LCOV - code coverage report
Current view: top level - shared - seccomp-util.h (source / functions) Hit Total Coverage
Test: systemd_full.info Lines: 1 1 100.0 %
Date: 2019-08-23 13:36:53 Functions: 1 1 100.0 %
Legend: Lines: hit not hit | Branches: + taken - not taken # not executed Branches: 1 2 50.0 %

           Branch data     Line data    Source code
       1                 :            : /* SPDX-License-Identifier: LGPL-2.1+ */
       2                 :            : #pragma once
       3                 :            : 
       4                 :            : #include <seccomp.h>
       5                 :            : #include <stdbool.h>
       6                 :            : #include <stdint.h>
       7                 :            : 
       8                 :            : #include "set.h"
       9                 :            : 
      10                 :            : const char* seccomp_arch_to_string(uint32_t c); /* NOTE(review): result for an unrecognised value is not visible in this header */
      11                 :            : int seccomp_arch_from_string(const char *n, uint32_t *ret); /* presumably the inverse mapping, written to *ret — confirm */
      12                 :            : 
      13                 :            : int seccomp_init_for_arch(scmp_filter_ctx *ret, uint32_t arch, uint32_t default_action); /* NOTE(review): presumably creates a filter context in *ret for one architecture — confirm in seccomp-util.c */
      14                 :            : 
      15                 :            : bool is_seccomp_available(void); /* NOTE(review): a caller that skips filtering when this is false runs unfiltered; whether to continue is caller policy */
      16                 :            : 
      17                 :            : typedef struct SyscallFilterSet { /* element type of syscall_filter_sets[]; also what syscall_filter_set_find() returns */
      18                 :            :         const char *name; /* NOTE(review): presumably the key matched by syscall_filter_set_find() — confirm */
      19                 :            :         const char *help; /* NOTE(review): presumably a human-readable description — confirm */
      20                 :            :         const char *value; /* NOTE(review): encoding of the set's members is not visible in this header */
      21                 :            : } SyscallFilterSet;
      22                 :            : 
      23                 :            : enum { /* identifiers of the predefined sets; NOTE(review): presumably indices into syscall_filter_sets[], so enum and table must stay in step — confirm */
      24                 :            :         /* Please leave DEFAULT first, but sort the rest alphabetically */
      25                 :            :         SYSCALL_FILTER_SET_DEFAULT,
      26                 :            :         SYSCALL_FILTER_SET_AIO,
      27                 :            :         SYSCALL_FILTER_SET_BASIC_IO,
      28                 :            :         SYSCALL_FILTER_SET_CHOWN,
      29                 :            :         SYSCALL_FILTER_SET_CLOCK,
      30                 :            :         SYSCALL_FILTER_SET_CPU_EMULATION,
      31                 :            :         SYSCALL_FILTER_SET_DEBUG,
      32                 :            :         SYSCALL_FILTER_SET_FILE_SYSTEM,
      33                 :            :         SYSCALL_FILTER_SET_IO_EVENT,
      34                 :            :         SYSCALL_FILTER_SET_IPC,
      35                 :            :         SYSCALL_FILTER_SET_KEYRING,
      36                 :            :         SYSCALL_FILTER_SET_MEMLOCK,
      37                 :            :         SYSCALL_FILTER_SET_MODULE,
      38                 :            :         SYSCALL_FILTER_SET_MOUNT,
      39                 :            :         SYSCALL_FILTER_SET_NETWORK_IO,
      40                 :            :         SYSCALL_FILTER_SET_OBSOLETE,
      41                 :            :         SYSCALL_FILTER_SET_PRIVILEGED,
      42                 :            :         SYSCALL_FILTER_SET_PROCESS,
      43                 :            :         SYSCALL_FILTER_SET_RAW_IO,
      44                 :            :         SYSCALL_FILTER_SET_REBOOT,
      45                 :            :         SYSCALL_FILTER_SET_RESOURCES,
      46                 :            :         SYSCALL_FILTER_SET_SETUID,
      47                 :            :         SYSCALL_FILTER_SET_SIGNAL,
      48                 :            :         SYSCALL_FILTER_SET_SWAP,
      49                 :            :         SYSCALL_FILTER_SET_SYNC,
      50                 :            :         SYSCALL_FILTER_SET_SYSTEM_SERVICE,
      51                 :            :         SYSCALL_FILTER_SET_TIMER,
      52                 :            :         _SYSCALL_FILTER_SET_MAX /* not a set: enumerators count up from 0, so this equals the number of sets listed above */
      53                 :            : };
      54                 :            : 
      55                 :            : extern const SyscallFilterSet syscall_filter_sets[]; /* length is not declared here — NOTE(review): presumably _SYSCALL_FILTER_SET_MAX entries; confirm before indexing */
      56                 :            : 
      57                 :            : const SyscallFilterSet *syscall_filter_set_find(const char *name); /* NOTE(review): result for an unknown name is not visible here — do not assume non-NULL */
      58                 :            : 
      59                 :            : int seccomp_filter_set_add(Hashmap *s, bool b, const SyscallFilterSet *set);
      60                 :            : 
      61                 :            : int seccomp_add_syscall_filter_item(scmp_filter_ctx *ctx, const char *name, uint32_t action, char **exclude, bool log_missing);
      62                 :            : 
                                        /* NOTE(review): both loaders take two actions. Presumably `action` applies to the syscalls in the
                                         * set and `default_action` to everything else, which is what makes the loaded filter an allow-list
                                         * or a deny-list — confirm in seccomp-util.c before relying on it. */
      63                 :            : int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action, bool log_missing);
      64                 :            : int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, uint32_t action, bool log_missing);
      65                 :            : 
      66                 :            : typedef enum SeccompParseFlags { /* flags argument of seccomp_parse_syscall_filter(); each value is a distinct bit, so they can be OR-ed */
      67                 :            :         SECCOMP_PARSE_INVERT     = 1 << 0,
      68                 :            :         SECCOMP_PARSE_WHITELIST  = 1 << 1, /* NOTE(review): presumably marks the filter being built as an allow-list — confirm in seccomp-util.c */
      69                 :            :         SECCOMP_PARSE_LOG        = 1 << 2,
      70                 :            :         SECCOMP_PARSE_PERMISSIVE = 1 << 3, /* NOTE(review): name suggests relaxed error handling; what is tolerated is not visible here */
      71                 :            : } SeccompParseFlags;
      72                 :            : 
      73                 :            : int seccomp_parse_syscall_filter( /* NOTE(review): presumably records the entry `name` in `filter` as directed by `flags`; unit/filename/line look like log context — confirm */
      74                 :            :                 const char *name,
      75                 :            :                 int errno_num,
      76                 :            :                 Hashmap *filter,
      77                 :            :                 SeccompParseFlags flags, /* OR-ed SECCOMP_PARSE_* bits */
      78                 :            :                 const char *unit,
      79                 :            :                 const char *filename, unsigned line);
      80                 :            : 
      81                 :            : int seccomp_restrict_archs(Set *archs); /* NOTE(review): return convention for this family is not visible here; ERRNO_IS_SECCOMP_FATAL() in this header accepts either sign of an errno */
      82                 :            : int seccomp_restrict_namespaces(unsigned long retain);
      83                 :            : int seccomp_protect_sysctl(void);
      84                 :            : int seccomp_restrict_address_families(Set *address_families, bool whitelist); /* NOTE(review): presumably whitelist=true allows only the listed families and false denies them — confirm; a swapped value inverts the policy */
      85                 :            : int seccomp_restrict_realtime(void);
      86                 :            : int seccomp_memory_deny_write_execute(void);
      87                 :            : int seccomp_lock_personality(unsigned long personality);
      88                 :            : int seccomp_protect_hostname(void);
      89                 :            : int seccomp_restrict_suid_sgid(void);
      90                 :            : 
      91                 :            : extern const uint32_t seccomp_local_archs[]; /* terminated by (uint32_t) -1, the value SECCOMP_FOREACH_LOCAL_ARCH stops on */
      92                 :            : 
                                        /* Iterates over seccomp_local_archs[], assigning each element to (arch) in turn and stopping at the
                                         * (uint32_t) -1 terminator. (arch) must be an assignable lvalue; once the loop has run to completion
                                         * it holds the terminator value, not a real architecture. The initial assignment uses a GCC/Clang
                                         * statement expression, and the loop variable is named _i, so a nested use shadows the outer one. */
      93                 :            : #define SECCOMP_FOREACH_LOCAL_ARCH(arch) \
      94                 :            :         for (unsigned _i = ({ (arch) = seccomp_local_archs[0]; 0; });   \
      95                 :            :              seccomp_local_archs[_i] != (uint32_t) -1;                  \
      96                 :            :              (arch) = seccomp_local_archs[++_i])
      97                 :            : 
      98                 :            : /* EACCES: the caller has neither CAP_SYS_ADMIN nor no_new_privs set (see seccomp(2))
      99                 :            :  * ENOMEM: out of memory, failed to allocate space for a libseccomp structure, or would exceed a defined constant
     100                 :            :  * EFAULT: addresses passed as args (by libseccomp) are invalid
                                         * r may be a positive or a negative errno value, because the macro tests abs(r).
                                         * NOTE(review): EPERM is also in the set below but is not described in this list. */
     101                 :            : #define ERRNO_IS_SECCOMP_FATAL(r)                                       \
     102                 :            :         IN_SET(abs(r), EPERM, EACCES, ENOMEM, EFAULT)
     103                 :            : 
     104         [ -  + ]:         16 : DEFINE_TRIVIAL_CLEANUP_FUNC(scmp_filter_ctx, seccomp_release); /* NOTE(review): macro is defined elsewhere; presumably emits a cleanup helper that calls seccomp_release() on a scmp_filter_ctx — confirm */
     105                 :            : 
     106                 :            : int parse_syscall_archs(char **l, Set **archs); /* NOTE(review): presumably parses the architecture names in l into *archs; ownership of *archs is not visible here */
     107                 :            : 
     108                 :            : uint32_t scmp_act_kill_process(void); /* returns a uint32_t action value; NOTE(review): which action, and whether it can fall back to a weaker kill action, is decided in the implementation — confirm */
