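/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _LINUX_SECCOMP_H
#define _LINUX_SECCOMP_H

#include <uapi/linux/seccomp.h>

/*
 * Bitwise OR of every SECCOMP_FILTER_FLAG_* value named in this header.
 * NOTE(review): presumably the filter-install path uses this mask to reject
 * unknown flag bits; that check is not visible here - confirm in the caller.
 * If so, any new SECCOMP_FILTER_FLAG_* has to be added to this mask too.
 */
#define SECCOMP_FILTER_FLAG_MASK	(SECCOMP_FILTER_FLAG_TSYNC | \
					 SECCOMP_FILTER_FLAG_LOG | \
					 SECCOMP_FILTER_FLAG_SPEC_ALLOW | \
					 SECCOMP_FILTER_FLAG_NEW_LISTENER | \
					 SECCOMP_FILTER_FLAG_TSYNC_ESRCH)

#ifdef CONFIG_SECCOMP

#include <linux/thread_info.h>
#include <asm/seccomp.h>

struct seccomp_filter;
/**
 * struct seccomp - the state of a seccomp'ed process
 *
 * @mode:  one of the SECCOMP_MODE_* values (see <uapi/linux/seccomp.h>),
 *         selecting which system calls are available to a process.
 * @filter: must always point to a valid seccomp-filter or NULL as it is
 *          accessed without locking during system call entry.
 *
 *          @filter must only be accessed from the context of current as there
 *          is no read locking.
 */
struct seccomp {
	int mode;
	struct seccomp_filter *filter;
};

#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
extern int __secure_computing(const struct seccomp_data *sd);

/*
 * Syscall-entry wrapper: __secure_computing() is only called (with a NULL
 * seccomp_data) when the TIF_SECCOMP thread flag is set; otherwise 0 is
 * returned without any further work.
 * NOTE(review): what a non-zero return means is decided by
 * __secure_computing() and the arch entry code, neither visible here.
 */
static inline int secure_computing(void)
{
	if (unlikely(test_thread_flag(TIF_SECCOMP)))
		return __secure_computing(NULL);
	return 0;
}
#else
extern void secure_computing_strict(int this_syscall);
#endif

/* Handlers for the seccomp prctl() operations; defined elsewhere. */
extern long prctl_get_seccomp(void);
extern long prctl_set_seccomp(unsigned long, void __user *);

/* Returns the mode stored in @s. */
static inline int seccomp_mode(struct seccomp *s)
{
	return s->mode;
}

#else /* CONFIG_SECCOMP */

#include <linux/errno.h>

/*
 * CONFIG_SECCOMP is off: everything below is a stub.  secure_computing()
 * returns 0 without consulting any filter, the prctl handlers fail with
 * -EINVAL and seccomp_mode() always reports SECCOMP_MODE_DISABLED.  A
 * sandbox that depends on seccomp gets no enforcement from such a kernel
 * and has to treat the -EINVAL as "not applied".
 */
struct seccomp { };
struct seccomp_filter { };

#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
static inline int secure_computing(void) { return 0; }
/*
 * Takes the same parameter as the CONFIG_SECCOMP prototype, so a caller
 * written against that prototype also builds with seccomp disabled.
 */
static inline int __secure_computing(const struct seccomp_data *sd) { return 0; }
#else
static inline void secure_computing_strict(int this_syscall) { return; }
#endif

static inline long prctl_get_seccomp(void)
{
	return -EINVAL;
}

/* Parameter types match the CONFIG_SECCOMP prototype (void __user *). */
static inline long prctl_set_seccomp(unsigned long arg2, void __user *arg3)
{
	return -EINVAL;
}

static inline int seccomp_mode(struct seccomp *s)
{
	return SECCOMP_MODE_DISABLED;
}
#endif /* CONFIG_SECCOMP */

/*
 * NOTE(review): presumably these take and drop a reference on @tsk's filter;
 * the implementations are not in this header.  Without
 * CONFIG_SECCOMP_FILTER both are no-ops.
 */
#ifdef CONFIG_SECCOMP_FILTER
extern void put_seccomp_filter(struct task_struct *tsk);
extern void get_seccomp_filter(struct task_struct *tsk);
#else  /* CONFIG_SECCOMP_FILTER */
static inline void put_seccomp_filter(struct task_struct *tsk)
{
	return;
}
static inline void get_seccomp_filter(struct task_struct *tsk)
{
	return;
}
#endif /* CONFIG_SECCOMP_FILTER */

/*
 * Filter/metadata read-back for another task is only built when both
 * CONFIG_SECCOMP_FILTER and CONFIG_CHECKPOINT_RESTORE are set; otherwise
 * the stubs fail with -EINVAL and write nothing to @data.
 */
#if defined(CONFIG_SECCOMP_FILTER) && defined(CONFIG_CHECKPOINT_RESTORE)
extern long seccomp_get_filter(struct task_struct *task,
			       unsigned long filter_off, void __user *data);
extern long seccomp_get_metadata(struct task_struct *task,
				 unsigned long filter_off, void __user *data);
#else
static inline long seccomp_get_filter(struct task_struct *task,
				      unsigned long filter_off,
				      void __user *data)
{
	return -EINVAL;
}
static inline long seccomp_get_metadata(struct task_struct *task,
					unsigned long filter_off,
					void __user *data)
{
	return -EINVAL;
}
#endif /* CONFIG_SECCOMP_FILTER && CONFIG_CHECKPOINT_RESTORE */
#endif /* _LINUX_SECCOMP_H */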