// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_
#define SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_

#include <signal.h>
#include <stdint.h>
#include <sys/types.h>

#include <cstddef>

#include "sandbox/sandbox_export.h"

// Only forward-declared here; this header never needs the full definitions
// because every use below is through a pointer.
struct sock_fprog;
struct rlimit64;
struct cap_hdr;
struct cap_data;

namespace sandbox {

// Provide direct system call wrappers for a few common system calls.
// These are guaranteed to perform a system call and do not rely on things such
// as caching the current pid (cf. getpid()) unless otherwise specified.
//
// NOTE(review): the error convention (-1 with errno set vs. a negative errno
// value) is not visible in this header; confirm against the implementation
// before writing error checks.
//
// Several of these wrappers are used to reduce privilege (seccomp, prlimit64,
// capset, chroot, unshare). None of the declarations force the caller to look
// at the result, so callers should check every return value and treat a
// failure as fatal: a step that fails unnoticed leaves the process running
// with the privileges it was meant to give up.

// Returns the process id of the caller, obtained through a system call.
SANDBOX_EXPORT pid_t sys_getpid(void);

// Returns the thread id of the caller.
SANDBOX_EXPORT pid_t sys_gettid(void);

// Single-argument form of clone. Presumably equivalent to the five-argument
// overload below with every pointer argument null -- confirm against the
// implementation.
SANDBOX_EXPORT long sys_clone(unsigned long flags);

// |regs| is not supported and must be passed as nullptr. |child_stack| must be
// nullptr, since otherwise this function cannot safely return. As a
// consequence, this function does not support CLONE_VM.
// Both restrictions are enforced at compile time: the parameters are typed
// std::nullptr_t, so a real stack or register pointer does not convert.
// |ptid| and |ctid| keep their positions from clone(2).
SANDBOX_EXPORT long sys_clone(unsigned long flags,
                              std::nullptr_t child_stack,
                              pid_t* ptid,
                              pid_t* ctid,
                              std::nullptr_t regs);

// Wrapper for exit_group(2), which terminates every thread of the calling
// process with |status|. The declaration is not marked noreturn, so the
// compiler does not assume control flow ends at the call site.
SANDBOX_EXPORT void sys_exit_group(int status);

// The official system call takes |args| as void* (in order to be extensible),
// but add more typing for the cases that are currently used.
// |args| is typed as a sock_fprog, i.e. a BPF filter program; presumably the
// only operation in use is installing a filter -- confirm against callers.
SANDBOX_EXPORT int sys_seccomp(unsigned int operation,
                               unsigned int flags,
                               const struct sock_fprog* args);

// Some libcs do not expose a prlimit64 wrapper.
// |new_limit| is an input (const) and |old_limit| an output. prlimit(2) allows
// either pointer to be null; whether this wrapper forwards null unchanged is
// not visible here.
SANDBOX_EXPORT int sys_prlimit64(pid_t pid,
                                 int resource,
                                 const struct rlimit64* new_limit,
                                 struct rlimit64* old_limit);

// Some libcs do not expose capget/capset wrappers. We want to use these
// directly in order to avoid pulling in libcap2.
// NOTE(review): |hdrp| is non-const in both calls. In capget(2)/capset(2) the
// kernel may write the preferred version back into the header, and the number
// of data elements accessed through |datap| depends on the version stored in
// the header. Confirm that callers size the |datap| buffer for the version
// they request.
SANDBOX_EXPORT int sys_capget(struct cap_hdr* hdrp, struct cap_data* datap);
SANDBOX_EXPORT int sys_capset(struct cap_hdr* hdrp,
                              const struct cap_data* datap);

// Some libcs do not expose getresuid/getresgid wrappers.
// All three parameters are outputs; by name they are the real, effective and
// saved ids. Reading them back after a privilege change confirms that the
// change took effect.
SANDBOX_EXPORT int sys_getresuid(uid_t* ruid, uid_t* euid, uid_t* suid);
SANDBOX_EXPORT int sys_getresgid(gid_t* rgid, gid_t* egid, gid_t* sgid);

// Some libcs do not expose a chroot wrapper.
// NOTE(review): chroot(2) does not change the current working directory.
// Nothing in this declaration suggests the wrapper does so either, so callers
// are expected to chdir into the new root themselves.
SANDBOX_EXPORT int sys_chroot(const char* path);

// Some libcs do not expose an unshare wrapper.
SANDBOX_EXPORT int sys_unshare(int flags);

// Some libcs do not expose a sigprocmask. Note that |oldset| must be nullptr,
// because of an ABI gap between the toolchain's and Linux's definitions
// (presumably of sigset_t -- confirm). The std::nullptr_t parameter type
// enforces this at compile time, so the previous mask cannot be retrieved
// through this wrapper.
SANDBOX_EXPORT int sys_sigprocmask(int how,
                                   const sigset_t* set,
                                   std::nullptr_t oldset);

// Some libcs do not expose a sigaction().
// |act| is the new disposition (input) and |oldact| receives the previous
// one, as in sigaction(2).
SANDBOX_EXPORT int sys_sigaction(int signum,
                                 const struct sigaction* act,
                                 struct sigaction* oldact);

}  // namespace sandbox

#endif  // SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_