[thirdparty/systemd.git] / src / shared / seccomp-util.h

#pragma once

/***
  This file is part of systemd.

  Copyright 2014 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <seccomp.h>
#include <stdbool.h>
#include <stdint.h>

const char* seccomp_arch_to_string(uint32_t c);
int seccomp_arch_from_string(const char *n, uint32_t *ret);

int seccomp_init_conservative(scmp_filter_ctx *ret, uint32_t default_action);

int seccomp_add_secondary_archs(scmp_filter_ctx c);

bool is_seccomp_available(void);

typedef struct SyscallFilterSet {
        const char *name;
        const char *help;
        const char *value;
} SyscallFilterSet;

enum {
        /* Please leave DEFAULT first, but sort the rest alphabetically */
        SYSCALL_FILTER_SET_DEFAULT,
        SYSCALL_FILTER_SET_BASIC_IO,
        SYSCALL_FILTER_SET_CLOCK,
        SYSCALL_FILTER_SET_CPU_EMULATION,
        SYSCALL_FILTER_SET_DEBUG,
        SYSCALL_FILTER_SET_FILE_SYSTEM,
        SYSCALL_FILTER_SET_IO_EVENT,
        SYSCALL_FILTER_SET_IPC,
        SYSCALL_FILTER_SET_KEYRING,
        SYSCALL_FILTER_SET_MODULE,
        SYSCALL_FILTER_SET_MOUNT,
        SYSCALL_FILTER_SET_NETWORK_IO,
        SYSCALL_FILTER_SET_OBSOLETE,
        SYSCALL_FILTER_SET_PRIVILEGED,
        SYSCALL_FILTER_SET_PROCESS,
        SYSCALL_FILTER_SET_RAW_IO,
        SYSCALL_FILTER_SET_RESOURCES,
        _SYSCALL_FILTER_SET_MAX
};

extern const SyscallFilterSet syscall_filter_sets[];

const SyscallFilterSet *syscall_filter_set_find(const char *name);

int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterSet *set, uint32_t action);

int seccomp_load_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action);

int seccomp_restrict_namespaces(unsigned long retain);
Commit	Line	Data
57183d11 LP	1	#pragma once
	2
	3	/***
	4	This file is part of systemd.
	5
	6	Copyright 2014 Lennart Poettering
	7
	8	systemd is free software; you can redistribute it and/or modify it
	9	under the terms of the GNU Lesser General Public License as published by
	10	the Free Software Foundation; either version 2.1 of the License, or
	11	(at your option) any later version.
	12
	13	systemd is distributed in the hope that it will be useful, but
	14	WITHOUT ANY WARRANTY; without even the implied warranty of
	15	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	16	Lesser General Public License for more details.
	17
	18	You should have received a copy of the GNU Lesser General Public License
	19	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	20	***/
	21
a60e9f7f	22	#include <seccomp.h>
f6281133	23	#include <stdbool.h>
a8fbdf54	24	#include <stdint.h>
57183d11 LP	25
	26	const char* seccomp_arch_to_string(uint32_t c);
	27	int seccomp_arch_from_string(const char n, uint32_t ret);
e9642be2	28
8d7b0c8f LP	29	int seccomp_init_conservative(scmp_filter_ctx *ret, uint32_t default_action);
	30
	31	int seccomp_add_secondary_archs(scmp_filter_ctx c);
201c1cc2	32
83f12b27 FS	33	bool is_seccomp_available(void);
83f12b27 FS	34
8130926d LP	35	typedef struct SyscallFilterSet {
8130926d LP	36	const char *name;
d5efc18b	37	const char *help;
201c1cc2	38	const char *value;
8130926d LP	39	} SyscallFilterSet;
	40
	41	enum {
40eb6a80 ZJS	42	/* Please leave DEFAULT first, but sort the rest alphabetically */
40eb6a80 ZJS	43	SYSCALL_FILTER_SET_DEFAULT,
133ddbbe	44	SYSCALL_FILTER_SET_BASIC_IO,
8130926d LP	45	SYSCALL_FILTER_SET_CLOCK,
	46	SYSCALL_FILTER_SET_CPU_EMULATION,
	47	SYSCALL_FILTER_SET_DEBUG,
1a1b13c9	48	SYSCALL_FILTER_SET_FILE_SYSTEM,
8130926d LP	49	SYSCALL_FILTER_SET_IO_EVENT,
	50	SYSCALL_FILTER_SET_IPC,
	51	SYSCALL_FILTER_SET_KEYRING,
	52	SYSCALL_FILTER_SET_MODULE,
	53	SYSCALL_FILTER_SET_MOUNT,
	54	SYSCALL_FILTER_SET_NETWORK_IO,
	55	SYSCALL_FILTER_SET_OBSOLETE,
	56	SYSCALL_FILTER_SET_PRIVILEGED,
	57	SYSCALL_FILTER_SET_PROCESS,
	58	SYSCALL_FILTER_SET_RAW_IO,
133ddbbe	59	SYSCALL_FILTER_SET_RESOURCES,
8130926d LP	60	_SYSCALL_FILTER_SET_MAX
	61	};
	62
	63	extern const SyscallFilterSet syscall_filter_sets[];
	64
	65	const SyscallFilterSet syscall_filter_set_find(const char name);
	66
	67	int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterSet *set, uint32_t action);
a3be2849 LP	68
a3be2849 LP	69	int seccomp_load_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action);
add00535 LP	70
add00535 LP	71	int seccomp_restrict_namespaces(unsigned long retain);