159c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat// Copyright 2015 The Chromium Authors. All rights reserved. 259c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat// Use of this source code is governed by a BSD-style license that can be 359c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat// found in the LICENSE file. 459c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat 559c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#ifndef SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SECCOMP_H_ 659c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SECCOMP_H_ 759c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat 859c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat// The Seccomp2 kernel ABI is not part of older versions of glibc. 959c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat// As we can't break compilation with these versions of the library, 1059c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat// we explicitly define all missing symbols. 1159c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat// If we ever decide that we can now rely on system headers, the following 1259c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat// include files should be enabled: 1359c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat// #include <linux/audit.h> 1459c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat// #include <linux/seccomp.h> 1559c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat 1659c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat// For audit.h 1759c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#ifndef EM_ARM 1859c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define EM_ARM 40 1959c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#endif 2059c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#ifndef EM_386 2159c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define EM_386 3 2259c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#endif 2359c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#ifndef EM_X86_64 2459c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define EM_X86_64 62 2559c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#endif 2659c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#ifndef EM_MIPS 2759c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define EM_MIPS 8 2859c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#endif 2959c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#ifndef EM_AARCH64 3059c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define EM_AARCH64 183 3159c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#endif 3259c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat 3359c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#ifndef __AUDIT_ARCH_64BIT 3459c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define __AUDIT_ARCH_64BIT 0x80000000 3559c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#endif 3659c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#ifndef __AUDIT_ARCH_LE 3759c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define __AUDIT_ARCH_LE 0x40000000 3859c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#endif 3959c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#ifndef AUDIT_ARCH_ARM 4059c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE) 4159c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#endif 4259c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#ifndef AUDIT_ARCH_I386 4359c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define AUDIT_ARCH_I386 (EM_386|__AUDIT_ARCH_LE) 4459c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#endif 4559c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#ifndef AUDIT_ARCH_X86_64 4659c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define AUDIT_ARCH_X86_64 (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) 4759c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#endif 4859c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#ifndef AUDIT_ARCH_MIPSEL 4959c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define AUDIT_ARCH_MIPSEL (EM_MIPS|__AUDIT_ARCH_LE) 5059c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#endif 5159c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#ifndef AUDIT_ARCH_AARCH64 5259c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define AUDIT_ARCH_AARCH64 (EM_AARCH64 | __AUDIT_ARCH_64BIT | __AUDIT_ARCH_LE) 5359c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#endif 5459c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat 5559c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat// For prctl.h 5659c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#ifndef PR_SET_SECCOMP 5759c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define PR_SET_SECCOMP 22 5859c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define PR_GET_SECCOMP 21 5959c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#endif 6059c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#ifndef PR_SET_NO_NEW_PRIVS 6159c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define PR_SET_NO_NEW_PRIVS 38 6259c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define PR_GET_NO_NEW_PRIVS 39 6359c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#endif 6459c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#ifndef IPC_64 6559c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define IPC_64 0x0100 6659c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#endif 6759c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat 6859c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat// In order to build will older tool chains, we currently have to avoid 6959c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat// including <linux/seccomp.h>. Until that can be fixed (if ever). Rely on 7059c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat// our own definitions of the seccomp kernel ABI. 7159c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#ifndef SECCOMP_MODE_FILTER 7259c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define SECCOMP_MODE_DISABLED 0 7359c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define SECCOMP_MODE_STRICT 1 7459c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define SECCOMP_MODE_FILTER 2 // User user-supplied filter 7559c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#endif 7659c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat 7759c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#ifndef SECCOMP_SET_MODE_STRICT 7859c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define SECCOMP_SET_MODE_STRICT 0 7959c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#endif 8059c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#ifndef SECCOMP_SET_MODE_FILTER 8159c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define SECCOMP_SET_MODE_FILTER 1 8259c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#endif 8359c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#ifndef SECCOMP_FILTER_FLAG_TSYNC 8459c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define SECCOMP_FILTER_FLAG_TSYNC 1 8559c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#endif 8659c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat 8759c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#ifndef SECCOMP_RET_KILL 8859c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat// Return values supported for BPF filter programs. Please note that the 8959c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat// "illegal" SECCOMP_RET_INVALID is not supported by the kernel, should only 9059c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat// ever be used internally, and would result in the kernel killing our process. 9159c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define SECCOMP_RET_KILL 0x00000000U // Kill the task immediately 9259c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define SECCOMP_RET_INVALID 0x00010000U // Illegal return value 9359c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define SECCOMP_RET_TRAP 0x00030000U // Disallow and force a SIGSYS 9459c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define SECCOMP_RET_ERRNO 0x00050000U // Returns an errno 9559c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define SECCOMP_RET_TRACE 0x7ff00000U // Pass to a tracer or disallow 9659c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define SECCOMP_RET_ALLOW 0x7fff0000U // Allow 9759c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define SECCOMP_RET_ACTION 0xffff0000U // Masks for the return value 9859c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define SECCOMP_RET_DATA 0x0000ffffU // sections 9959c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#else 10059c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define SECCOMP_RET_INVALID 0x00010000U // Illegal return value 10159c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#endif 10259c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat 10359c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#ifndef SYS_SECCOMP 10459c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#define SYS_SECCOMP 1 10559c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#endif 10659c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat 10759c5f4b0fb104e8e4806e4934a3d5d112ad695abDaniel Erat#endif // SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SECCOMP_H_ 108