src/shared/seccomp-util.h

   1 #pragma once
   2
   3 /***
   4   This file is part of systemd.
   5
   6   Copyright 2014 Lennart Poettering
   7
   8   systemd is free software; you can redistribute it and/or modify it
   9   under the terms of the GNU Lesser General Public License as published by
  10   the Free Software Foundation; either version 2.1 of the License, or
  11   (at your option) any later version.
  12
  13   systemd is distributed in the hope that it will be useful, but
  14   WITHOUT ANY WARRANTY; without even the implied warranty of
  15   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  16   Lesser General Public License for more details.
  17
  18   You should have received a copy of the GNU Lesser General Public License
  19   along with systemd; If not, see <http://www.gnu.org/licenses/>.
  20 ***/
  21
  22 #include <seccomp.h>
  23 #include <stdbool.h>
  24 #include <stdint.h>
  25
  26 const char* seccomp_arch_to_string(uint32_t c);
  27 int seccomp_arch_from_string(const char *n, uint32_t *ret);
  28
  29 int seccomp_init_conservative(scmp_filter_ctx *ret, uint32_t default_action);
  30
  31 int seccomp_add_secondary_archs(scmp_filter_ctx c);
  32
  33 bool is_seccomp_available(void);
  34
  35 typedef struct SyscallFilterSet {
  36         const char *name;
  37         const char *help;
  38         const char *value;
  39 } SyscallFilterSet;
  40
  41 enum {
  42         /* Please leave DEFAULT first, but sort the rest alphabetically */
  43         SYSCALL_FILTER_SET_DEFAULT,
  44         SYSCALL_FILTER_SET_BASIC_IO,
  45         SYSCALL_FILTER_SET_CLOCK,
  46         SYSCALL_FILTER_SET_CPU_EMULATION,
  47         SYSCALL_FILTER_SET_DEBUG,
  48         SYSCALL_FILTER_SET_IO_EVENT,
  49         SYSCALL_FILTER_SET_IPC,
  50         SYSCALL_FILTER_SET_KEYRING,
  51         SYSCALL_FILTER_SET_MODULE,
  52         SYSCALL_FILTER_SET_MOUNT,
  53         SYSCALL_FILTER_SET_NETWORK_IO,
  54         SYSCALL_FILTER_SET_OBSOLETE,
  55         SYSCALL_FILTER_SET_PRIVILEGED,
  56         SYSCALL_FILTER_SET_PROCESS,
  57         SYSCALL_FILTER_SET_RAW_IO,
  58         SYSCALL_FILTER_SET_RESOURCES,
  59         _SYSCALL_FILTER_SET_MAX
  60 };
  61
  62 extern const SyscallFilterSet syscall_filter_sets[];
  63
  64 const SyscallFilterSet *syscall_filter_set_find(const char *name);
  65
  66 int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterSet *set, uint32_t action);
  67
  68 int seccomp_load_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action);
  69
  70 int seccomp_restrict_namespaces(unsigned long retain);