include: introduce seccomp.h
authorThomas Weißschuh <thomas@t-8ch.de>
Fri, 2 Feb 2024 14:28:30 +0000 (15:28 +0100)
committerThomas Weißschuh <thomas@t-8ch.de>
Mon, 5 Feb 2024 11:23:32 +0000 (12:23 +0100)
It will be used by setpriv in a future commit.

Signed-off-by: Thomas Weißschuh <thomas@t-8ch.de>
include/Makemodule.am
include/seccomp.h [new file with mode: 0644]
misc-utils/enosys.c

index c08e24c2dad075e892ef68874abf03effce22ee9..50a8546128edd44e6e13e5ac4d2f4215dc37b902 100644 (file)
@@ -64,6 +64,7 @@ dist_noinst_HEADERS += \
        include/pt-sun.h \
        include/randutils.h \
        include/rpmatch.h \
+       include/seccomp.h \
        include/sha1.h \
        include/sha256.h \
        include/shells.h \
diff --git a/include/seccomp.h b/include/seccomp.h
new file mode 100644 (file)
index 0000000..2b21143
--- /dev/null
@@ -0,0 +1,24 @@
+/*
+ * SPDX-License-Identifier: GPL-2.0-or-later
+ *
+ * Copyright (C) 2024 Thomas Weißschuh <thomas@t-8ch.de>
+ */
+
+#ifndef UL_SECCOMP_H
+#define UL_SECCOMP_H
+
+#include <linux/filter.h>
+#include <linux/seccomp.h>
+#include <sys/prctl.h>
+
+static int ul_set_seccomp_filter_spec_allow(const struct sock_fprog *prog)
+{
+#if defined(__NR_seccomp) && defined(SECCOMP_SET_MODE_FILTER) && defined(SECCOMP_FILTER_FLAG_SPEC_ALLOW)
+       if (!syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_SPEC_ALLOW, prog))
+               return 0;
+#endif
+
+       return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, prog);
+}
+
+#endif /* UL_SECCOMP_H */
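Review bot: The new header is not self-contained: `ul_set_seccomp_filter_spec_allow()` calls `syscall()` and tests `__NR_seccomp`, yet the header includes only `<linux/filter.h>`, `<linux/seccomp.h>` and `<sys/prctl.h>` — neither `<unistd.h>` nor `<sys/syscall.h>`. In enosys.c this goes unnoticed only because `<sys/syscall.h>` is already included before `"seccomp.h"`; a future includer (the setpriv mentioned in the description) that omits it would see `__NR_seccomp` undefined, the `#if` guard would silently drop the SECCOMP_FILTER_FLAG_SPEC_ALLOW path, and the function would quietly degrade to the plain `prctl(PR_SET_SECCOMP, ...)` installation despite its name. Add `#include <sys/syscall.h>` and `#include <unistd.h>` alongside the existing includes so the guard is evaluated the same way in every translation unit. Separately, a non-inline `static` function defined in a header triggers -Wunused-function in any file that includes it without calling it; declare it `static inline int ul_set_seccomp_filter_spec_allow(const struct sock_fprog *prog)`, and consider a short comment above it noting that the SPEC_ALLOW variant is preferred and the prctl() path is a fallback for kernels or headers lacking seccomp(2).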
index 22096dfe0b2b5e06a6d6ee951302ab9e831dfcc7..b806c7054b147d61a8eb40e8028b5c23548907d6 100644 (file)
@@ -21,8 +21,6 @@
 #include <getopt.h>
 
 #include <linux/unistd.h>
-#include <linux/filter.h>
-#include <linux/seccomp.h>
 #include <linux/audit.h>
 #include <sys/prctl.h>
 #include <sys/syscall.h>
@@ -36,6 +34,7 @@
 #include "list.h"
 #include "xalloc.h"
 #include "strutils.h"
+#include "seccomp.h"
 
 #define IS_LITTLE_ENDIAN (__BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__)
 
 #define syscall_arg_lower32(n) (_syscall_arg(n) + 4 * !IS_LITTLE_ENDIAN)
 #define syscall_arg_upper32(n) (_syscall_arg(n) + 4 * IS_LITTLE_ENDIAN)
 
-static int set_seccomp_filter(const void *prog)
-{
-#if defined(__NR_seccomp) && defined(SECCOMP_SET_MODE_FILTER) && defined(SECCOMP_FILTER_FLAG_SPEC_ALLOW)
-       if (!syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_SPEC_ALLOW, prog))
-               return 0;
-#endif
-
-       return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, prog);
-}
-
 struct syscall {
        const char *const name;
        long number;
@@ -258,7 +247,7 @@ int main(int argc, char **argv)
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
                err_nosys(EXIT_FAILURE, _("Could not run prctl(PR_SET_NO_NEW_PRIVS)"));
 
-       if (set_seccomp_filter(&prog))
+       if (ul_set_seccomp_filter_spec_allow(&prog))
                err_nosys(EXIT_FAILURE, _("Could not seccomp filter"));
 
        if (execvp(argv[optind], argv + optind))