aboutsummaryrefslogtreecommitdiffstats
path: root/kernel/seccomp.c
diff options
context:
space:
mode:
Diffstat (limited to 'kernel/seccomp.c')
-rw-r--r--kernel/seccomp.c56
1 files changed, 56 insertions, 0 deletions
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
new file mode 100644
index 000000000000..c3391b6020e8
--- /dev/null
+++ b/kernel/seccomp.c
@@ -0,0 +1,56 @@
1/*
2 * linux/kernel/seccomp.c
3 *
4 * Copyright 2004-2005 Andrea Arcangeli <andrea@cpushare.com>
5 *
6 * This defines a simple but solid secure-computing mode.
7 */
8
9#include <linux/seccomp.h>
10#include <linux/sched.h>
11
12/* #define SECCOMP_DEBUG 1 */
13
14/*
15 * Secure computing mode 1 allows only read/write/exit/sigreturn.
16 * To be fully secure this must be combined with rlimit
17 * to limit the stack allocations too.
18 */
19static int mode1_syscalls[] = {
20 __NR_seccomp_read, __NR_seccomp_write, __NR_seccomp_exit, __NR_seccomp_sigreturn,
21 0, /* null terminated */
22};
23
24#ifdef TIF_32BIT
25static int mode1_syscalls_32[] = {
26 __NR_seccomp_read_32, __NR_seccomp_write_32, __NR_seccomp_exit_32, __NR_seccomp_sigreturn_32,
27 0, /* null terminated */
28};
29#endif
30
31void __secure_computing(int this_syscall)
32{
33 int mode = current->seccomp.mode;
34 int * syscall;
35
36 switch (mode) {
37 case 1:
38 syscall = mode1_syscalls;
39#ifdef TIF_32BIT
40 if (test_thread_flag(TIF_32BIT))
41 syscall = mode1_syscalls_32;
42#endif
43 do {
44 if (*syscall == this_syscall)
45 return;
46 } while (*++syscall);
47 break;
48 default:
49 BUG();
50 }
51
52#ifdef SECCOMP_DEBUG
53 dump_stack();
54#endif
55 do_exit(SIGKILL);
56}