2 * seccomp example for x86 (32-bit and 64-bit) with BPF macros
4 * Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev@chromium.org>
6 * Will Drewry <wad@chromium.org>
7 * Kees Cook <keescook@chromium.org>
9 * The code may be used by anyone for any purpose, and can serve as a
10 * starting point for developing applications using mode 2 seccomp.
12 #ifndef _SECCOMP_BPF_H_
13 #define _SECCOMP_BPF_H_
23 #include <sys/prctl.h>
25 #include <linux/unistd.h>
26 #include <linux/audit.h>
27 #include <linux/filter.h>
28 #include <linux/seccomp.h>
30 #ifndef SECCOMP_MODE_FILTER
31 # define SECCOMP_MODE_FILTER 2 /* uses user-supplied filter. */
32 # define SECCOMP_RET_KILL 0x00000000U /* kill the task immediately */
33 # define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */
34 # define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */
38 __u64 instruction_pointer;
43 # define SYS_SECCOMP 1
46 #define syscall_nr (offsetof(struct seccomp_data, nr))
47 #define arch_nr (offsetof(struct seccomp_data, arch))
50 # define REG_SYSCALL REG_EAX
51 # define ARCH_NR AUDIT_ARCH_I386
52 #elif defined(__x86_64__)
53 # define REG_SYSCALL REG_RAX
54 # define ARCH_NR AUDIT_ARCH_X86_64
56 # warning "Platform does not support seccomp filter yet"
57 # define REG_SYSCALL 0
61 #define VALIDATE_ARCHITECTURE \
62 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, arch_nr), \
63 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, ARCH_NR, 1, 0), \
64 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
66 #define EXAMINE_SYSCALL \
67 BPF_STMT(BPF_LD+BPF_W+BPF_ABS, syscall_nr)
69 #define ALLOW_SYSCALL(name) \
70 BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_##name, 0, 1), \
71 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW)
73 #define _KILL_PROCESS \
74 BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL)
76 #endif /* _SECCOMP_BPF_H_ */