1 /* SPDX-License-Identifier: GPL-2.0 */
2 #ifndef _LINUX_SECCOMP_H
3 #define _LINUX_SECCOMP_H
4 
5 #include <uapi/linux/seccomp.h>
6 
7 #define SECCOMP_FILTER_FLAG_MASK	(SECCOMP_FILTER_FLAG_TSYNC | \
8 					 SECCOMP_FILTER_FLAG_LOG | \
9 					 SECCOMP_FILTER_FLAG_SPEC_ALLOW | \
10 					 SECCOMP_FILTER_FLAG_NEW_LISTENER | \
11 					 SECCOMP_FILTER_FLAG_TSYNC_ESRCH)
12 
13 #ifdef CONFIG_SECCOMP
14 
15 #include <linux/thread_info.h>
16 #include <linux/atomic.h>
17 #include <asm/seccomp.h>
18 
19 struct seccomp_filter;
/**
 * struct seccomp - the state of a seccomp'ed process
 *
 * @mode:  indicates one of the SECCOMP_MODE_* values defined in
 *         <uapi/linux/seccomp.h> for controlled system calls available
 *         to a process.
 * @filter_count: atomic counter kept next to @filter; presumably the
 *         number of filters attached to the task - confirm against
 *         kernel/seccomp.c before relying on its meaning.
 * @filter: must always point to a valid seccomp-filter or NULL as it is
 *          accessed without locking during system call entry.
 *
 *          @filter must only be accessed from the context of current as there
 *          is no read locking.
 */
struct seccomp {
	int mode;
	atomic_t filter_count;
	struct seccomp_filter *filter;
};
36 
37 #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
38 extern int __secure_computing(const struct seccomp_data *sd);
/**
 * secure_computing - inline syscall-entry hook for seccomp
 *
 * Fast path: only a thread carrying TIF_SECCOMP pays for the out-of-line
 * __secure_computing() call; the flag test is marked unlikely() because
 * most threads are not seccomp'ed.  NOTE(review): the NULL argument
 * presumably tells __secure_computing() to fetch the seccomp_data itself -
 * confirm in kernel/seccomp.c.
 *
 * Return: 0 when the thread is not seccomp'ed, otherwise the result of
 * __secure_computing().
 */
static inline int secure_computing(void)
{
	if (unlikely(test_thread_flag(TIF_SECCOMP)))
		return  __secure_computing(NULL);
	return 0;
}
45 #else
46 extern void secure_computing_strict(int this_syscall);
47 #endif
48 
49 extern long prctl_get_seccomp(void);
50 extern long prctl_set_seccomp(unsigned long, void __user *);
51 
/**
 * seccomp_mode - read the seccomp mode recorded for a task
 * @s: the task's &struct seccomp
 *
 * Return: the SECCOMP_MODE_* value stored in @s->mode.
 */
static inline int seccomp_mode(struct seccomp *s)
{
	int mode = s->mode;

	return mode;
}
56 
57 #else /* CONFIG_SECCOMP */
58 
59 #include <linux/errno.h>
60 
/* Empty placeholders so the types can still be named when seccomp is compiled out. */
struct seccomp { };
struct seccomp_filter { };
63 
64 #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
/*
 * secure_computing - stub for builds without CONFIG_SECCOMP
 *
 * Return: 0, the same value the real hook yields for a thread without
 * TIF_SECCOMP, so the syscall entry path needs no special casing.
 */
static inline int secure_computing(void)
{
	return 0;
}
66 #else
/*
 * secure_computing_strict - stub for builds without CONFIG_SECCOMP
 * @this_syscall: ignored
 *
 * Nothing to enforce when seccomp is compiled out.
 */
static inline void secure_computing_strict(int this_syscall)
{
}
68 #endif
69 
/*
 * prctl_get_seccomp - stub for builds without CONFIG_SECCOMP
 *
 * Return: always -EINVAL; there is no seccomp mode to report.
 */
static inline long prctl_get_seccomp(void)
{
	const long err = -EINVAL;

	return err;
}
74 
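/*
 * prctl_set_seccomp - stub for builds without CONFIG_SECCOMP
 * @arg2: ignored
 * @arg3: ignored
 *
 * The parameter types now match the real declaration
 * (unsigned long, void __user *) so both configurations share one
 * signature; callers passing a char __user * still convert implicitly.
 *
 * Return: always -EINVAL; seccomp is compiled out.
 */
static inline long prctl_set_seccomp(unsigned long arg2, void __user *arg3)
{
	return -EINVAL;
}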
79 
/*
 * seccomp_mode - stub for builds without CONFIG_SECCOMP
 * @s: ignored
 *
 * Return: SECCOMP_MODE_DISABLED for every task.
 */
static inline int seccomp_mode(struct seccomp *s)
{
	/* No seccomp support in this build: every task reports "disabled". */
	return SECCOMP_MODE_DISABLED;
}
84 #endif /* CONFIG_SECCOMP */
85 
86 #ifdef CONFIG_SECCOMP_FILTER
87 extern void put_seccomp_filter(struct task_struct *tsk);
88 extern void get_seccomp_filter(struct task_struct *tsk);
89 #else  /* CONFIG_SECCOMP_FILTER */
/*
 * put_seccomp_filter - stub for builds without CONFIG_SECCOMP_FILTER
 * @tsk: ignored
 *
 * No filter reference exists to drop.
 */
static inline void put_seccomp_filter(struct task_struct *tsk)
{
}
/*
 * get_seccomp_filter - stub for builds without CONFIG_SECCOMP_FILTER
 * @tsk: ignored
 *
 * No filter reference exists to take.
 */
static inline void get_seccomp_filter(struct task_struct *tsk)
{
}
98 #endif /* CONFIG_SECCOMP_FILTER */
99 
100 #if defined(CONFIG_SECCOMP_FILTER) && defined(CONFIG_CHECKPOINT_RESTORE)
101 extern long seccomp_get_filter(struct task_struct *task,
102 			       unsigned long filter_off, void __user *data);
103 extern long seccomp_get_metadata(struct task_struct *task,
104 				 unsigned long filter_off, void __user *data);
105 #else
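/*
 * seccomp_get_filter - stub when filter export is unavailable
 * @task: ignored
 * @filter_off: ignored (renamed from @n to match the real declaration
 *              and the sibling seccomp_get_metadata() stub)
 * @data: ignored
 *
 * Return: always -EINVAL.
 */
static inline long seccomp_get_filter(struct task_struct *task,
				      unsigned long filter_off,
				      void __user *data)
{
	return -EINVAL;
}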
/*
 * seccomp_get_metadata - stub when filter export is unavailable
 * @task: ignored
 * @filter_off: ignored
 * @data: ignored
 *
 * Return: always -EINVAL.
 */
static inline long seccomp_get_metadata(struct task_struct *task,
					unsigned long filter_off,
					void __user *data)
{
	const long err = -EINVAL;

	return err;
}
117 #endif /* CONFIG_SECCOMP_FILTER && CONFIG_CHECKPOINT_RESTORE */
118 #endif /* _LINUX_SECCOMP_H */