2 files changed, 73 insertions, 4 deletions
diff --git a/include/linux/Kbuild b/include/linux/Kbuild
index 3c9b616c834a..5c93d6c5d591 100644
--- a/include/linux/Kbuild
+++ b/include/linux/Kbuild
@@ -332,6 +332,7 @@ header-y += scc.h
 header-y += sched.h
 header-y += screen_info.h
 header-y += sdla.h
+header-y += seccomp.h
 header-y += securebits.h
 header-y += selinux_netlink.h
 header-y += sem.h
diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h
index d61f27fcaa97..86bb68fc7683 100644
--- a/include/linux/seccomp.h
+++ b/include/linux/seccomp.h
@@ -1,14 +1,67 @@
 #ifndef _LINUX_SECCOMP_H
 #define _LINUX_SECCOMP_H
+#include <linux/compiler.h>
+#include <linux/types.h>
+/* Valid values for seccomp.mode and prctl(PR_SET_SECCOMP, <mode>) */
+#define SECCOMP_MODE_DISABLED   0 /* seccomp is not in use. */
+#define SECCOMP_MODE_STRICT     1 /* uses hard-coded filter. */
+#define SECCOMP_MODE_FILTER     2 /* uses user-supplied filter. */
+/*
+ * All BPF programs must return a 32-bit value.
+ * The bottom 16-bits are reserved for future use.
+ * The upper 16-bits are ordered from least permissive values to most.
+ *
+ * The ordering ensures that a min_t() over composed return values always
+ * selects the least permissive choice.
+ */
+#define SECCOMP_RET_KILL        0x00000000U /* kill the task immediately */
+#define SECCOMP_RET_ALLOW       0x7fff0000U /* allow */
+/* Masks for the return value sections. */
+#define SECCOMP_RET_ACTION      0x7fff0000U
+#define SECCOMP_RET_DATA        0x0000ffffU
+/**
+ * struct seccomp_data - the format the BPF program executes over.
+ * @nr: the system call number
+ * @arch: indicates system call convention as an AUDIT_ARCH_* value
+ *        as defined in <linux/audit.h>.
+ * @instruction_pointer: at the time of the system call.
+ * @args: up to 6 system call arguments always stored as 64-bit values
+ *        regardless of the architecture.
+ */
+struct seccomp_data {
+        int nr;
+        __u32 arch;
+        __u64 instruction_pointer;
+        __u64 args[6];
+};
+#ifdef __KERNEL__
 #ifdef CONFIG_SECCOMP
 #include <linux/thread_info.h>
 #include <asm/seccomp.h>
+struct seccomp_filter;
+/**
+ * struct seccomp - the state of a seccomp'ed process
+ *
+ * @mode:  indicates one of the valid values above for controlled
+ *         system calls available to a process.
+ * @filter: The metadata and ruleset for determining what system calls
+ *          are allowed for a task.
+ *
+ *          @filter must only be accessed from the context of current as there
+ *          is no locking.
+ */
 struct seccomp {
        int mode;
+        struct seccomp_filter *filter;
 };
 extern void __secure_computing(int);
@@ -19,7 +72,7 @@ static inline void secure_computing(int this_syscall)
 }
 extern long prctl_get_seccomp(void);
-extern long prctl_set_seccomp(unsigned long);
+extern long prctl_set_seccomp(unsigned long, char __user *);
 static inline int seccomp_mode(struct seccomp *s)
 {
@@ -31,15 +84,16 @@ static inline int seccomp_mode(struct seccomp *s)
 #include <linux/errno.h>
 struct seccomp { };
+struct seccomp_filter { };
-#define secure_computing(x) do { } while (0)
+#define secure_computing(x) 0
 static inline long prctl_get_seccomp(void)
 {
        return -EINVAL;
 }
-static inline long prctl_set_seccomp(unsigned long arg2)
+static inline long prctl_set_seccomp(unsigned long arg2, char __user *arg3)
 {
        return -EINVAL;
 }
@@ -48,7 +102,21 @@ static inline int seccomp_mode(struct seccomp *s)
 {
        return 0;
 }
 #endif /* CONFIG_SECCOMP */
+#ifdef CONFIG_SECCOMP_FILTER
+extern void put_seccomp_filter(struct task_struct *tsk);
+extern void get_seccomp_filter(struct task_struct *tsk);
+extern u32 seccomp_bpf_load(int off);
+#else  /* CONFIG_SECCOMP_FILTER */
+static inline void put_seccomp_filter(struct task_struct *tsk)
+{
+        return;
+}
+static inline void get_seccomp_filter(struct task_struct *tsk)
+{
+        return;
+}
+#endif /* CONFIG_SECCOMP_FILTER */
+#endif /* __KERNEL__ */
 #endif /* _LINUX_SECCOMP_H */

diff --git a/include/linux/Kbuild b/include/linux/Kbuild index 3c9b616c834a..5c93d6c5d591 100644 --- a/include/linux/Kbuild +++ b/include/linux/Kbuild
@@ -332,6 +332,7 @@ header-y += scc.h
332	header-y += sched.h	332	header-y += sched.h
333	header-y += screen_info.h	333	header-y += screen_info.h
334	header-y += sdla.h	334	header-y += sdla.h
		335	header-y += seccomp.h
335	header-y += securebits.h	336	header-y += securebits.h
336	header-y += selinux_netlink.h	337	header-y += selinux_netlink.h
337	header-y += sem.h	338	header-y += sem.h


diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h index d61f27fcaa97..86bb68fc7683 100644 --- a/include/linux/seccomp.h +++ b/include/linux/seccomp.h
@@ -1,14 +1,67 @@
1	#ifndef _LINUX_SECCOMP_H	1	#ifndef _LINUX_SECCOMP_H
2	#define _LINUX_SECCOMP_H	2	#define _LINUX_SECCOMP_H
3		3
		4	#include <linux/compiler.h>
		5	#include <linux/types.h>
		6
		7
		8	/* Valid values for seccomp.mode and prctl(PR_SET_SECCOMP, <mode>) */
		9	#define SECCOMP_MODE_DISABLED 0 /* seccomp is not in use. */
		10	#define SECCOMP_MODE_STRICT 1 /* uses hard-coded filter. */
		11	#define SECCOMP_MODE_FILTER 2 /* uses user-supplied filter. */
		12
		13	/*
		14	* All BPF programs must return a 32-bit value.
		15	* The bottom 16-bits are reserved for future use.
		16	* The upper 16-bits are ordered from least permissive values to most.
		17	*
		18	* The ordering ensures that a min_t() over composed return values always
		19	* selects the least permissive choice.
		20	*/
		21	#define SECCOMP_RET_KILL 0x00000000U /* kill the task immediately */
		22	#define SECCOMP_RET_ALLOW 0x7fff0000U /* allow */
		23
		24	/* Masks for the return value sections. */
		25	#define SECCOMP_RET_ACTION 0x7fff0000U
		26	#define SECCOMP_RET_DATA 0x0000ffffU
		27
		28	/**
		29	* struct seccomp_data - the format the BPF program executes over.
		30	* @nr: the system call number
		31	* @arch: indicates system call convention as an AUDIT_ARCH_* value
		32	* as defined in <linux/audit.h>.
		33	* @instruction_pointer: at the time of the system call.
		34	* @args: up to 6 system call arguments always stored as 64-bit values
		35	* regardless of the architecture.
		36	*/
		37	struct seccomp_data {
		38	int nr;
		39	__u32 arch;
		40	__u64 instruction_pointer;
		41	__u64 args[6];
		42	};
4		43
		44	#ifdef __KERNEL__
5	#ifdef CONFIG_SECCOMP	45	#ifdef CONFIG_SECCOMP
6		46
7	#include <linux/thread_info.h>	47	#include <linux/thread_info.h>
8	#include <asm/seccomp.h>	48	#include <asm/seccomp.h>
9		49
		50	struct seccomp_filter;
		51	/**
		52	* struct seccomp - the state of a seccomp'ed process
		53	*
		54	* @mode: indicates one of the valid values above for controlled
		55	* system calls available to a process.
		56	* @filter: The metadata and ruleset for determining what system calls
		57	* are allowed for a task.
		58	*
		59	* @filter must only be accessed from the context of current as there
		60	* is no locking.
		61	*/
10	struct seccomp {	62	struct seccomp {
11	int mode;	63	int mode;
		64	struct seccomp_filter *filter;
12	};	65	};
13		66
14	extern void __secure_computing(int);	67	extern void __secure_computing(int);
@@ -19,7 +72,7 @@ static inline void secure_computing(int this_syscall)
19	}	72	}
20		73
21	extern long prctl_get_seccomp(void);	74	extern long prctl_get_seccomp(void);
22	extern long prctl_set_seccomp(unsigned long);	75	extern long prctl_set_seccomp(unsigned long, char __user *);
23		76
24	static inline int seccomp_mode(struct seccomp *s)	77	static inline int seccomp_mode(struct seccomp *s)
25	{	78	{
@@ -31,15 +84,16 @@ static inline int seccomp_mode(struct seccomp *s)
31	#include <linux/errno.h>	84	#include <linux/errno.h>
32		85
33	struct seccomp { };	86	struct seccomp { };
		87	struct seccomp_filter { };
34		88
35	#define secure_computing(x) do { } while (0)	89	#define secure_computing(x) 0
36		90
37	static inline long prctl_get_seccomp(void)	91	static inline long prctl_get_seccomp(void)
38	{	92	{
39	return -EINVAL;	93	return -EINVAL;
40	}	94	}
41		95
42	static inline long prctl_set_seccomp(unsigned long arg2)	96	static inline long prctl_set_seccomp(unsigned long arg2, char __user *arg3)
43	{	97	{
44	return -EINVAL;	98	return -EINVAL;
45	}	99	}
@@ -48,7 +102,21 @@ static inline int seccomp_mode(struct seccomp *s)
48	{	102	{
49	return 0;	103	return 0;
50	}	104	}
51
52	#endif /* CONFIG_SECCOMP */	105	#endif /* CONFIG_SECCOMP */
53		106
		107	#ifdef CONFIG_SECCOMP_FILTER
		108	extern void put_seccomp_filter(struct task_struct *tsk);
		109	extern void get_seccomp_filter(struct task_struct *tsk);
		110	extern u32 seccomp_bpf_load(int off);
		111	#else /* CONFIG_SECCOMP_FILTER */
		112	static inline void put_seccomp_filter(struct task_struct *tsk)
		113	{
		114	return;
		115	}
		116	static inline void get_seccomp_filter(struct task_struct *tsk)
		117	{
		118	return;
		119	}
		120	#endif /* CONFIG_SECCOMP_FILTER */
		121	#endif /* __KERNEL__ */
54	#endif /* _LINUX_SECCOMP_H */	122	#endif /* _LINUX_SECCOMP_H */