/*
 * This file is part of systemd.
 *
 * Copyright 2014 Lennart Poettering
 *
 * systemd is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Lesser General Public License as published by
 * the Free Software Foundation; either version 2.1 of the License, or
 * (at your option) any later version.
 *
 * systemd is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License
 * along with systemd; if not, see <http://www.gnu.org/licenses/>.
 */
23 #include <sys/prctl.h>
24 #include <linux/seccomp.h>
27 #include "seccomp-util.h"
28 #include "string-util.h"
/* Returns a string for the libseccomp architecture constant c.
 *
 * The listing keeps only the comparisons against SCMP_ARCH_NATIVE, SCMP_ARCH_X86,
 * SCMP_ARCH_X86_64, SCMP_ARCH_X32 and SCMP_ARCH_ARM. The string returned for each match and
 * the result for a constant outside this list are not shown here.
 * NOTE(review): confirm what callers receive for an unrecognised architecture before using
 * the result in a log line or a format string. */
30 const char* seccomp_arch_to_string(uint32_t c
) {
32 if (c
== SCMP_ARCH_NATIVE
)
34 if (c
== SCMP_ARCH_X86
)
36 if (c
== SCMP_ARCH_X86_64
)
38 if (c
== SCMP_ARCH_X32
)
40 if (c
== SCMP_ARCH_ARM
)
/* Parses the architecture name n and stores the matching libseccomp constant in *ret.
 *
 * Names tested, in order: "native", "x86", "x86-64", "x32", "arm". The listing shows the
 * assignments for "native" and "x86-64" only; the assignments for the other three names, the
 * branch taken for an unknown name and the return statements are not shown here.
 * NOTE(review): no NULL check on n or ret is visible in this listing, and n is passed straight
 * to streq(); confirm against the full source before feeding it unvalidated configuration
 * input. */
46 int seccomp_arch_from_string(const char *n
, uint32_t *ret
) {
52 if (streq(n
, "native"))
53 *ret
= SCMP_ARCH_NATIVE
;
54 else if (streq(n
, "x86"))
56 else if (streq(n
, "x86-64"))
57 *ret
= SCMP_ARCH_X86_64
;
58 else if (streq(n
, "x32"))
60 else if (streq(n
, "arm"))
/* Registers additional architectures on the seccomp filter context c.
 *
 * The calls are compiled only on i386 and x86-64 builds. There the x86, x86-64 and x32
 * architectures are each passed to seccomp_arch_add(). A negative result other than -EEXIST
 * is treated as a failure, so an architecture that is already present in the context is
 * tolerated. The statements that follow each failure check, the matching #endif and the final
 * return are not shown in this listing.
 * NOTE(review): whether a filter applies to a process's non-native ABI depends on these
 * additions succeeding; confirm callers check the return value. */
68 int seccomp_add_secondary_archs(scmp_filter_ctx
*c
) {
70 #if defined(__i386__) || defined(__x86_64__)
73 /* Add in all possible secondary archs we are aware of that
74 * this kernel might support. */
76 r
= seccomp_arch_add(c
, SCMP_ARCH_X86
);
77 if (r
< 0 && r
!= -EEXIST
)
80 r
= seccomp_arch_add(c
, SCMP_ARCH_X86_64
);
81 if (r
< 0 && r
!= -EEXIST
)
84 r
= seccomp_arch_add(c
, SCMP_ARCH_X32
);
85 if (r
< 0 && r
!= -EEXIST
)
/* Probes for basic seccomp support by calling prctl(PR_GET_SECCOMP, 0, 0, 0, 0) and keeping
 * the result in r. The declaration of r and the statement that turns r into the boolean
 * result are not shown in this listing.
 * NOTE(review): confirm which values of r count as "available". */
94 static bool is_basic_seccomp_available(void) {
96 r
= prctl(PR_GET_SECCOMP
, 0, 0, 0, 0);
/* Probes for seccomp filter-mode support without installing a filter.
 *
 * The kernel is asked to switch to SECCOMP_MODE_FILTER with a NULL filter pointer, a request
 * that is expected to fail. Only a failure with errno == EFAULT counts as "available"; any
 * other outcome, including an unexpected success, yields false. Per prctl(2), EFAULT reports
 * the bad filter address, whereas a kernel built without filter support reports EINVAL for
 * this request. */
static bool is_seccomp_filter_available(void) {
        /* The && guarantees prctl() has run before errno is read. */
        return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0) < 0 && errno == EFAULT;
}
/* Reports whether seccomp is usable: both the basic probe and the filter-mode probe must
 * succeed.
 *
 * The answer is computed on the first call and kept in a function-local static (-1 means
 * "not probed yet"), so later calls return the stored value without probing the kernel again.
 * The cache is a plain static int; no locking is applied to it here. */
bool is_seccomp_available(void) {
        static int probe_result = -1;

        if (probe_result >= 0)
                return probe_result;

        probe_result = is_basic_seccomp_available() && is_seccomp_filter_available();
        return probe_result;
}
113 const SystemCallFilterSet syscall_filter_sets
[] = {
116 .set_name
= "@clock",
124 /* CPU emulation calls */
125 .set_name
= "@cpu-emulation",
133 /* Debugging/Performance Monitoring/Tracing */
134 .set_name
= "@debug",
139 "process_vm_writev\0"
142 "s390_runtime_instr\0"
143 "sys_debug_setcontext\0"
146 .set_name
= "@default",
151 "getrlimit\0" /* make sure processes can query stack size and such */
156 .set_name
= "@io-event",
173 /* Message queues, SYSV IPC or other IPC: unusual */
187 "process_vm_writev\0"
198 .set_name
= "@keyring",
204 /* Kernel module control */
205 .set_name
= "@module",
212 .set_name
= "@mount",
221 /* Network or Unix socket IO, should not be needed if not network facing */
222 .set_name
= "@network-io",
246 /* Unusual, obsolete or unimplemented, some unknown even to libseccomp */
247 .set_name
= "@obsolete",
274 /* Nice grab-bag of all system calls which need superuser capabilities */
275 .set_name
= "@privileged",
315 /* Process control, execution, namespaces */
316 .set_name
= "@process",
332 .set_name
= "@raw-io",
339 "s390_pci_mmio_read\0"
340 "s390_pci_mmio_write\0"