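// Copyright 2014 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#ifndef SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_
#define SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_

#include <signal.h>
#include <stdint.h>
#include <sys/types.h>

#include <cstddef>

#include "sandbox/sandbox_export.h"

// Forward declarations only: this header passes these kernel structures by
// pointer and never needs their layout.
struct sock_fprog;
struct rlimit64;
struct cap_hdr;
struct cap_data;

namespace sandbox {

// Provide direct system call wrappers for a few common system calls.
// These are guaranteed to perform a system call and do not rely on things such
// as caching the current pid (cf. getpid()) unless otherwise specified.
//
// NOTE(review): the error convention is not visible in this header. The
// wrappers presumably return -1 and set errno on failure, like their libc
// counterparts; confirm against the implementation file. Sandbox setup code
// should treat a failure of any privilege-reducing call here (sys_seccomp,
// sys_capset, sys_chroot, sys_unshare, sys_prlimit64) as fatal instead of
// continuing with a weaker sandbox than intended.

// Returns the caller's process ID, always asking the kernel rather than using
// a value cached in user space.
SANDBOX_EXPORT pid_t sys_getpid(void);

// Returns the caller's thread ID via a direct system call.
SANDBOX_EXPORT pid_t sys_gettid(void);

// Single-argument form of clone.
// NOTE(review): presumably forwards to the five-argument overload below with
// null |ptid| and |ctid|; confirm in the implementation.
SANDBOX_EXPORT long sys_clone(unsigned long flags);

// |regs| is not supported and must be passed as nullptr. |child_stack| must be
// nullptr, since otherwise this function cannot safely return. As a
// consequence, this function does not support CLONE_VM.
// Both restrictions are enforced at compile time by the std::nullptr_t
// parameter types: no non-null pointer can be passed for either argument.
SANDBOX_EXPORT long sys_clone(unsigned long flags,
                              std::nullptr_t child_stack,
                              pid_t* ptid,
                              pid_t* ctid,
                              std::nullptr_t regs);

// Wrapper for exit_group(2), which terminates every thread of the calling
// process with |status|.
// NOTE(review): declared void rather than [[noreturn]]; presumably it never
// returns, so callers should not place required cleanup after it.
SANDBOX_EXPORT void sys_exit_group(int status);

// The official system call takes |args| as void*  (in order to be extensible),
// but add more typing for the cases that are currently used.
// |operation| and |flags| are handed to seccomp(2); |args| is the BPF filter
// program. The kernel refuses to install a filter unless the caller has set
// no_new_privs or holds CAP_SYS_ADMIN (see seccomp(2)), so the return value
// must be checked before assuming the filter is active.
SANDBOX_EXPORT int sys_seccomp(unsigned int operation,
                               unsigned int flags,
                               const struct sock_fprog* args);

// Some libcs do not expose a prlimit64 wrapper.
// Per prlimit(2), a null |new_limit| leaves the limit unchanged and a null
// |old_limit| skips reporting the previous value.
// NOTE(review): confirm the wrapper passes null pointers through unchanged.
SANDBOX_EXPORT int sys_prlimit64(pid_t pid,
                                 int resource,
                                 const struct rlimit64* new_limit,
                                 struct rlimit64* old_limit);

// Some libcs do not expose capget/capset wrappers. We want to use these
// directly in order to avoid pulling in libcap2.
// The number of cap_data elements the kernel reads or writes through |datap|
// depends on the version field in |hdrp| (see capget(2)); the caller must size
// the buffer to match, or the kernel will access memory past a single struct.
SANDBOX_EXPORT int sys_capget(struct cap_hdr* hdrp, struct cap_data* datap);
SANDBOX_EXPORT int sys_capset(struct cap_hdr* hdrp,
                              const struct cap_data* datap);

// Some libcs do not expose getresuid/getresgid wrappers.
// These report the real, effective and saved IDs, which makes them suitable
// for verifying a privilege drop: a saved ID that was not dropped is visible
// here even when the effective ID already looks unprivileged.
SANDBOX_EXPORT int sys_getresuid(uid_t* ruid, uid_t* euid, uid_t* suid);
SANDBOX_EXPORT int sys_getresgid(gid_t* rgid, gid_t* egid, gid_t* sgid);

// Some libcs do not expose a chroot wrapper.
// chroot(2) does not change the working directory; callers normally follow it
// with chdir("/") so that nothing outside the new root stays reachable through
// the current directory.
SANDBOX_EXPORT int sys_chroot(const char* path);

// Some libcs do not expose an unshare wrapper.
// |flags| is the CLONE_* mask handed to unshare(2).
SANDBOX_EXPORT int sys_unshare(int flags);

// Some libcs do not expose a sigprocmask. Note that |oldset| must be nullptr,
// because of an ABI gap between the toolchain's and Linux's definitions
// (presumably of sigset_t; confirm against the implementation). As with
// sys_clone, the std::nullptr_t parameter type enforces this at compile time.
SANDBOX_EXPORT int sys_sigprocmask(int how,
                                   const sigset_t* set,
                                   std::nullptr_t oldset);

// Some libcs do not expose a sigaction().
// NOTE(review): unlike sys_sigprocmask, |oldact| is a real out-parameter here;
// whether the same ABI gap applies to struct sigaction is not visible in this
// header. Confirm how the implementation converts it.
SANDBOX_EXPORT int sys_sigaction(int signum,
                                 const struct sigaction* act,
                                 struct sigaction* oldact);

}  // namespace sandbox

#endif  // SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_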