/* syscall_filter.h
 * Copyright 2012 The ChromiumOS Authors
 * Use of this source code is governed by a BSD-style license that can be
 * found in the LICENSE file.
 *
 * Syscall filter functions.
 */
8
9 #ifndef SYSCALL_FILTER_H
10 #define SYSCALL_FILTER_H
11
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#include "bpf.h"
15
16 #ifdef __cplusplus
17 extern "C" {
18 #endif
19
/*
 * One node in a linked list of BPF instruction blocks.  A policy is compiled
 * into a chain of these (see compile_file()) and later copied into one
 * contiguous `struct sock_filter` array by flatten_block_list().
 *
 * Ownership: the whole chain, including each block's `instrs`, is released
 * with free_block_list(); callers should not free members individually.
 * (Inferred from the prototypes below — confirm against syscall_filter.c.)
 */
struct filter_block {
	struct sock_filter *instrs; /* BPF instructions held by this block */
	size_t len;                 /* presumably the entry count of `instrs` — confirm */

	struct filter_block *next;  /* following block in the chain (presumably NULL at the tail) */
	struct filter_block *last;  /* NOTE(review): looks like a tail pointer maintained on the head node — confirm */
	size_t total_len;           /* NOTE(review): presumably the instruction count of the entire chain — confirm */
};
28
/*
 * Position within a policy file.  Used for diagnostics, and (via the
 * `previous_syscalls` table handled by compile_file() and
 * free_previous_syscalls()) presumably to remember where a syscall was
 * first listed so that duplicates can be reported with a location.
 */
struct parser_state {
	const char *filename; /* policy file being parsed; ownership not visible here — confirm */
	size_t line_number;   /* current line within `filename` (0- or 1-based: confirm) */
};
33
/*
 * Action a compiled filter takes for a syscall the policy does not allow.
 * The names mirror the kernel's SECCOMP_RET_* return values; the exact
 * mapping lives in the implementation — confirm there before relying on it.
 *
 * Security notes (assuming the obvious mapping):
 *  - KILL presumably terminates only the offending thread, whereas
 *    KILL_PROCESS terminates the whole process; for multithreaded
 *    programs the latter is the safer default because a surviving sibling
 *    thread keeps running after a policy violation.
 *  - LOG presumably lets the syscall proceed and only records it, so a
 *    filter built with it does not enforce the policy; treat it as a
 *    policy-development mode, not a production setting.
 */
enum block_action {
	ACTION_RET_KILL = 0,     /* default action when none is requested */
	ACTION_RET_TRAP,         /* presumably deliver SIGSYS instead of killing */
	ACTION_RET_LOG,          /* presumably allow-and-log (non-enforcing) */
	ACTION_RET_KILL_PROCESS, /* presumably kill the entire process */
};
40
/*
 * Options controlling how a policy file is compiled.  Passed read-only to
 * compile_file() and compile_filter().
 *
 * Each of the "allow"/"include" knobs below can only enlarge the set of
 * permitted syscalls or relax a policy check, so policies compiled with any
 * of them set deserve a second look.  Exact semantics are not visible in
 * this header — confirm in syscall_filter.c.
 */
struct filter_options {
	enum block_action action;       /* action for syscalls the policy does not allow (presumably) */
	int allow_logging;              /* non-zero presumably permits logging of filtered syscalls — confirm */
	int allow_syscalls_for_logging; /* non-zero presumably adds the syscalls logging itself needs — confirm */
	bool allow_duplicate_syscalls;  /* accept a syscall listed more than once; build-time default in allow_duplicate_syscalls() */
	bool include_libc_compatibility_allowlist; /* add the libc-compatibility allowlist; build-time default in allow_libc_compatibility_syscalls() */
};
48
/* Opaque label table for BPF jump targets; defined in bpf.h (presumably). */
struct bpf_labels;

/**
 * Compile a single policy line into a new filter block.
 *
 * @param state       Parser position, used for diagnostics.
 * @param nr          Syscall number the line applies to (presumably).
 * @param policy_line Text of the rule for that syscall.
 * @param label_id    Label identifier for this block's jump targets (presumably).
 * @param labels      Label table shared by the whole filter.
 * @param action      Action to emit when the rule does not match (presumably).
 * @return A newly allocated block to be linked into a list and released via
 *         free_block_list(); NULL on failure — assumed, confirm in the
 *         implementation.
 */
struct filter_block *compile_policy_line(struct parser_state *state, int nr,
                                         const char *policy_line,
                                         unsigned int label_id,
                                         struct bpf_labels *labels,
                                         enum block_action action);

/**
 * Compile every line of a policy file, appending blocks to an existing list.
 *
 * @param filename          Name reported in diagnostics.
 * @param policy_file       Open stream to read; the caller presumably keeps
 *                          ownership and closes it.
 * @param head              List the compiled blocks are appended to.
 * @param arg_blocks        Out-parameter receiving blocks for argument
 *                          filters (presumably).
 * @param labels            Label table shared by the whole filter.
 * @param filteropts        Read-only compilation options.
 * @param previous_syscalls In/out table of syscalls already seen, used for
 *                          duplicate detection; release with
 *                          free_previous_syscalls() (presumably).
 * @param include_level     Current nesting depth of included policy files.
 *                          NOTE(review): this should be bounded in the
 *                          implementation so that self-including policies
 *                          cannot recurse without limit — confirm.
 * @return 0 on success, non-zero on error — assumed, confirm.
 */
int compile_file(const char *filename, FILE *policy_file,
                 struct filter_block *head, struct filter_block **arg_blocks,
                 struct bpf_labels *labels,
                 const struct filter_options *filteropts,
                 struct parser_state **previous_syscalls,
                 unsigned int include_level);

/**
 * Compile a policy file into a complete seccomp BPF program.
 *
 * @param filename    Name reported in diagnostics.
 * @param policy_file Open stream to read.
 * @param prog        Receives the finished program.  Who allocates and
 *                    frees prog->filter is not visible here — confirm
 *                    before installing or discarding it.
 * @param filteropts  Read-only compilation options.
 * @return 0 on success, non-zero on error — assumed, confirm.
 */
int compile_filter(const char *filename, FILE *policy_file,
                   struct sock_fprog *prog,
                   const struct filter_options *filteropts);

/** Allocate an empty filter block; presumably NULL on allocation failure. */
struct filter_block *new_filter_block(void);

/**
 * Copy the instructions of every block reachable from @head into
 * @filter, starting at @index.
 *
 * @param cap Capacity of @filter in entries; presumably the implementation
 *            refuses to write past it — confirm, since this is the bounds
 *            check that keeps a long policy from overrunning the program.
 * @return Presumably the next free index, or a negative value when the
 *         blocks do not fit — confirm.
 */
int flatten_block_list(struct filter_block *head, struct sock_filter *filter,
                       size_t index, size_t cap);

/** Release a block list and (presumably) every block's instructions. */
void free_block_list(struct filter_block *head);

/** Release the duplicate-detection table built by compile_file(). */
void free_previous_syscalls(struct parser_state **previous_syscalls);

/**
 * NOTE(review): the name suggests this reports whether a seccomp setup
 * failure may be tolerated instead of being fatal — confirm in
 * syscall_filter.c.  Silently continuing without a filter weakens the
 * sandbox, so callers that take the soft-fail path should at least log it.
 */
int seccomp_can_softfail(void);
/*
 * Build-time default for whether a policy may list the same syscall more
 * than once.  True only when compiled with ALLOW_DUPLICATE_SYSCALLS defined;
 * the per-compilation override is filter_options.allow_duplicate_syscalls.
 */
static inline bool allow_duplicate_syscalls(void)
{
#ifdef ALLOW_DUPLICATE_SYSCALLS
	return true;
#else
	return false;
#endif
}
82
/*
 * Build-time default for whether the libc-compatibility allowlist is added
 * to every policy.  True only when compiled with
 * ALLOW_LIBC_COMPATIBILITY_SYSCALLS defined; the per-compilation override is
 * filter_options.include_libc_compatibility_allowlist.
 */
static inline bool allow_libc_compatibility_syscalls(void)
{
#ifdef ALLOW_LIBC_COMPATIBILITY_SYSCALLS
	return true;
#else
	return false;
#endif
}
90
91 #ifdef __cplusplus
92 }; /* extern "C" */
93 #endif
94
95 #endif /* SYSCALL_FILTER_H */
96