]> git.ipfire.org Git - thirdparty/systemd.git/blame - src/shared/seccomp-util.h
projects / thirdparty / systemd.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
seccomp: LockPersonality boolean (#6193)
[thirdparty/systemd.git] / src / shared / seccomp-util.h
CommitLineData
57183d11
LP		 1#pragma once
2
3/***
4 This file is part of systemd.
5
6 Copyright 2014 Lennart Poettering
7
8 systemd is free software; you can redistribute it and/or modify it
9 under the terms of the GNU Lesser General Public License as published by
10 the Free Software Foundation; either version 2.1 of the License, or
11 (at your option) any later version.
12
13 systemd is distributed in the hope that it will be useful, but
14 WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
16 Lesser General Public License for more details.
17
18 You should have received a copy of the GNU Lesser General Public License
19 along with systemd; If not, see <http://www.gnu.org/licenses/>.
20***/
21
a60e9f7f 22#include <seccomp.h>
f6281133 23#include <stdbool.h>
a8fbdf54 24#include <stdint.h>
57183d11 25
469830d1
LP		 26#include "set.h"
27
57183d11
LP		 28const char* seccomp_arch_to_string(uint32_t c);
29int seccomp_arch_from_string(const char *n, uint32_t *ret);
e9642be2 30
469830d1 31int seccomp_init_for_arch(scmp_filter_ctx *ret, uint32_t arch, uint32_t default_action);
201c1cc2 32
83f12b27
FS		 33bool is_seccomp_available(void);
34
8130926d
LP		 35typedef struct SyscallFilterSet {
36 const char *name;
d5efc18b 37 const char *help;
201c1cc2 38 const char *value;
8130926d
LP		 39} SyscallFilterSet;
40
41enum {
40eb6a80
ZJS		 42 /* Please leave DEFAULT first, but sort the rest alphabetically */
43 SYSCALL_FILTER_SET_DEFAULT,
133ddbbe 44 SYSCALL_FILTER_SET_BASIC_IO,
8130926d
LP		 45 SYSCALL_FILTER_SET_CLOCK,
46 SYSCALL_FILTER_SET_CPU_EMULATION,
47 SYSCALL_FILTER_SET_DEBUG,
1a1b13c9 48 SYSCALL_FILTER_SET_FILE_SYSTEM,
8130926d
LP		 49 SYSCALL_FILTER_SET_IO_EVENT,
50 SYSCALL_FILTER_SET_IPC,
51 SYSCALL_FILTER_SET_KEYRING,
52 SYSCALL_FILTER_SET_MODULE,
53 SYSCALL_FILTER_SET_MOUNT,
54 SYSCALL_FILTER_SET_NETWORK_IO,
55 SYSCALL_FILTER_SET_OBSOLETE,
56 SYSCALL_FILTER_SET_PRIVILEGED,
57 SYSCALL_FILTER_SET_PROCESS,
58 SYSCALL_FILTER_SET_RAW_IO,
bd2ab3f4 59 SYSCALL_FILTER_SET_REBOOT,
133ddbbe 60 SYSCALL_FILTER_SET_RESOURCES,
6eaaeee9 61 SYSCALL_FILTER_SET_SETUID,
bd2ab3f4 62 SYSCALL_FILTER_SET_SWAP,
8130926d
LP		 63 _SYSCALL_FILTER_SET_MAX
64};
65
66extern const SyscallFilterSet syscall_filter_sets[];
67
68const SyscallFilterSet *syscall_filter_set_find(const char *name);
69
165a31c0
LP		 70int seccomp_filter_set_add(Set *s, bool b, const SyscallFilterSet *set);
71
469830d1
LP		 72int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action);
73int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Set* set, uint32_t action);
add00535 74
469830d1 75int seccomp_restrict_archs(Set *archs);
add00535 76int seccomp_restrict_namespaces(unsigned long retain);
469830d1
LP		 77int seccomp_protect_sysctl(void);
78int seccomp_restrict_address_families(Set *address_families, bool whitelist);
79int seccomp_restrict_realtime(void);
80int seccomp_memory_deny_write_execute(void);
78e864e5 81int seccomp_lock_personality(unsigned long personality);
469830d1
LP		 82
83extern const uint32_t seccomp_local_archs[];
84
85#define SECCOMP_FOREACH_LOCAL_ARCH(arch) \
86 for (unsigned _i = ({ (arch) = seccomp_local_archs[0]; 0; }); \
87 seccomp_local_archs[_i] != (uint32_t) -1; \
88 (arch) = seccomp_local_archs[++_i])
89
90DEFINE_TRIVIAL_CLEANUP_FUNC(scmp_filter_ctx, seccomp_release);
b16bd535
YW		 91
92int parse_syscall_archs(char **l, Set **archs);
Unnamed repository; edit this file 'description' to name the repository.