RESULT(_ctx) SECCOMP_REG(_ctx, REG_RAX) |
| #define SECCOMP_SYSCALL(_ctx) SECCOMP_REG(_ctx, REG_RAX) |
| #define SECCOMP_IP(_ctx) SECCOMP_REG(_ctx, REG_RIP) |
| #define SECCOMP_PARM1(_ctx) SECCOMP_REG(_ctx, REG_RDI) |
| #define SECCOMP_PARM2(_ctx) SECCOMP_REG(_ctx, REG_RSI) |
| #define SECCOMP_PARM3(_ctx) SECCOMP_REG(_ctx, REG_RDX) |
| #define SECCOMP_PARM4(_ctx) SECCOMP_REG(_ctx, REG_R10) |
| #define SECCOMP_PARM5(_ctx) SECCOMP_REG(_ctx, REG_R8) |
| #define SECCOMP_PARM6(_ctx) SECCOMP_REG(_ctx, REG_R9) |
| # define REG_SYSCALL REG_RAX |
| # define ARCH_NR AUDIT_ARCH_X86_64 |
| #else |
| # warning "Platform does not support seccomp filter yet" |
| # define REG_SYSCALL 0 |
| # define ARCH_NR 0 |
| #endif |
| |
| #define VALIDATE_ARCHITECTURE \ |
| BPF_STMT(BPF_LD+BPF_W+BPF_ABS, arch_nr), \ |
| BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \ |
| BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) |
| |
| #define EXAMINE_SYSCALL \ |
| BPF_STMT(BPF_LD+BPF_W+BPF_ABS, syscall_nr) |
| |
| #define ALLOW_SYSCALL(name) \ |
| BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \ |
| BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) |
| |
| #define TRACE_OPENS_FOR_READS_ONLY(name, arg_index) \ |
| BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 5), \ |
| BPF_STMT(BPF_LD+BPF_W+BPF_ABS, arg_offset_##arg_index), \ |
| BPF_STMT(BPF_ALU+BPF_AND+BPF_K, O_ACCMODE), \ |
| BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, O_RDONLY, 0, 1), \ |
| BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRACE), \ |
| BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) |
| |
| #define TRACE_SYSCALL(name) \ |
| BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \ |
| BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRACE) |
| |
| #define KILL_PROCESS \ |
| BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL) |
| |
| #define ALLOW_ALL \ |
| BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW) |
| |
| #define TRACE_ALL \ |
| BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_TRACE) |
| |
| #endif /* _SECCOMP_BPF_H_ */ |
