1 /*
2  * seccomp example for x86 (32-bit and 64-bit) with BPF macros
3  *
4  * Copyright (c) 2012 The Chromium OS Authors <chromium-os-dev@chromium.org>
5  * Authors:
6  * Will Drewry <wad@chromium.org>
7  * Kees Cook <keescook@chromium.org>
8  *
9  * Use of this source code is governed by a BSD-style license that can be
10  * found in the LICENSE file.
11  */
12 #ifndef _SECCOMP_BPF_H_
13 #define _SECCOMP_BPF_H_
14 
#define _GNU_SOURCE 1
/*
 * NOTE(review): a feature-test macro only takes effect if it is defined
 * before the FIRST libc header is pulled in. This is a header, so any
 * translation unit that includes <stdio.h>/<signal.h> before seccomp-bpf.h
 * gets nothing from the line above (and may get a redefinition warning).
 * REG_SYSCALL below expands to REG_EAX/REG_RAX, which presumably come from the
 * GNU-only ucontext register index definitions, so such a unit would fail to
 * compile at its first use of REG_SYSCALL. Either include this header first or
 * define _GNU_SOURCE on the compiler command line.
 */
#include <stdio.h>
#include <stddef.h>
#include <stdlib.h>
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <unistd.h>

#include <sys/prctl.h>
/*
 * Fallback for a libc whose <sys/prctl.h> predates this request. The value is
 * the kernel's; PR_SET_NO_NEW_PRIVS is what a caller sets before installing a
 * filter from an unprivileged process (NOTE(review): confirm against the
 * installer code, which is outside this header).
 */
#ifndef PR_SET_NO_NEW_PRIVS
# define PR_SET_NO_NEW_PRIVS 38
#endif
28 
29 #include <linux/unistd.h>
30 #include <linux/audit.h>
31 #include <linux/filter.h>
32 #ifdef HAVE_LINUX_SECCOMP_H
33 # include <linux/seccomp.h>
34 #endif
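#ifndef SECCOMP_MODE_FILTER
/*
 * Fallback definitions for builds where <linux/seccomp.h> was not included
 * (HAVE_LINUX_SECCOMP_H unset) or is too old. The constants mirror the kernel
 * UAPI values: the kernel interprets them, so they must not be changed.
 */
# define SECCOMP_MODE_FILTER 2 /* uses user-supplied filter. */
# define SECCOMP_RET_KILL 0x00000000U /* kill the task immediately */
# define SECCOMP_RET_TRAP 0x00030000U /* disallow and force a SIGSYS */
# define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */
/*
 * The record the kernel hands to the filter for every syscall. Its layout is
 * kernel ABI and must match field for field: the BPF loads in this header
 * address members via offsetof(), so a missing or reordered member silently
 * makes the filter read the wrong data. In particular keep instruction_pointer
 * between arch and args; without it args[] is shifted by 8 bytes and any
 * offsetof(args) load in a filter reads garbage.
 */
struct seccomp_data {
	int nr;                    /* syscall number (syscall_nr load below) */
	__u32 arch;                /* AUDIT_ARCH_* of the calling ABI (arch_nr load below) */
	__u64 instruction_pointer; /* caller's instruction pointer (kernel UAPI field) */
	__u64 args[6];             /* syscall arguments (kernel UAPI field) */
};
#endif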
/*
 * NOTE(review): SYS_SECCOMP is the si_code a SIGSYS handler checks to tell a
 * seccomp trap (SECCOMP_RET_TRAP above forces a SIGSYS) from other SIGSYS
 * sources. Older libc <signal.h> may not define it, so supply the kernel's
 * value here.
 */
#ifndef SYS_SECCOMP
# define SYS_SECCOMP 1
#endif
50 
/* Byte offsets into struct seccomp_data used by the BPF_ABS loads below. */
#define syscall_nr (offsetof(struct seccomp_data, nr))
#define arch_nr (offsetof(struct seccomp_data, arch))

/*
 * Per-ABI constants. ARCH_NR is the AUDIT_ARCH_* value this build expects in
 * seccomp_data.arch; REG_SYSCALL is the ucontext register index a SIGSYS
 * handler can use to recover the syscall number. The two x86 ABIs use
 * different syscall numbers, which is why a filter must pin the architecture
 * (VALIDATE_ARCHITECTURE) before comparing any __NR_* value.
 *
 * On an unsupported target both fall back to 0. In practice no AUDIT_ARCH_*
 * constant is 0, so VALIDATE_ARCHITECTURE then matches nothing and the filter
 * kills every syscall instead of silently allowing them (fail closed).
 */
#ifdef __x86_64__
# define REG_SYSCALL REG_RAX
# define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__i386__)
# define REG_SYSCALL REG_EAX
# define ARCH_NR AUDIT_ARCH_I386
#else
# warning "Platform does not support seccomp filter yet"
# define REG_SYSCALL 0
# define ARCH_NR 0
#endif

/*
 * Filter fragments. Each expands to one or more struct sock_filter
 * initialisers and is meant to be listed, in order, inside an array
 * initialiser; the jump offsets are relative to the fragment itself.
 *
 * VALIDATE_ARCHITECTURE: load seccomp_data.arch and continue only when it
 * equals ARCH_NR; any other ABI returns KILL. Place it first, because
 * ALLOW_SYSCALL compares against this build's __NR_* numbers, which mean
 * something different under another ABI (e.g. a 32-bit caller on a 64-bit
 * kernel).
 */
#define VALIDATE_ARCHITECTURE \
	BPF_STMT(BPF_LD | BPF_W | BPF_ABS, arch_nr), \
	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0), \
	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL)

/* EXAMINE_SYSCALL: load seccomp_data.nr into the accumulator for the
 * ALLOW_SYSCALL comparisons that follow. */
#define EXAMINE_SYSCALL \
	BPF_STMT(BPF_LD | BPF_W | BPF_ABS, syscall_nr)

/*
 * ALLOW_SYSCALL(name): if the accumulator holds __NR_name, return ALLOW;
 * otherwise skip the return and fall through to the next fragment.
 *
 * NOTE(review): these are allow-list primitives and rely on a trailing
 * KILL_PROCESS as the default action. Building a deny-list from them would
 * not be safe on x86_64 without also rejecting x32 ABI numbers (bit 30 set):
 * those pass VALIDATE_ARCHITECTURE yet never equal the native __NR_* values.
 */
#define ALLOW_SYSCALL(name) \
	BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_##name, 0, 1), \
	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/*
 * KILL_PROCESS: the default action, listed last.
 *
 * NOTE(review): despite the name this returns SECCOMP_RET_KILL, which on
 * kernels that distinguish the two (4.14+, where it is spelled
 * SECCOMP_RET_KILL_THREAD) kills only the calling thread. A multithreaded
 * program that wants the whole process gone should return
 * SECCOMP_RET_KILL_PROCESS where its headers provide it.
 */
#define KILL_PROCESS \
	BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL)
80 
81 #endif /* _SECCOMP_BPF_H_ */