db9ecf05 | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
2 | #pragma once |
3 | ||
a60e9f7f | 4 | #include <seccomp.h> |
f6281133 | 5 | #include <stdbool.h> |
a8fbdf54 | 6 | #include <stdint.h> |
57183d11 | 7 | |
8 | #include "errno-list.h" |
9 | #include "parse-util.h" | |
469830d1 | 10 | #include "set.h" |
005bfaf1 | 11 | #include "string-util.h" |
469830d1 | 12 | |
/* Conversion between libseccomp architecture identifiers (uint32_t, the SCMP_ARCH_* constants) and
 * their textual names. seccomp_arch_from_string() stores the identifier in *ret; the return
 * convention (presumably a negative errno on failure) is defined in seccomp-util.c — confirm there. */
const char* seccomp_arch_to_string(uint32_t c);
int seccomp_arch_from_string(const char *n, uint32_t *ret);

/* Initializes a libseccomp filter context in *ret for a single architecture, with 'default_action'
 * as the action applied to syscalls no rule matches. */
int seccomp_init_for_arch(scmp_filter_ctx *ret, uint32_t arch, uint32_t default_action);

/* Whether seccomp filtering can be used at all on this system. */
bool is_seccomp_available(void);

/* A named group of syscalls that can be referenced as a unit in a filter. Instances live in the
 * syscall_filter_sets[] table below and are looked up by name via syscall_filter_set_find(). */
typedef struct SyscallFilterSet {
        const char *name;   /* identifier the set is looked up by */
        const char *help;   /* human-readable description of the set */
        const char *value;  /* the member list; its encoding is not visible from this header */
} SyscallFilterSet;

/* Identifiers for the built-in filter sets; presumably used as indices into syscall_filter_sets[]
 * (confirm against the table definition). _SYSCALL_FILTER_SET_MAX is the count, not a set. */
enum {
        /* Please leave DEFAULT first and KNOWN last, but sort the rest alphabetically */
        SYSCALL_FILTER_SET_DEFAULT,
        SYSCALL_FILTER_SET_AIO,
        SYSCALL_FILTER_SET_BASIC_IO,
        SYSCALL_FILTER_SET_CHOWN,
        SYSCALL_FILTER_SET_CLOCK,
        SYSCALL_FILTER_SET_CPU_EMULATION,
        SYSCALL_FILTER_SET_DEBUG,
        SYSCALL_FILTER_SET_FILE_SYSTEM,
        SYSCALL_FILTER_SET_IO_EVENT,
        SYSCALL_FILTER_SET_IPC,
        SYSCALL_FILTER_SET_KEYRING,
        SYSCALL_FILTER_SET_MEMLOCK,
        SYSCALL_FILTER_SET_MODULE,
        SYSCALL_FILTER_SET_MOUNT,
        SYSCALL_FILTER_SET_NETWORK_IO,
        SYSCALL_FILTER_SET_OBSOLETE,
        SYSCALL_FILTER_SET_PKEY,
        SYSCALL_FILTER_SET_PRIVILEGED,
        SYSCALL_FILTER_SET_PROCESS,
        SYSCALL_FILTER_SET_RAW_IO,
        SYSCALL_FILTER_SET_REBOOT,
        SYSCALL_FILTER_SET_RESOURCES,
        SYSCALL_FILTER_SET_SETUID,
        SYSCALL_FILTER_SET_SIGNAL,
        SYSCALL_FILTER_SET_SWAP,
        SYSCALL_FILTER_SET_SYNC,
        SYSCALL_FILTER_SET_SYSTEM_SERVICE,
        SYSCALL_FILTER_SET_TIMER,
        SYSCALL_FILTER_SET_KNOWN,
        _SYSCALL_FILTER_SET_MAX
};

/* Table of all built-in filter sets. */
extern const SyscallFilterSet syscall_filter_sets[];

/* Looks a set up by name. Returns a pointer into syscall_filter_sets[], or NULL when there is no
 * match (inferred from the pointer return type — confirm in seccomp-util.c). */
const SyscallFilterSet *syscall_filter_set_find(const char *name);

/* Adds the syscalls of 'set' to the Hashmap 's'. The meaning of 'b' is not visible from this header
 * (presumably whether entries are being added or removed) — confirm against the definition. */
int seccomp_filter_set_add(Hashmap *s, bool b, const SyscallFilterSet *set);

/* Adds a rule applying 'action' to the syscall (or set) named 'name' to the libseccomp context.
 * From the parameter names, and to be confirmed against the definition: names in 'exclude' are
 * skipped, 'log_missing' controls how syscalls unknown to libseccomp are reported, and when 'added'
 * is non-NULL the names actually added are appended to it. */
int seccomp_add_syscall_filter_item(
                scmp_filter_ctx *ctx,
                const char *name,
                uint32_t action,
                char **exclude,
                bool log_missing,
                char ***added);

/* Build a filter that applies 'action' to the given set (or to the raw Hashmap of syscall names)
 * on top of 'default_action', and load it into the calling process. */
int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action, bool log_missing);
int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, uint32_t action, bool log_missing);

/* Bit flags for seccomp_parse_syscall_filter(); may be OR-ed together. The semantics below are
 * inferred from the names — confirm against seccomp_parse_syscall_filter() before relying on them. */
typedef enum SeccompParseFlags {
        SECCOMP_PARSE_INVERT     = 1 << 0, /* the parsed list is inverted */
        SECCOMP_PARSE_ALLOW_LIST = 1 << 1, /* the target Hashmap is an allow list rather than a deny list */
        SECCOMP_PARSE_LOG        = 1 << 2, /* log problems while parsing */
        SECCOMP_PARSE_PERMISSIVE = 1 << 3, /* tolerate unknown entries instead of failing */
} SeccompParseFlags;

/* Parses one filter entry 'name' (a syscall name or a set reference) and records it in 'filter'
 * with 'errno_num' as its value; see SeccompParseFlags for 'flags'. 'unit', 'filename' and 'line'
 * appear to be diagnostic context only (from the signature — confirm). */
int seccomp_parse_syscall_filter(
                const char *name,
                int errno_num,
                Hashmap *filter,
                SeccompParseFlags flags,
                const char *unit,
                const char *filename, unsigned line);

/* Sandboxing helpers; each installs a seccomp filter into the calling process. Callers use
 * ERRNO_IS_SECCOMP_FATAL() (below) to distinguish hard failures from ones that may be tolerated. */
int seccomp_restrict_archs(Set *archs);
int seccomp_restrict_namespaces(unsigned long retain);   /* 'retain': presumably a mask of namespace flags that stay permitted */
int seccomp_protect_sysctl(void);
int seccomp_protect_syslog(void);
int seccomp_restrict_address_families(Set *address_families, bool allow_list);
int seccomp_restrict_realtime(void);
int seccomp_memory_deny_write_execute(void);
int seccomp_lock_personality(unsigned long personality);
int seccomp_protect_hostname(void);
int seccomp_restrict_suid_sgid(void);

/* Architectures libseccomp can filter on this host, terminated by SECCOMP_LOCAL_ARCH_END. An entry
 * set to SECCOMP_LOCAL_ARCH_BLOCKED is skipped by SECCOMP_FOREACH_LOCAL_ARCH(). */
extern uint32_t seccomp_local_archs[];

#define SECCOMP_LOCAL_ARCH_END UINT32_MAX

/* Note: 0 is safe to use here because although SCMP_ARCH_NATIVE is 0, it would
 * never be in the seccomp_local_archs array anyway so we can use it as a
 * marker. */
#define SECCOMP_LOCAL_ARCH_BLOCKED 0

/* Iterates 'arch' over seccomp_local_archs[], skipping blocked entries. Uses the GCC/clang
 * statement-expression extension to seed 'arch' in the for-init clause. The loop body is the
 * statement following the hidden 'if', so brace multi-statement bodies, and never follow the
 * body with an 'else' — it would bind to that hidden 'if'. */
#define SECCOMP_FOREACH_LOCAL_ARCH(arch) \
        for (unsigned _i = ({ (arch) = seccomp_local_archs[0]; 0; }); \
             (arch) != SECCOMP_LOCAL_ARCH_END; \
             (arch) = seccomp_local_archs[++_i]) \
                if ((arch) != SECCOMP_LOCAL_ARCH_BLOCKED)

/* EACCES: does not have the CAP_SYS_ADMIN or no_new_privs == 1
 * ENOMEM: out of memory, failed to allocate space for a libseccomp structure, or would exceed a defined constant
 * EFAULT: addresses passed as args (by libseccomp) are invalid
 * EPERM: also treated as fatal here; not described in the original note — see seccomp(2) for when it is reported.
 * 'r' may be given as a positive or negative errno; abs() normalises it before the comparison. */
#define ERRNO_IS_SECCOMP_FATAL(r) \
        IN_SET(abs(r), EPERM, EACCES, ENOMEM, EFAULT)

/* Generates a cleanup helper for _cleanup_-annotated scmp_filter_ctx variables that calls
 * seccomp_release() unless the value is NULL (the generated name follows the project's usual
 * "<func>p" convention — confirm in the macro definition). */
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(scmp_filter_ctx, seccomp_release, NULL);

/* Parses a list of architecture names 'l' into a Set of architecture identifiers in *ret_archs. */
int parse_syscall_archs(char **l, Set **ret_archs);

/* The libseccomp action used for "kill" — presumably a kill-process action where the installed
 * libseccomp provides it, with a fallback otherwise; confirm in seccomp-util.c. */
uint32_t scmp_act_kill_process(void);

/* Special value to be used where syscall filters otherwise expect errno numbers; it is replaced
 * with the real seccomp "kill" action when the filter is built (see seccomp_parse_errno_or_action()
 * below). INT_MAX - 1 cannot collide with a real errno. Note that INT_MAX needs <limits.h>, which
 * this header does not include directly — it presumably arrives via one of the project headers. */
enum {
        SECCOMP_ERROR_NUMBER_KILL = INT_MAX - 1,
};

/* True if 'n' is either the special kill marker or a valid errno number. */
static inline bool seccomp_errno_or_action_is_valid(int n) {
        if (n == SECCOMP_ERROR_NUMBER_KILL)
                return true;

        return errno_is_valid(n);
}

/* Parses 'p' as either the literal "kill" (mapped to SECCOMP_ERROR_NUMBER_KILL) or an errno via
 * parse_errno(). Anything parse_errno() reports for unparsable input is passed through unchanged. */
static inline int seccomp_parse_errno_or_action(const char *p) {
        return streq_ptr(p, "kill") ? SECCOMP_ERROR_NUMBER_KILL : parse_errno(p);
}

/* Inverse of seccomp_parse_errno_or_action(): "kill" for the marker, otherwise the errno name
 * as returned by errno_to_name(). */
static inline const char *seccomp_errno_or_action_to_string(int num) {
        return num == SECCOMP_ERROR_NUMBER_KILL ? "kill" : errno_to_name(num);
}

/* Splits a combined syscall/errno entry 'in' into the syscall name (*name) and the parsed errno or
 * action (*error). The input format and the ownership of *name are not visible from this header —
 * presumably *name is newly allocated and owned by the caller; confirm in the definition. */
int parse_syscall_and_errno(const char *in, char **name, int *error);