[thirdparty/systemd.git] / src / shared / seccomp-util.c

/***
  This file is part of systemd.

  Copyright 2014 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/

#include <errno.h>
#include <seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <linux/seccomp.h>

#include "alloc-util.h"
#include "macro.h"
#include "nsflags.h"
#include "seccomp-util.h"
#include "string-util.h"
#include "util.h"

const char* seccomp_arch_to_string(uint32_t c) {
        /* Maintain order used in <seccomp.h>.
         *
         * Names used here should be the same as those used for ConditionArchitecture=,
         * except for "subarchitectures" like x32. */

        switch(c) {
        case SCMP_ARCH_NATIVE:
                return "native";
        case SCMP_ARCH_X86:
                return "x86";
        case SCMP_ARCH_X86_64:
                return "x86-64";
        case SCMP_ARCH_X32:
                return "x32";
        case SCMP_ARCH_ARM:
                return "arm";
        case SCMP_ARCH_AARCH64:
                return "arm64";
        case SCMP_ARCH_MIPS:
                return "mips";
        case SCMP_ARCH_MIPS64:
                return "mips64";
        case SCMP_ARCH_MIPS64N32:
                return "mips64-n32";
        case SCMP_ARCH_MIPSEL:
                return "mips-le";
        case SCMP_ARCH_MIPSEL64:
                return "mips64-le";
        case SCMP_ARCH_MIPSEL64N32:
                return "mips64-le-n32";
        case SCMP_ARCH_PPC:
                return "ppc";
        case SCMP_ARCH_PPC64:
                return "ppc64";
        case SCMP_ARCH_PPC64LE:
                return "ppc64-le";
        case SCMP_ARCH_S390:
                return "s390";
        case SCMP_ARCH_S390X:
                return "s390x";
        default:
                return NULL;
        }
}

int seccomp_arch_from_string(const char *n, uint32_t *ret) {
        if (!n)
                return -EINVAL;

        assert(ret);

        if (streq(n, "native"))
                *ret = SCMP_ARCH_NATIVE;
        else if (streq(n, "x86"))
                *ret = SCMP_ARCH_X86;
        else if (streq(n, "x86-64"))
                *ret = SCMP_ARCH_X86_64;
        else if (streq(n, "x32"))
                *ret = SCMP_ARCH_X32;
        else if (streq(n, "arm"))
                *ret = SCMP_ARCH_ARM;
        else if (streq(n, "arm64"))
                *ret = SCMP_ARCH_AARCH64;
        else if (streq(n, "mips"))
                *ret = SCMP_ARCH_MIPS;
        else if (streq(n, "mips64"))
                *ret = SCMP_ARCH_MIPS64;
        else if (streq(n, "mips64-n32"))
                *ret = SCMP_ARCH_MIPS64N32;
        else if (streq(n, "mips-le"))
                *ret = SCMP_ARCH_MIPSEL;
        else if (streq(n, "mips64-le"))
                *ret = SCMP_ARCH_MIPSEL64;
        else if (streq(n, "mips64-le-n32"))
                *ret = SCMP_ARCH_MIPSEL64N32;
        else if (streq(n, "ppc"))
                *ret = SCMP_ARCH_PPC;
        else if (streq(n, "ppc64"))
                *ret = SCMP_ARCH_PPC64;
        else if (streq(n, "ppc64-le"))
                *ret = SCMP_ARCH_PPC64LE;
        else if (streq(n, "s390"))
                *ret = SCMP_ARCH_S390;
        else if (streq(n, "s390x"))
                *ret = SCMP_ARCH_S390X;
        else
                return -EINVAL;

        return 0;
}

int seccomp_init_conservative(scmp_filter_ctx *ret, uint32_t default_action) {
        scmp_filter_ctx seccomp;
        int r;

        /* Much like seccomp_init(), but tries to be a bit more conservative in its defaults: all secondary archs are
         * added by default, and NNP is turned off. */

        seccomp = seccomp_init(default_action);
        if (!seccomp)
                return -ENOMEM;

        r = seccomp_add_secondary_archs(seccomp);
        if (r < 0)
                goto finish;

        r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
        if (r < 0)
                goto finish;

        *ret = seccomp;
        return 0;

finish:
        seccomp_release(seccomp);
        return r;
}

int seccomp_add_secondary_archs(scmp_filter_ctx ctx) {

        /* Add in all possible secondary archs we are aware of that
         * this kernel might support. */

        static const int seccomp_arches[] = {
#if defined(__i386__) || defined(__x86_64__)
                SCMP_ARCH_X86,
                SCMP_ARCH_X86_64,
                SCMP_ARCH_X32,

#elif defined(__arm__) || defined(__aarch64__)
                SCMP_ARCH_ARM,
                SCMP_ARCH_AARCH64,

#elif defined(__arm__) || defined(__aarch64__)
                SCMP_ARCH_ARM,
                SCMP_ARCH_AARCH64,

#elif defined(__mips__) || defined(__mips64__)
                SCMP_ARCH_MIPS,
                SCMP_ARCH_MIPS64,
                SCMP_ARCH_MIPS64N32,
                SCMP_ARCH_MIPSEL,
                SCMP_ARCH_MIPSEL64,
                SCMP_ARCH_MIPSEL64N32,

#elif defined(__powerpc__) || defined(__powerpc64__)
                SCMP_ARCH_PPC,
                SCMP_ARCH_PPC64,
                SCMP_ARCH_PPC64LE,

#elif defined(__s390__) || defined(__s390x__)
                SCMP_ARCH_S390,
                SCMP_ARCH_S390X,
#endif
        };

        unsigned i;
        int r;

        for (i = 0; i < ELEMENTSOF(seccomp_arches); i++) {
                r = seccomp_arch_add(ctx, seccomp_arches[i]);
                if (r < 0 && r != -EEXIST)
                        return r;
        }

        return 0;
}

static bool is_basic_seccomp_available(void) {
        int r;
        r = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
        return r >= 0;
}

static bool is_seccomp_filter_available(void) {
        int r;
        r = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
        return r < 0 && errno == EFAULT;
}

bool is_seccomp_available(void) {
        static int cached_enabled = -1;
        if (cached_enabled < 0)
                cached_enabled = is_basic_seccomp_available() && is_seccomp_filter_available();
        return cached_enabled;
}

const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
        [SYSCALL_FILTER_SET_DEFAULT] = {
                .name = "@default",
                .help = "System calls that are always permitted",
                .value =
                "clock_getres\0"
                "clock_gettime\0"
                "clock_nanosleep\0"
                "execve\0"
                "exit\0"
                "exit_group\0"
                "getrlimit\0"      /* make sure processes can query stack size and such */
                "gettimeofday\0"
                "nanosleep\0"
                "pause\0"
                "rt_sigreturn\0"
                "sigreturn\0"
                "time\0"
        },
        [SYSCALL_FILTER_SET_BASIC_IO] = {
                .name = "@basic-io",
                .help = "Basic IO",
                .value =
                "close\0"
                "dup2\0"
                "dup3\0"
                "dup\0"
                "lseek\0"
                "pread64\0"
                "preadv\0"
                "pwrite64\0"
                "pwritev\0"
                "read\0"
                "readv\0"
                "write\0"
                "writev\0"
        },
        [SYSCALL_FILTER_SET_CLOCK] = {
                .name = "@clock",
                .help = "Change the system time",
                .value =
                "adjtimex\0"
                "clock_adjtime\0"
                "clock_settime\0"
                "settimeofday\0"
                "stime\0"
        },
        [SYSCALL_FILTER_SET_CPU_EMULATION] = {
                .name = "@cpu-emulation",
                .help = "System calls for CPU emulation functionality",
                .value =
                "modify_ldt\0"
                "subpage_prot\0"
                "switch_endian\0"
                "vm86\0"
                "vm86old\0"
        },
        [SYSCALL_FILTER_SET_DEBUG] = {
                .name = "@debug",
                .help = "Debugging, performance monitoring and tracing functionality",
                .value =
                "lookup_dcookie\0"
                "perf_event_open\0"
                "process_vm_readv\0"
                "process_vm_writev\0"
                "ptrace\0"
                "rtas\0"
#ifdef __NR_s390_runtime_instr
                "s390_runtime_instr\0"
#endif
                "sys_debug_setcontext\0"
        },
        [SYSCALL_FILTER_SET_FILE_SYSTEM] = {
                .name = "@file-system",
                .help = "File system operations",
                .value =
                "access\0"
                "chdir\0"
                "chmod\0"
                "close\0"
                "creat\0"
                "faccessat\0"
                "fallocate\0"
                "fchdir\0"
                "fchmod\0"
                "fchmodat\0"
                "fcntl64\0"
                "fcntl\0"
                "fgetxattr\0"
                "flistxattr\0"
                "fsetxattr\0"
                "fstat64\0"
                "fstat\0"
                "fstatat64\0"
                "fstatfs64\0"
                "fstatfs\0"
                "ftruncate64\0"
                "ftruncate\0"
                "futimesat\0"
                "getcwd\0"
                "getdents64\0"
                "getdents\0"
                "getxattr\0"
                "inotify_add_watch\0"
                "inotify_init1\0"
                "inotify_rm_watch\0"
                "lgetxattr\0"
                "link\0"
                "linkat\0"
                "listxattr\0"
                "llistxattr\0"
                "lremovexattr\0"
                "lsetxattr\0"
                "lstat64\0"
                "lstat\0"
                "mkdir\0"
                "mkdirat\0"
                "mknod\0"
                "mknodat\0"
                "mmap2\0"
                "mmap\0"
                "newfstatat\0"
                "open\0"
                "openat\0"
                "readlink\0"
                "readlinkat\0"
                "removexattr\0"
                "rename\0"
                "renameat2\0"
                "renameat\0"
                "rmdir\0"
                "setxattr\0"
                "stat64\0"
                "stat\0"
                "statfs\0"
                "symlink\0"
                "symlinkat\0"
                "truncate64\0"
                "truncate\0"
                "unlink\0"
                "unlinkat\0"
                "utimensat\0"
                "utimes\0"
        },
        [SYSCALL_FILTER_SET_IO_EVENT] = {
                .name = "@io-event",
                .help = "Event loop system calls",
                .value =
                "_newselect\0"
                "epoll_create1\0"
                "epoll_create\0"
                "epoll_ctl\0"
                "epoll_ctl_old\0"
                "epoll_pwait\0"
                "epoll_wait\0"
                "epoll_wait_old\0"
                "eventfd2\0"
                "eventfd\0"
                "poll\0"
                "ppoll\0"
                "pselect6\0"
                "select\0"
        },
        [SYSCALL_FILTER_SET_IPC] = {
                .name = "@ipc",
                .help = "SysV IPC, POSIX Message Queues or other IPC",
                .value =
                "ipc\0"
                "memfd_create\0"
                "mq_getsetattr\0"
                "mq_notify\0"
                "mq_open\0"
                "mq_timedreceive\0"
                "mq_timedsend\0"
                "mq_unlink\0"
                "msgctl\0"
                "msgget\0"
                "msgrcv\0"
                "msgsnd\0"
                "pipe2\0"
                "pipe\0"
                "process_vm_readv\0"
                "process_vm_writev\0"
                "semctl\0"
                "semget\0"
                "semop\0"
                "semtimedop\0"
                "shmat\0"
                "shmctl\0"
                "shmdt\0"
                "shmget\0"
        },
        [SYSCALL_FILTER_SET_KEYRING] = {
                .name = "@keyring",
                .help = "Kernel keyring access",
                .value =
                "add_key\0"
                "keyctl\0"
                "request_key\0"
        },
        [SYSCALL_FILTER_SET_MODULE] = {
                .name = "@module",
                .help = "Loading and unloading of kernel modules",
                .value =
                "delete_module\0"
                "finit_module\0"
                "init_module\0"
        },
        [SYSCALL_FILTER_SET_MOUNT] = {
                .name = "@mount",
                .help = "Mounting and unmounting of file systems",
                .value =
                "chroot\0"
                "mount\0"
                "pivot_root\0"
                "umount2\0"
                "umount\0"
        },
        [SYSCALL_FILTER_SET_NETWORK_IO] = {
                .name = "@network-io",
                .help = "Network or Unix socket IO, should not be needed if not network facing",
                .value =
                "accept4\0"
                "accept\0"
                "bind\0"
                "connect\0"
                "getpeername\0"
                "getsockname\0"
                "getsockopt\0"
                "listen\0"
                "recv\0"
                "recvfrom\0"
                "recvmmsg\0"
                "recvmsg\0"
                "send\0"
                "sendmmsg\0"
                "sendmsg\0"
                "sendto\0"
                "setsockopt\0"
                "shutdown\0"
                "socket\0"
                "socketcall\0"
                "socketpair\0"
        },
        [SYSCALL_FILTER_SET_OBSOLETE] = {
                /* some unknown even to libseccomp */
                .name = "@obsolete",
                .help = "Unusual, obsolete or unimplemented system calls",
                .value =
                "_sysctl\0"
                "afs_syscall\0"
                "break\0"
                "create_module\0"
                "ftime\0"
                "get_kernel_syms\0"
                "getpmsg\0"
                "gtty\0"
                "lock\0"
                "mpx\0"
                "prof\0"
                "profil\0"
                "putpmsg\0"
                "query_module\0"
                "security\0"
                "sgetmask\0"
                "ssetmask\0"
                "stty\0"
                "sysfs\0"
                "tuxcall\0"
                "ulimit\0"
                "uselib\0"
                "ustat\0"
                "vserver\0"
        },
        [SYSCALL_FILTER_SET_PRIVILEGED] = {
                .name = "@privileged",
                .help = "All system calls which need super-user capabilities",
                .value =
                "@clock\0"
                "@module\0"
                "@raw-io\0"
                "acct\0"
                "bdflush\0"
                "bpf\0"
                "capset\0"
                "chown32\0"
                "chown\0"
                "chroot\0"
                "fchown32\0"
                "fchown\0"
                "fchownat\0"
                "kexec_file_load\0"
                "kexec_load\0"
                "lchown32\0"
                "lchown\0"
                "nfsservctl\0"
                "pivot_root\0"
                "quotactl\0"
                "reboot\0"
                "setdomainname\0"
                "setfsuid32\0"
                "setfsuid\0"
                "setgroups32\0"
                "setgroups\0"
                "sethostname\0"
                "setresuid32\0"
                "setresuid\0"
                "setreuid32\0"
                "setreuid\0"
                "setuid32\0"
                "setuid\0"
                "swapoff\0"
                "swapon\0"
                "_sysctl\0"
                "vhangup\0"
        },
        [SYSCALL_FILTER_SET_PROCESS] = {
                .name = "@process",
                .help = "Process control, execution, namespaceing operations",
                .value =
                "arch_prctl\0"
                "clone\0"
                "execveat\0"
                "fork\0"
                "kill\0"
                "prctl\0"
                "setns\0"
                "tgkill\0"
                "tkill\0"
                "unshare\0"
                "vfork\0"
        },
        [SYSCALL_FILTER_SET_RAW_IO] = {
                .name = "@raw-io",
                .help = "Raw I/O port access",
                .value =
                "ioperm\0"
                "iopl\0"
                "pciconfig_iobase\0"
                "pciconfig_read\0"
                "pciconfig_write\0"
#ifdef __NR_s390_pci_mmio_read
                "s390_pci_mmio_read\0"
#endif
#ifdef __NR_s390_pci_mmio_write
                "s390_pci_mmio_write\0"
#endif
        },
        [SYSCALL_FILTER_SET_REBOOT] = {
                .name = "@reboot",
                .help = "Reboot and reboot preparation/kexec",
                .value =
                "kexec\0"
                "kexec_file_load\0"
                "reboot\0"
        },
        [SYSCALL_FILTER_SET_RESOURCES] = {
                /* Alter resource settings */
                .name = "@resources",
                .value =
                "sched_setparam\0"
                "sched_setscheduler\0"
                "sched_setaffinity\0"
                "setpriority\0"
                "setrlimit\0"
                "set_mempolicy\0"
                "migrate_pages\0"
                "move_pages\0"
                "mbind\0"
                "sched_setattr\0"
                "prlimit64\0"
        },
        [SYSCALL_FILTER_SET_SWAP] = {
                .name = "@swap",
                .help = "Enable/disable swap devices",
                .value =
                "swapoff\0"
                "swapon\0"
        },
};

const SyscallFilterSet *syscall_filter_set_find(const char *name) {
        unsigned i;

        if (isempty(name) || name[0] != '@')
                return NULL;

        for (i = 0; i < _SYSCALL_FILTER_SET_MAX; i++)
                if (streq(syscall_filter_sets[i].name, name))
                        return syscall_filter_sets + i;

        return NULL;
}

int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterSet *set, uint32_t action) {
        const char *sys;
        int r;

        assert(seccomp);
        assert(set);

        NULSTR_FOREACH(sys, set->value) {
                int id;

                if (sys[0] == '@') {
                        const SyscallFilterSet *other;

                        other = syscall_filter_set_find(sys);
                        if (!other)
                                return -EINVAL;

                        r = seccomp_add_syscall_filter_set(seccomp, other, action);
                } else {
                        id = seccomp_syscall_resolve_name(sys);
                        if (id == __NR_SCMP_ERROR)
                                return -EINVAL;

                        r = seccomp_rule_add(seccomp, action, id, 0);
                }
                if (r < 0)
                        return r;
        }

        return 0;
}

int seccomp_load_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action) {
        scmp_filter_ctx seccomp;
        int r;

        assert(set);

        /* The one-stop solution: allocate a seccomp object, add a filter to it, and apply it */

        r = seccomp_init_conservative(&seccomp, default_action);
        if (r < 0)
                return r;

        r = seccomp_add_syscall_filter_set(seccomp, set, action);
        if (r < 0)
                goto finish;

        r = seccomp_load(seccomp);

finish:
        seccomp_release(seccomp);
        return r;
}

int seccomp_restrict_namespaces(unsigned long retain) {
        scmp_filter_ctx seccomp;
        unsigned i;
        int r;

        if (log_get_max_level() >= LOG_DEBUG) {
                _cleanup_free_ char *s = NULL;

                (void) namespace_flag_to_string_many(retain, &s);
                log_debug("Restricting namespace to: %s.", strna(s));
        }

        /* NOOP? */
        if ((retain & NAMESPACE_FLAGS_ALL) == NAMESPACE_FLAGS_ALL)
                return 0;

        r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
        if (r < 0)
                return r;

        if ((retain & NAMESPACE_FLAGS_ALL) == 0)
                /* If every single kind of namespace shall be prohibited, then let's block the whole setns() syscall
                 * altogether. */
                r = seccomp_rule_add(
                                seccomp,
                                SCMP_ACT_ERRNO(EPERM),
                                SCMP_SYS(setns),
                                0);
        else
                /* Otherwise, block only the invocations with the appropriate flags in the loop below, but also the
                 * special invocation with a zero flags argument, right here. */
                r = seccomp_rule_add(
                                seccomp,
                                SCMP_ACT_ERRNO(EPERM),
                                SCMP_SYS(setns),
                                1,
                                SCMP_A1(SCMP_CMP_EQ, 0));
        if (r < 0)
                goto finish;

        for (i = 0; namespace_flag_map[i].name; i++) {
                unsigned long f;

                f = namespace_flag_map[i].flag;
                if ((retain & f) == f) {
                        log_debug("Permitting %s.", namespace_flag_map[i].name);
                        continue;
                }

                log_debug("Blocking %s.", namespace_flag_map[i].name);

                r = seccomp_rule_add(
                                seccomp,
                                SCMP_ACT_ERRNO(EPERM),
                                SCMP_SYS(unshare),
                                1,
                                SCMP_A0(SCMP_CMP_MASKED_EQ, f, f));
                if (r < 0)
                        goto finish;

                r = seccomp_rule_add(
                                seccomp,
                                SCMP_ACT_ERRNO(EPERM),
                                SCMP_SYS(clone),
                                1,
                                SCMP_A0(SCMP_CMP_MASKED_EQ, f, f));
                if (r < 0)
                        goto finish;

                if ((retain & NAMESPACE_FLAGS_ALL) != 0) {
                        r = seccomp_rule_add(
                                        seccomp,
                                        SCMP_ACT_ERRNO(EPERM),
                                        SCMP_SYS(setns),
                                        1,
                                        SCMP_A1(SCMP_CMP_MASKED_EQ, f, f));
                        if (r < 0)
                                goto finish;
                }
        }

        r = seccomp_load(seccomp);

finish:
        seccomp_release(seccomp);
        return r;
}
Commit	Line	Data
57183d11 LP	1	/***
	2	This file is part of systemd.
	3
	4	Copyright 2014 Lennart Poettering
	5
	6	systemd is free software; you can redistribute it and/or modify it
	7	under the terms of the GNU Lesser General Public License as published by
	8	the Free Software Foundation; either version 2.1 of the License, or
	9	(at your option) any later version.
	10
	11	systemd is distributed in the hope that it will be useful, but
	12	WITHOUT ANY WARRANTY; without even the implied warranty of
	13	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	14	Lesser General Public License for more details.
	15
	16	You should have received a copy of the GNU Lesser General Public License
	17	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	18	***/
	19
a8fbdf54	20	#include <errno.h>
57183d11	21	#include <seccomp.h>
a8fbdf54	22	#include <stddef.h>
d347d902 FS	23	#include <sys/prctl.h>
d347d902 FS	24	#include <linux/seccomp.h>
57183d11	25
add00535	26	#include "alloc-util.h"
a8fbdf54	27	#include "macro.h"
add00535	28	#include "nsflags.h"
cf0fbc49	29	#include "seccomp-util.h"
07630cea	30	#include "string-util.h"
8130926d	31	#include "util.h"
57183d11 LP	32
57183d11 LP	33	const char* seccomp_arch_to_string(uint32_t c) {
aa34055f ZJS	34	/* Maintain order used in <seccomp.h>.
	35	*
	36	* Names used here should be the same as those used for ConditionArchitecture=,
	37	* except for "subarchitectures" like x32. */
57183d11	38
aa34055f ZJS	39	switch(c) {
aa34055f ZJS	40	case SCMP_ARCH_NATIVE:
57183d11	41	return "native";
aa34055f	42	case SCMP_ARCH_X86:
57183d11	43	return "x86";
aa34055f	44	case SCMP_ARCH_X86_64:
57183d11	45	return "x86-64";
aa34055f	46	case SCMP_ARCH_X32:
57183d11	47	return "x32";
aa34055f	48	case SCMP_ARCH_ARM:
57183d11	49	return "arm";
aa34055f ZJS	50	case SCMP_ARCH_AARCH64:
	51	return "arm64";
	52	case SCMP_ARCH_MIPS:
	53	return "mips";
	54	case SCMP_ARCH_MIPS64:
	55	return "mips64";
	56	case SCMP_ARCH_MIPS64N32:
	57	return "mips64-n32";
	58	case SCMP_ARCH_MIPSEL:
	59	return "mips-le";
	60	case SCMP_ARCH_MIPSEL64:
	61	return "mips64-le";
	62	case SCMP_ARCH_MIPSEL64N32:
	63	return "mips64-le-n32";
	64	case SCMP_ARCH_PPC:
	65	return "ppc";
	66	case SCMP_ARCH_PPC64:
	67	return "ppc64";
	68	case SCMP_ARCH_PPC64LE:
	69	return "ppc64-le";
	70	case SCMP_ARCH_S390:
6abfd303	71	return "s390";
aa34055f	72	case SCMP_ARCH_S390X:
6abfd303	73	return "s390x";
aa34055f ZJS	74	default:
	75	return NULL;
	76	}
57183d11 LP	77	}
	78
	79	int seccomp_arch_from_string(const char n, uint32_t ret) {
	80	if (!n)
	81	return -EINVAL;
	82
	83	assert(ret);
	84
	85	if (streq(n, "native"))
	86	*ret = SCMP_ARCH_NATIVE;
	87	else if (streq(n, "x86"))
	88	*ret = SCMP_ARCH_X86;
	89	else if (streq(n, "x86-64"))
	90	*ret = SCMP_ARCH_X86_64;
	91	else if (streq(n, "x32"))
	92	*ret = SCMP_ARCH_X32;
	93	else if (streq(n, "arm"))
	94	*ret = SCMP_ARCH_ARM;
aa34055f ZJS	95	else if (streq(n, "arm64"))
	96	*ret = SCMP_ARCH_AARCH64;
	97	else if (streq(n, "mips"))
	98	*ret = SCMP_ARCH_MIPS;
	99	else if (streq(n, "mips64"))
	100	*ret = SCMP_ARCH_MIPS64;
	101	else if (streq(n, "mips64-n32"))
	102	*ret = SCMP_ARCH_MIPS64N32;
	103	else if (streq(n, "mips-le"))
	104	*ret = SCMP_ARCH_MIPSEL;
	105	else if (streq(n, "mips64-le"))
	106	*ret = SCMP_ARCH_MIPSEL64;
	107	else if (streq(n, "mips64-le-n32"))
	108	*ret = SCMP_ARCH_MIPSEL64N32;
	109	else if (streq(n, "ppc"))
	110	*ret = SCMP_ARCH_PPC;
	111	else if (streq(n, "ppc64"))
	112	*ret = SCMP_ARCH_PPC64;
	113	else if (streq(n, "ppc64-le"))
	114	*ret = SCMP_ARCH_PPC64LE;
6abfd303 HB	115	else if (streq(n, "s390"))
	116	*ret = SCMP_ARCH_S390;
	117	else if (streq(n, "s390x"))
	118	*ret = SCMP_ARCH_S390X;
57183d11 LP	119	else
	120	return -EINVAL;
	121
	122	return 0;
	123	}
e9642be2	124
8d7b0c8f LP	125	int seccomp_init_conservative(scmp_filter_ctx *ret, uint32_t default_action) {
	126	scmp_filter_ctx seccomp;
	127	int r;
	128
	129	/* Much like seccomp_init(), but tries to be a bit more conservative in its defaults: all secondary archs are
	130	* added by default, and NNP is turned off. */
	131
	132	seccomp = seccomp_init(default_action);
	133	if (!seccomp)
	134	return -ENOMEM;
	135
	136	r = seccomp_add_secondary_archs(seccomp);
	137	if (r < 0)
	138	goto finish;
	139
	140	r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
	141	if (r < 0)
	142	goto finish;
	143
	144	*ret = seccomp;
	145	return 0;
	146
	147	finish:
	148	seccomp_release(seccomp);
	149	return r;
	150	}
	151
aa34055f	152	int seccomp_add_secondary_archs(scmp_filter_ctx ctx) {
e9642be2 LP	153
	154	/* Add in all possible secondary archs we are aware of that
	155	* this kernel might support. */
	156
aa34055f ZJS	157	static const int seccomp_arches[] = {
	158	#if defined(__i386__) \|\| defined(__x86_64__)
	159	SCMP_ARCH_X86,
	160	SCMP_ARCH_X86_64,
	161	SCMP_ARCH_X32,
	162
	163	#elif defined(__arm__) \|\| defined(__aarch64__)
	164	SCMP_ARCH_ARM,
	165	SCMP_ARCH_AARCH64,
	166
	167	#elif defined(__arm__) \|\| defined(__aarch64__)
	168	SCMP_ARCH_ARM,
	169	SCMP_ARCH_AARCH64,
	170
	171	#elif defined(__mips__) \|\| defined(__mips64__)
	172	SCMP_ARCH_MIPS,
	173	SCMP_ARCH_MIPS64,
	174	SCMP_ARCH_MIPS64N32,
	175	SCMP_ARCH_MIPSEL,
	176	SCMP_ARCH_MIPSEL64,
	177	SCMP_ARCH_MIPSEL64N32,
	178
	179	#elif defined(__powerpc__) \|\| defined(__powerpc64__)
	180	SCMP_ARCH_PPC,
	181	SCMP_ARCH_PPC64,
	182	SCMP_ARCH_PPC64LE,
e9642be2	183
6abfd303	184	#elif defined(__s390__) \|\| defined(__s390x__)
aa34055f ZJS	185	SCMP_ARCH_S390,
	186	SCMP_ARCH_S390X,
	187	#endif
	188	};
6abfd303	189
aa34055f ZJS	190	unsigned i;
aa34055f ZJS	191	int r;
6abfd303	192
aa34055f ZJS	193	for (i = 0; i < ELEMENTSOF(seccomp_arches); i++) {
	194	r = seccomp_arch_add(ctx, seccomp_arches[i]);
	195	if (r < 0 && r != -EEXIST)
	196	return r;
	197	}
e9642be2 LP	198
e9642be2 LP	199	return 0;
e9642be2	200	}
201c1cc2	201
d347d902 FS	202	static bool is_basic_seccomp_available(void) {
	203	int r;
	204	r = prctl(PR_GET_SECCOMP, 0, 0, 0, 0);
	205	return r >= 0;
	206	}
	207
	208	static bool is_seccomp_filter_available(void) {
	209	int r;
	210	r = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, NULL, 0, 0);
	211	return r < 0 && errno == EFAULT;
	212	}
	213
83f12b27	214	bool is_seccomp_available(void) {
83f12b27 FS	215	static int cached_enabled = -1;
83f12b27 FS	216	if (cached_enabled < 0)
d347d902	217	cached_enabled = is_basic_seccomp_available() && is_seccomp_filter_available();
83f12b27 FS	218	return cached_enabled;
	219	}
	220
8130926d	221	const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
40eb6a80	222	[SYSCALL_FILTER_SET_DEFAULT] = {
40eb6a80	223	.name = "@default",
d5efc18b	224	.help = "System calls that are always permitted",
40eb6a80 ZJS	225	.value =
	226	"clock_getres\0"
	227	"clock_gettime\0"
	228	"clock_nanosleep\0"
	229	"execve\0"
	230	"exit\0"
	231	"exit_group\0"
	232	"getrlimit\0" /* make sure processes can query stack size and such */
	233	"gettimeofday\0"
	234	"nanosleep\0"
	235	"pause\0"
	236	"rt_sigreturn\0"
	237	"sigreturn\0"
	238	"time\0"
	239	},
133ddbbe	240	[SYSCALL_FILTER_SET_BASIC_IO] = {
133ddbbe	241	.name = "@basic-io",
d5efc18b	242	.help = "Basic IO",
133ddbbe LP	243	.value =
	244	"close\0"
	245	"dup2\0"
	246	"dup3\0"
	247	"dup\0"
	248	"lseek\0"
	249	"pread64\0"
	250	"preadv\0"
	251	"pwrite64\0"
	252	"pwritev\0"
	253	"read\0"
	254	"readv\0"
	255	"write\0"
	256	"writev\0"
	257	},
8130926d	258	[SYSCALL_FILTER_SET_CLOCK] = {
8130926d	259	.name = "@clock",
d5efc18b	260	.help = "Change the system time",
201c1cc2 TM	261	.value =
201c1cc2 TM	262	"adjtimex\0"
1f9ac68b LP	263	"clock_adjtime\0"
1f9ac68b LP	264	"clock_settime\0"
201c1cc2	265	"settimeofday\0"
1f9ac68b	266	"stime\0"
8130926d LP	267	},
8130926d LP	268	[SYSCALL_FILTER_SET_CPU_EMULATION] = {
8130926d	269	.name = "@cpu-emulation",
d5efc18b	270	.help = "System calls for CPU emulation functionality",
1f9ac68b LP	271	.value =
	272	"modify_ldt\0"
	273	"subpage_prot\0"
	274	"switch_endian\0"
	275	"vm86\0"
	276	"vm86old\0"
8130926d LP	277	},
8130926d LP	278	[SYSCALL_FILTER_SET_DEBUG] = {
8130926d	279	.name = "@debug",
d5efc18b	280	.help = "Debugging, performance monitoring and tracing functionality",
1f9ac68b LP	281	.value =
	282	"lookup_dcookie\0"
	283	"perf_event_open\0"
	284	"process_vm_readv\0"
	285	"process_vm_writev\0"
	286	"ptrace\0"
	287	"rtas\0"
8130926d	288	#ifdef __NR_s390_runtime_instr
1f9ac68b	289	"s390_runtime_instr\0"
8130926d	290	#endif
1f9ac68b	291	"sys_debug_setcontext\0"
8130926d	292	},
1a1b13c9 LP	293	[SYSCALL_FILTER_SET_FILE_SYSTEM] = {
	294	.name = "@file-system",
	295	.help = "File system operations",
	296	.value =
	297	"access\0"
	298	"chdir\0"
	299	"chmod\0"
	300	"close\0"
	301	"creat\0"
	302	"faccessat\0"
	303	"fallocate\0"
	304	"fchdir\0"
	305	"fchmod\0"
	306	"fchmodat\0"
	307	"fcntl64\0"
	308	"fcntl\0"
	309	"fgetxattr\0"
	310	"flistxattr\0"
	311	"fsetxattr\0"
	312	"fstat64\0"
	313	"fstat\0"
	314	"fstatat64\0"
	315	"fstatfs64\0"
	316	"fstatfs\0"
	317	"ftruncate64\0"
	318	"ftruncate\0"
	319	"futimesat\0"
	320	"getcwd\0"
	321	"getdents64\0"
	322	"getdents\0"
	323	"getxattr\0"
	324	"inotify_add_watch\0"
	325	"inotify_init1\0"
	326	"inotify_rm_watch\0"
	327	"lgetxattr\0"
	328	"link\0"
	329	"linkat\0"
	330	"listxattr\0"
	331	"llistxattr\0"
	332	"lremovexattr\0"
	333	"lsetxattr\0"
	334	"lstat64\0"
	335	"lstat\0"
	336	"mkdir\0"
	337	"mkdirat\0"
	338	"mknod\0"
	339	"mknodat\0"
	340	"mmap2\0"
	341	"mmap\0"
	342	"newfstatat\0"
	343	"open\0"
	344	"openat\0"
	345	"readlink\0"
	346	"readlinkat\0"
	347	"removexattr\0"
	348	"rename\0"
	349	"renameat2\0"
	350	"renameat\0"
	351	"rmdir\0"
	352	"setxattr\0"
	353	"stat64\0"
	354	"stat\0"
	355	"statfs\0"
	356	"symlink\0"
357	"symlinkat\0"
358	"truncate64\0"
359	"truncate\0"
360	"unlink\0"
361	"unlinkat\0"
362	"utimensat\0"
363	"utimes\0"
364	},
8130926d	365	[SYSCALL_FILTER_SET_IO_EVENT] = {
8130926d	366	.name = "@io-event",
d5efc18b	367	.help = "Event loop system calls",
201c1cc2 TM	368	.value =
	369	"_newselect\0"
	370	"epoll_create1\0"
	371	"epoll_create\0"
	372	"epoll_ctl\0"
	373	"epoll_ctl_old\0"
	374	"epoll_pwait\0"
	375	"epoll_wait\0"
	376	"epoll_wait_old\0"
	377	"eventfd2\0"
	378	"eventfd\0"
	379	"poll\0"
	380	"ppoll\0"
	381	"pselect6\0"
	382	"select\0"
8130926d LP	383	},
8130926d LP	384	[SYSCALL_FILTER_SET_IPC] = {
8130926d	385	.name = "@ipc",
d5efc18b ZJS	386	.help = "SysV IPC, POSIX Message Queues or other IPC",
	387	.value =
	388	"ipc\0"
cd5bfd7e	389	"memfd_create\0"
201c1cc2 TM	390	"mq_getsetattr\0"
	391	"mq_notify\0"
	392	"mq_open\0"
	393	"mq_timedreceive\0"
	394	"mq_timedsend\0"
	395	"mq_unlink\0"
	396	"msgctl\0"
	397	"msgget\0"
	398	"msgrcv\0"
	399	"msgsnd\0"
cd5bfd7e LP	400	"pipe2\0"
cd5bfd7e LP	401	"pipe\0"
201c1cc2 TM	402	"process_vm_readv\0"
	403	"process_vm_writev\0"
	404	"semctl\0"
	405	"semget\0"
	406	"semop\0"
	407	"semtimedop\0"
	408	"shmat\0"
	409	"shmctl\0"
	410	"shmdt\0"
	411	"shmget\0"
8130926d LP	412	},
8130926d LP	413	[SYSCALL_FILTER_SET_KEYRING] = {
8130926d	414	.name = "@keyring",
d5efc18b	415	.help = "Kernel keyring access",
1f9ac68b LP	416	.value =
	417	"add_key\0"
	418	"keyctl\0"
	419	"request_key\0"
8130926d LP	420	},
8130926d LP	421	[SYSCALL_FILTER_SET_MODULE] = {
8130926d	422	.name = "@module",
d5efc18b	423	.help = "Loading and unloading of kernel modules",
201c1cc2	424	.value =
201c1cc2 TM	425	"delete_module\0"
	426	"finit_module\0"
	427	"init_module\0"
8130926d LP	428	},
8130926d LP	429	[SYSCALL_FILTER_SET_MOUNT] = {
8130926d	430	.name = "@mount",
d5efc18b	431	.help = "Mounting and unmounting of file systems",
201c1cc2 TM	432	.value =
	433	"chroot\0"
	434	"mount\0"
201c1cc2 TM	435	"pivot_root\0"
	436	"umount2\0"
	437	"umount\0"
8130926d LP	438	},
8130926d LP	439	[SYSCALL_FILTER_SET_NETWORK_IO] = {
8130926d	440	.name = "@network-io",
d5efc18b	441	.help = "Network or Unix socket IO, should not be needed if not network facing",
201c1cc2 TM	442	.value =
	443	"accept4\0"
	444	"accept\0"
	445	"bind\0"
	446	"connect\0"
	447	"getpeername\0"
	448	"getsockname\0"
	449	"getsockopt\0"
	450	"listen\0"
	451	"recv\0"
	452	"recvfrom\0"
	453	"recvmmsg\0"
	454	"recvmsg\0"
	455	"send\0"
	456	"sendmmsg\0"
	457	"sendmsg\0"
	458	"sendto\0"
	459	"setsockopt\0"
	460	"shutdown\0"
	461	"socket\0"
	462	"socketcall\0"
	463	"socketpair\0"
8130926d LP	464	},
8130926d LP	465	[SYSCALL_FILTER_SET_OBSOLETE] = {
d5efc18b	466	/* some unknown even to libseccomp */
8130926d	467	.name = "@obsolete",
d5efc18b	468	.help = "Unusual, obsolete or unimplemented system calls",
201c1cc2 TM	469	.value =
	470	"_sysctl\0"
	471	"afs_syscall\0"
	472	"break\0"
1f9ac68b	473	"create_module\0"
201c1cc2 TM	474	"ftime\0"
201c1cc2 TM	475	"get_kernel_syms\0"
201c1cc2 TM	476	"getpmsg\0"
201c1cc2 TM	477	"gtty\0"
201c1cc2	478	"lock\0"
201c1cc2	479	"mpx\0"
201c1cc2 TM	480	"prof\0"
201c1cc2 TM	481	"profil\0"
201c1cc2 TM	482	"putpmsg\0"
201c1cc2 TM	483	"query_module\0"
201c1cc2 TM	484	"security\0"
	485	"sgetmask\0"
	486	"ssetmask\0"
	487	"stty\0"
1f9ac68b	488	"sysfs\0"
201c1cc2 TM	489	"tuxcall\0"
	490	"ulimit\0"
	491	"uselib\0"
1f9ac68b	492	"ustat\0"
201c1cc2	493	"vserver\0"
8130926d LP	494	},
8130926d LP	495	[SYSCALL_FILTER_SET_PRIVILEGED] = {
8130926d	496	.name = "@privileged",
d5efc18b	497	.help = "All system calls which need super-user capabilities",
201c1cc2 TM	498	.value =
	499	"@clock\0"
	500	"@module\0"
	501	"@raw-io\0"
	502	"acct\0"
	503	"bdflush\0"
	504	"bpf\0"
1f9ac68b	505	"capset\0"
201c1cc2 TM	506	"chown32\0"
	507	"chown\0"
	508	"chroot\0"
	509	"fchown32\0"
	510	"fchown\0"
	511	"fchownat\0"
	512	"kexec_file_load\0"
	513	"kexec_load\0"
	514	"lchown32\0"
	515	"lchown\0"
	516	"nfsservctl\0"
	517	"pivot_root\0"
	518	"quotactl\0"
	519	"reboot\0"
	520	"setdomainname\0"
	521	"setfsuid32\0"
	522	"setfsuid\0"
	523	"setgroups32\0"
	524	"setgroups\0"
	525	"sethostname\0"
	526	"setresuid32\0"
	527	"setresuid\0"
	528	"setreuid32\0"
	529	"setreuid\0"
	530	"setuid32\0"
	531	"setuid\0"
201c1cc2 TM	532	"swapoff\0"
201c1cc2 TM	533	"swapon\0"
60f547cf	534	"_sysctl\0"
201c1cc2	535	"vhangup\0"
8130926d LP	536	},
8130926d LP	537	[SYSCALL_FILTER_SET_PROCESS] = {
8130926d	538	.name = "@process",
d5efc18b	539	.help = "Process control, execution, namespaceing operations",
201c1cc2 TM	540	.value =
	541	"arch_prctl\0"
	542	"clone\0"
201c1cc2 TM	543	"execveat\0"
	544	"fork\0"
	545	"kill\0"
	546	"prctl\0"
	547	"setns\0"
	548	"tgkill\0"
	549	"tkill\0"
	550	"unshare\0"
	551	"vfork\0"
8130926d LP	552	},
8130926d LP	553	[SYSCALL_FILTER_SET_RAW_IO] = {
8130926d	554	.name = "@raw-io",
d5efc18b	555	.help = "Raw I/O port access",
201c1cc2 TM	556	.value =
	557	"ioperm\0"
	558	"iopl\0"
1f9ac68b	559	"pciconfig_iobase\0"
201c1cc2 TM	560	"pciconfig_read\0"
201c1cc2 TM	561	"pciconfig_write\0"
8130926d	562	#ifdef __NR_s390_pci_mmio_read
201c1cc2	563	"s390_pci_mmio_read\0"
8130926d LP	564	#endif
8130926d LP	565	#ifdef __NR_s390_pci_mmio_write
201c1cc2	566	"s390_pci_mmio_write\0"
8130926d LP	567	#endif
8130926d LP	568	},
bd2ab3f4 LP	569	[SYSCALL_FILTER_SET_REBOOT] = {
	570	.name = "@reboot",
	571	.help = "Reboot and reboot preparation/kexec",
	572	.value =
	573	"kexec\0"
	574	"kexec_file_load\0"
	575	"reboot\0"
	576	},
133ddbbe LP	577	[SYSCALL_FILTER_SET_RESOURCES] = {
	578	/* Alter resource settings */
	579	.name = "@resources",
	580	.value =
	581	"sched_setparam\0"
	582	"sched_setscheduler\0"
	583	"sched_setaffinity\0"
	584	"setpriority\0"
	585	"setrlimit\0"
	586	"set_mempolicy\0"
	587	"migrate_pages\0"
	588	"move_pages\0"
	589	"mbind\0"
	590	"sched_setattr\0"
	591	"prlimit64\0"
	592	},
bd2ab3f4 LP	593	[SYSCALL_FILTER_SET_SWAP] = {
	594	.name = "@swap",
	595	.help = "Enable/disable swap devices",
	596	.value =
	597	"swapoff\0"
	598	"swapon\0"
	599	},
201c1cc2	600	};
8130926d LP	601
	602	const SyscallFilterSet syscall_filter_set_find(const char name) {
	603	unsigned i;
	604
	605	if (isempty(name) \|\| name[0] != '@')
	606	return NULL;
	607
	608	for (i = 0; i < _SYSCALL_FILTER_SET_MAX; i++)
	609	if (streq(syscall_filter_sets[i].name, name))
	610	return syscall_filter_sets + i;
	611
	612	return NULL;
	613	}
	614
	615	int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterSet *set, uint32_t action) {
	616	const char *sys;
	617	int r;
	618
	619	assert(seccomp);
	620	assert(set);
	621
	622	NULSTR_FOREACH(sys, set->value) {
	623	int id;
	624
	625	if (sys[0] == '@') {
	626	const SyscallFilterSet *other;
	627
	628	other = syscall_filter_set_find(sys);
	629	if (!other)
	630	return -EINVAL;
	631
	632	r = seccomp_add_syscall_filter_set(seccomp, other, action);
	633	} else {
	634	id = seccomp_syscall_resolve_name(sys);
	635	if (id == __NR_SCMP_ERROR)
	636	return -EINVAL;
	637
	638	r = seccomp_rule_add(seccomp, action, id, 0);
	639	}
	640	if (r < 0)
	641	return r;
	642	}
	643
	644	return 0;
	645	}
a3be2849 LP	646
	647	int seccomp_load_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action) {
	648	scmp_filter_ctx seccomp;
	649	int r;
	650
	651	assert(set);
	652
	653	/* The one-stop solution: allocate a seccomp object, add a filter to it, and apply it */
	654
	655	r = seccomp_init_conservative(&seccomp, default_action);
	656	if (r < 0)
	657	return r;
	658
	659	r = seccomp_add_syscall_filter_set(seccomp, set, action);
	660	if (r < 0)
	661	goto finish;
	662
	663	r = seccomp_load(seccomp);
	664
	665	finish:
	666	seccomp_release(seccomp);
	667	return r;
add00535 LP	668	}
	669
	670	int seccomp_restrict_namespaces(unsigned long retain) {
	671	scmp_filter_ctx seccomp;
	672	unsigned i;
	673	int r;
	674
	675	if (log_get_max_level() >= LOG_DEBUG) {
	676	_cleanup_free_ char *s = NULL;
	677
	678	(void) namespace_flag_to_string_many(retain, &s);
	679	log_debug("Restricting namespace to: %s.", strna(s));
	680	}
	681
	682	/* NOOP? */
	683	if ((retain & NAMESPACE_FLAGS_ALL) == NAMESPACE_FLAGS_ALL)
	684	return 0;
	685
	686	r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW);
	687	if (r < 0)
	688	return r;
	689
	690	if ((retain & NAMESPACE_FLAGS_ALL) == 0)
	691	/* If every single kind of namespace shall be prohibited, then let's block the whole setns() syscall
	692	* altogether. */
	693	r = seccomp_rule_add(
	694	seccomp,
	695	SCMP_ACT_ERRNO(EPERM),
	696	SCMP_SYS(setns),
	697	0);
	698	else
	699	/* Otherwise, block only the invocations with the appropriate flags in the loop below, but also the
	700	* special invocation with a zero flags argument, right here. */
	701	r = seccomp_rule_add(
	702	seccomp,
	703	SCMP_ACT_ERRNO(EPERM),
	704	SCMP_SYS(setns),
	705	1,
	706	SCMP_A1(SCMP_CMP_EQ, 0));
	707	if (r < 0)
	708	goto finish;
	709
	710	for (i = 0; namespace_flag_map[i].name; i++) {
	711	unsigned long f;
	712
	713	f = namespace_flag_map[i].flag;
	714	if ((retain & f) == f) {
	715	log_debug("Permitting %s.", namespace_flag_map[i].name);
	716	continue;
	717	}
a3be2849	718
add00535 LP	719	log_debug("Blocking %s.", namespace_flag_map[i].name);
	720
	721	r = seccomp_rule_add(
	722	seccomp,
	723	SCMP_ACT_ERRNO(EPERM),
	724	SCMP_SYS(unshare),
	725	1,
	726	SCMP_A0(SCMP_CMP_MASKED_EQ, f, f));
	727	if (r < 0)
	728	goto finish;
	729
	730	r = seccomp_rule_add(
	731	seccomp,
	732	SCMP_ACT_ERRNO(EPERM),
	733	SCMP_SYS(clone),
	734	1,
	735	SCMP_A0(SCMP_CMP_MASKED_EQ, f, f));
	736	if (r < 0)
	737	goto finish;
	738
	739	if ((retain & NAMESPACE_FLAGS_ALL) != 0) {
	740	r = seccomp_rule_add(
	741	seccomp,
	742	SCMP_ACT_ERRNO(EPERM),
	743	SCMP_SYS(setns),
	744	1,
	745	SCMP_A1(SCMP_CMP_MASKED_EQ, f, f));
	746	if (r < 0)
	747	goto finish;
	748	}
	749	}
	750
	751	r = seccomp_load(seccomp);
	752
	753	finish:
	754	seccomp_release(seccomp);
	755	return r;
a3be2849	756	}