blob: 4054b0994071cada2d95bdbe0964a3b22cfe2590 [file] [log] [blame]
Linus Torvalds1da177e2005-04-16 15:20:36 -07001#ifndef _LINUX_SECCOMP_H
2#define _LINUX_SECCOMP_H
3
David Howells607ca462012-10-13 10:46:48 +01004#include <uapi/linux/seccomp.h>
Linus Torvalds1da177e2005-04-16 15:20:36 -07005
6#ifdef CONFIG_SECCOMP
7
Linus Torvalds1da177e2005-04-16 15:20:36 -07008#include <linux/thread_info.h>
9#include <asm/seccomp.h>
10
Will Drewrye2cfabdf2012-04-12 16:47:57 -050011struct seccomp_filter;
12/**
13 * struct seccomp - the state of a seccomp'ed process
14 *
15 * @mode: indicates one of the valid values above for controlled
16 * system calls available to a process.
17 * @filter: The metadata and ruleset for determining what system calls
18 * are allowed for a task.
19 *
20 * @filter must only be accessed from the context of current as there
21 * is no locking.
22 */
Will Drewry932eceb2012-04-12 16:47:54 -050023struct seccomp {
24 int mode;
Will Drewrye2cfabdf2012-04-12 16:47:57 -050025 struct seccomp_filter *filter;
Will Drewry932eceb2012-04-12 16:47:54 -050026};
Linus Torvalds1da177e2005-04-16 15:20:36 -070027
Will Drewryacf3b2c2012-04-12 16:47:59 -050028extern int __secure_computing(int);
29static inline int secure_computing(int this_syscall)
Linus Torvalds1da177e2005-04-16 15:20:36 -070030{
31 if (unlikely(test_thread_flag(TIF_SECCOMP)))
Will Drewryacf3b2c2012-04-12 16:47:59 -050032 return __secure_computing(this_syscall);
33 return 0;
Linus Torvalds1da177e2005-04-16 15:20:36 -070034}
35
Will Drewrye4da89d2012-04-17 14:48:57 -050036/* A wrapper for architectures supporting only SECCOMP_MODE_STRICT. */
37static inline void secure_computing_strict(int this_syscall)
38{
39 BUG_ON(secure_computing(this_syscall) != 0);
40}
41
Andrea Arcangeli1d9d02f2007-07-15 23:41:32 -070042extern long prctl_get_seccomp(void);
Will Drewrye2cfabdf2012-04-12 16:47:57 -050043extern long prctl_set_seccomp(unsigned long, char __user *);
Andrea Arcangeli1d9d02f2007-07-15 23:41:32 -070044
Will Drewry932eceb2012-04-12 16:47:54 -050045static inline int seccomp_mode(struct seccomp *s)
Andy Lutomirski5cec93c2011-06-05 13:50:24 -040046{
47 return s->mode;
48}
49
Linus Torvalds1da177e2005-04-16 15:20:36 -070050#else /* CONFIG_SECCOMP */
51
Ralf Baechle42a17ad2009-04-18 11:30:56 +020052#include <linux/errno.h>
53
Will Drewry932eceb2012-04-12 16:47:54 -050054struct seccomp { };
Will Drewrye2cfabdf2012-04-12 16:47:57 -050055struct seccomp_filter { };
Linus Torvalds1da177e2005-04-16 15:20:36 -070056
Stephen Rothwellb1fa6502012-04-17 12:08:48 +100057static inline int secure_computing(int this_syscall) { return 0; }
Will Drewrye4da89d2012-04-17 14:48:57 -050058static inline void secure_computing_strict(int this_syscall) { return; }
Linus Torvalds1da177e2005-04-16 15:20:36 -070059
Andrea Arcangeli1d9d02f2007-07-15 23:41:32 -070060static inline long prctl_get_seccomp(void)
61{
62 return -EINVAL;
63}
64
Will Drewrye2cfabdf2012-04-12 16:47:57 -050065static inline long prctl_set_seccomp(unsigned long arg2, char __user *arg3)
Andrea Arcangeli1d9d02f2007-07-15 23:41:32 -070066{
67 return -EINVAL;
68}
69
Will Drewry932eceb2012-04-12 16:47:54 -050070static inline int seccomp_mode(struct seccomp *s)
Andy Lutomirski5cec93c2011-06-05 13:50:24 -040071{
72 return 0;
73}
Linus Torvalds1da177e2005-04-16 15:20:36 -070074#endif /* CONFIG_SECCOMP */
75
Will Drewrye2cfabdf2012-04-12 16:47:57 -050076#ifdef CONFIG_SECCOMP_FILTER
77extern void put_seccomp_filter(struct task_struct *tsk);
78extern void get_seccomp_filter(struct task_struct *tsk);
Will Drewrye2cfabdf2012-04-12 16:47:57 -050079#else /* CONFIG_SECCOMP_FILTER */
80static inline void put_seccomp_filter(struct task_struct *tsk)
81{
82 return;
83}
84static inline void get_seccomp_filter(struct task_struct *tsk)
85{
86 return;
87}
88#endif /* CONFIG_SECCOMP_FILTER */
Linus Torvalds1da177e2005-04-16 15:20:36 -070089#endif /* _LINUX_SECCOMP_H */