/*
 * seccomp example for x86 (32-bit and 64-bit) with BPF macros
 *
 * Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev@chromium.org>
 * Authors:
 *  Will Drewry <wad@chromium.org>
 *  Kees Cook <keescook@chromium.org>
 *
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 *
 * A stripped-down version of the file found in this tutorial: http://outflux.net/teach-seccomp/.
 */
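#ifndef _SECCOMP_BPF_H_
#define _SECCOMP_BPF_H_

/* Request GNU extensions before any system header is pulled in.  The build
 * may already pass -D_GNU_SOURCE, so guard the define to avoid redefinition. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1
#endif
#include <stdio.h>
#include <stddef.h>
#include <stdlib.h>
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>

#include <sys/prctl.h>

#include <linux/unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Byte offsets into the struct seccomp_data the kernel passes to the filter. */
#define syscall_nr (offsetof(struct seccomp_data, nr))
#define arch_nr (offsetof(struct seccomp_data, arch))

/* AUDIT_ARCH_* value expected in seccomp_data.arch for the ABI this header is
 * compiled for.  Deliberately left undefined on other platforms (this file
 * targets x86 only), which also leaves VALIDATE_ARCHITECTURE undefined so a
 * caller cannot silently build a filter without an arch check there. */
#if defined(__i386__)
#define ARCH_NR AUDIT_ARCH_I386
#elif defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#endif

/* Kill the process unless seccomp_data.arch equals ARCH_NR.  Syscall numbers
 * are only meaningful for one ABI: on an x86-64 kernel a 32-bit entry reports
 * AUDIT_ARCH_I386 with i386 numbering, so an allow-list keyed on nr alone
 * would admit different syscalls than intended.  Put this first in the filter,
 * before EXAMINE_SYSCALL (it clobbers the accumulator).  Three instructions.
 * Caveat: x32 entries report AUDIT_ARCH_X86_64 with __X32_SYSCALL_BIT set in
 * nr; a filter that must reject them needs an extra range check on nr, which
 * this header does not provide. */
#ifdef ARCH_NR
#define VALIDATE_ARCHITECTURE \
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, arch_nr), \
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
#endif

/* Load seccomp_data.nr into the accumulator so the ALLOW_SYSCALL entries that
 * follow can compare against it.  One instruction. */
#define EXAMINE_SYSCALL \
	BPF_STMT(BPF_LD+BPF_W+BPF_ABS, syscall_nr)

/* If the loaded syscall number equals __NR_<name>, return SECCOMP_RET_ALLOW
 * (jt = 0 executes the return); otherwise jf = 1 skips it and evaluation falls
 * through to the next entry.  Two instructions; must follow EXAMINE_SYSCALL. */
#define ALLOW_SYSCALL(name) \
	BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)

/* Terminal default: kill the calling process for any syscall not allowed by a
 * preceding ALLOW_SYSCALL.  Must be the last instruction of the filter. */
#define KILL_PROCESS \
	BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)

#endif /* _SECCOMP_BPF_H_ */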