Lines Matching +full:realm +full:-
1 // SPDX-License-Identifier: GPL-2.0
5 * Copyright 2004-2005 Andrea Arcangeli <andrea@cpushare.com>
10 * This defines a simple but solid secure-computing facility.
13 * Mode 2 allows user-defined system call filters in the form
103 * struct seccomp_kaddfd - container for seccomp_addfd ioctl messages
106 * @fd: The fd number to install it at. If the fd number is -1, it means the
136 * struct notification - container for seccomp userspace notifications. Since
138 * structure is fairly large, we store the notification-specific stuff in a
143 * filter->notify_lock.
158 * struct action_cache - per-filter cache of seccomp actions per
189 * struct seccomp_filter - container for seccomp BPF programs
198 * and once for the dependent filter (tracked in filter->prev).
211 * @notify_lock: A lock for all notification-related accesses.
215 * pointer. For any task, it appears to be a singly-linked list starting
216 * with current->seccomp.filter, the most recently attached or inherited filter.
254 sd->nr = syscall_get_nr(task, regs); in populate_seccomp_data()
255 sd->arch = syscall_get_arch(task); in populate_seccomp_data()
257 sd->args[0] = args[0]; in populate_seccomp_data()
258 sd->args[1] = args[1]; in populate_seccomp_data()
259 sd->args[2] = args[2]; in populate_seccomp_data()
260 sd->args[3] = args[3]; in populate_seccomp_data()
261 sd->args[4] = args[4]; in populate_seccomp_data()
262 sd->args[5] = args[5]; in populate_seccomp_data()
263 sd->instruction_pointer = KSTK_EIP(task); in populate_seccomp_data()
267 * seccomp_check_filter - verify seccomp filter code
276 * Returns 0 if the rule set is legal or -EINVAL if not.
283 u16 code = ftest->code; in seccomp_check_filter()
284 u32 k = ftest->k; in seccomp_check_filter()
288 ftest->code = BPF_LDX | BPF_W | BPF_ABS; in seccomp_check_filter()
289 /* 32-bit aligned and not out of bounds. */ in seccomp_check_filter()
291 return -EINVAL; in seccomp_check_filter()
294 ftest->code = BPF_LD | BPF_IMM; in seccomp_check_filter()
295 ftest->k = sizeof(struct seccomp_data); in seccomp_check_filter()
298 ftest->code = BPF_LDX | BPF_IMM; in seccomp_check_filter()
299 ftest->k = sizeof(struct seccomp_data); in seccomp_check_filter()
342 return -EINVAL; in seccomp_check_filter()
361 * seccomp_cache_check_allow - lookup seccomp cache
370 int syscall_nr = sd->nr; in seccomp_cache_check_allow()
371 const struct action_cache *cache = &sfilter->cache; in seccomp_cache_check_allow()
374 /* A native-only architecture doesn't need to check sd->arch. */ in seccomp_cache_check_allow()
375 return seccomp_cache_check_allow_bitmap(cache->allow_native, in seccomp_cache_check_allow()
379 if (likely(sd->arch == SECCOMP_ARCH_NATIVE)) in seccomp_cache_check_allow()
380 return seccomp_cache_check_allow_bitmap(cache->allow_native, in seccomp_cache_check_allow()
383 if (likely(sd->arch == SECCOMP_ARCH_COMPAT)) in seccomp_cache_check_allow()
384 return seccomp_cache_check_allow_bitmap(cache->allow_compat, in seccomp_cache_check_allow()
396 * seccomp_run_filters - evaluates all seccomp filters against @sd
408 /* Make sure cross-thread synced filter points somewhere sane. */ in seccomp_run_filters()
410 READ_ONCE(current->seccomp.filter); in seccomp_run_filters()
423 for (; f; f = f->prev) { in seccomp_run_filters()
424 u32 cur_ret = bpf_prog_run_pin_on_cpu(f->prog, sd); in seccomp_run_filters()
437 assert_spin_locked(¤t->sighand->siglock); in seccomp_may_assign_mode()
439 if (current->seccomp.mode && current->seccomp.mode != seccomp_mode) in seccomp_may_assign_mode()
451 assert_spin_locked(&task->sighand->siglock); in seccomp_assign_mode()
453 task->seccomp.mode = seccomp_mode; in seccomp_assign_mode()
473 for (; child; child = child->prev) in is_ancestor()
484 * Returns 0 on success, -ve on error, or the pid of a thread which was
492 BUG_ON(!mutex_is_locked(¤t->signal->cred_guard_mutex)); in seccomp_can_sync_threads()
493 assert_spin_locked(¤t->sighand->siglock); in seccomp_can_sync_threads()
504 if (thread->flags & PF_EXITING) in seccomp_can_sync_threads()
507 if (thread->seccomp.mode == SECCOMP_MODE_DISABLED || in seccomp_can_sync_threads()
508 (thread->seccomp.mode == SECCOMP_MODE_FILTER && in seccomp_can_sync_threads()
509 is_ancestor(thread->seccomp.filter, in seccomp_can_sync_threads()
510 caller->seccomp.filter))) in seccomp_can_sync_threads()
515 /* If the pid cannot be resolved, then return -ESRCH */ in seccomp_can_sync_threads()
517 failed = -ESRCH; in seccomp_can_sync_threads()
527 bpf_prog_destroy(filter->prog); in seccomp_filter_free()
534 while (orig && refcount_dec_and_test(&orig->users)) { in __seccomp_filter_orphan()
535 if (waitqueue_active(&orig->wqh)) in __seccomp_filter_orphan()
536 wake_up_poll(&orig->wqh, EPOLLHUP); in __seccomp_filter_orphan()
537 orig = orig->prev; in __seccomp_filter_orphan()
543 /* Clean up single-reference branches iteratively. */ in __put_seccomp_filter()
544 while (orig && refcount_dec_and_test(&orig->refs)) { in __put_seccomp_filter()
546 orig = orig->prev; in __put_seccomp_filter()
560 * seccomp_filter_release - Detach the task from its filter tree,
574 if (WARN_ON((tsk->flags & PF_EXITING) == 0)) in seccomp_filter_release()
577 if (READ_ONCE(tsk->seccomp.filter) == NULL) in seccomp_filter_release()
580 spin_lock_irq(&tsk->sighand->siglock); in seccomp_filter_release()
581 orig = tsk->seccomp.filter; in seccomp_filter_release()
583 tsk->seccomp.filter = NULL; in seccomp_filter_release()
584 spin_unlock_irq(&tsk->sighand->siglock); in seccomp_filter_release()
602 BUG_ON(!mutex_is_locked(¤t->signal->cred_guard_mutex)); in seccomp_sync_threads()
603 assert_spin_locked(¤t->sighand->siglock); in seccomp_sync_threads()
609 if (current->signal->flags & SIGNAL_GROUP_EXIT) in seccomp_sync_threads()
623 if (thread->flags & PF_EXITING) in seccomp_sync_threads()
634 __seccomp_filter_release(thread->seccomp.filter); in seccomp_sync_threads()
637 smp_store_release(&thread->seccomp.filter, in seccomp_sync_threads()
638 caller->seccomp.filter); in seccomp_sync_threads()
639 atomic_set(&thread->seccomp.filter_count, in seccomp_sync_threads()
640 atomic_read(&caller->seccomp.filter_count)); in seccomp_sync_threads()
653 * As threads are considered to be trust-realm in seccomp_sync_threads()
657 if (thread->seccomp.mode == SECCOMP_MODE_DISABLED) in seccomp_sync_threads()
680 if (fprog->len == 0 || fprog->len > BPF_MAXINSNS) in seccomp_prepare_filter()
681 return ERR_PTR(-EINVAL); in seccomp_prepare_filter()
683 BUG_ON(INT_MAX / fprog->len < sizeof(struct sock_filter)); in seccomp_prepare_filter()
693 return ERR_PTR(-EACCES); in seccomp_prepare_filter()
698 return ERR_PTR(-ENOMEM); in seccomp_prepare_filter()
700 mutex_init(&sfilter->notify_lock); in seccomp_prepare_filter()
701 ret = bpf_prog_create_from_user(&sfilter->prog, fprog, in seccomp_prepare_filter()
708 refcount_set(&sfilter->refs, 1); in seccomp_prepare_filter()
709 refcount_set(&sfilter->users, 1); in seccomp_prepare_filter()
710 init_waitqueue_head(&sfilter->wqh); in seccomp_prepare_filter()
716 * seccomp_prepare_user_filter - prepares a user-supplied sock_fprog
719 * Returns 0 on success and non-zero otherwise.
725 struct seccomp_filter *filter = ERR_PTR(-EFAULT); in seccomp_prepare_user_filter()
745 * seccomp_is_const_allow - check if filter is constant allow with given data
763 if (sd->arch == SECCOMP_ARCH_NATIVE) in seccomp_is_const_allow()
765 if (sd->nr == __NR_uretprobe) in seccomp_is_const_allow()
769 for (pc = 0; pc < fprog->len; pc++) { in seccomp_is_const_allow()
770 struct sock_filter *insn = &fprog->filter[pc]; in seccomp_is_const_allow()
771 u16 code = insn->code; in seccomp_is_const_allow()
772 u32 k = insn->k; in seccomp_is_const_allow()
778 reg_value = sd->nr; in seccomp_is_const_allow()
781 reg_value = sd->arch; in seccomp_is_const_allow()
784 /* can't optimize (non-constant value load) */ in seccomp_is_const_allow()
792 pc += insn->k; in seccomp_is_const_allow()
816 pc += op_res ? insn->jt : insn->jf; in seccomp_is_const_allow()
836 struct sock_fprog_kern *fprog = sfilter->prog->orig_prog; in seccomp_cache_prepare_bitmap()
869 * seccomp_cache_prepare - emulate the filter to find cacheable syscalls
872 * Returns 0 if successful or -errno if error occurred.
876 struct action_cache *cache = &sfilter->cache; in seccomp_cache_prepare()
878 sfilter->prev ? &sfilter->prev->cache : NULL; in seccomp_cache_prepare()
880 seccomp_cache_prepare_bitmap(sfilter, cache->allow_native, in seccomp_cache_prepare()
881 cache_prev ? cache_prev->allow_native : NULL, in seccomp_cache_prepare()
886 seccomp_cache_prepare_bitmap(sfilter, cache->allow_compat, in seccomp_cache_prepare()
887 cache_prev ? cache_prev->allow_compat : NULL, in seccomp_cache_prepare()
899 * Caller must be holding current->sighand->siglock lock.
901 * Returns 0 on success, -ve on error, or
902 * - in TSYNC mode: the pid of a thread which was either not in the correct
904 * - in NEW_LISTENER mode: the fd of the new listener
912 assert_spin_locked(¤t->sighand->siglock); in seccomp_attach_filter()
915 total_insns = filter->prog->len; in seccomp_attach_filter()
916 for (walker = current->seccomp.filter; walker; walker = walker->prev) in seccomp_attach_filter()
917 total_insns += walker->prog->len + 4; /* 4 instr penalty */ in seccomp_attach_filter()
919 return -ENOMEM; in seccomp_attach_filter()
928 return -ESRCH; in seccomp_attach_filter()
936 filter->log = true; in seccomp_attach_filter()
940 filter->wait_killable_recv = true; in seccomp_attach_filter()
946 filter->prev = current->seccomp.filter; in seccomp_attach_filter()
948 current->seccomp.filter = filter; in seccomp_attach_filter()
949 atomic_inc(¤t->seccomp.filter_count); in seccomp_attach_filter()
960 refcount_inc(&filter->refs); in __get_seccomp_filter()
963 /* get_seccomp_filter - increments the reference count of the filter on @tsk */
966 struct seccomp_filter *orig = tsk->seccomp.filter; in get_seccomp_filter()
970 refcount_inc(&orig->users); in get_seccomp_filter()
1046 -1, /* negative terminated */
1059 } while (*++allowed_syscalls != -1); in __secure_computing_strict()
1064 current->seccomp.mode = SECCOMP_MODE_DEAD; in __secure_computing_strict()
1072 int mode = current->seccomp.mode; in secure_computing_strict()
1075 unlikely(current->ptrace & PT_SUSPEND_SECCOMP)) in secure_computing_strict()
1101 lockdep_assert_held(&filter->notify_lock); in seccomp_next_notify_id()
1102 return filter->notif->next_id++; in seccomp_next_notify_id()
1113 list_del_init(&addfd->list); in seccomp_handle_addfd()
1114 if (!addfd->setfd) in seccomp_handle_addfd()
1115 fd = receive_fd(addfd->file, NULL, addfd->flags); in seccomp_handle_addfd()
1117 fd = receive_fd_replace(addfd->fd, addfd->file, addfd->flags); in seccomp_handle_addfd()
1118 addfd->ret = fd; in seccomp_handle_addfd()
1120 if (addfd->ioctl_flags & SECCOMP_ADDFD_FLAG_SEND) { in seccomp_handle_addfd()
1123 n->state = SECCOMP_NOTIFY_SENT; in seccomp_handle_addfd()
1126 n->flags = 0; in seccomp_handle_addfd()
1127 n->error = 0; in seccomp_handle_addfd()
1128 n->val = fd; in seccomp_handle_addfd()
1136 complete(&addfd->completion); in seccomp_handle_addfd()
1142 return match->wait_killable_recv && n->state == SECCOMP_NOTIFY_SENT; in should_sleep_killable()
1155 mutex_lock(&match->notify_lock); in seccomp_do_user_notification()
1156 err = -ENOSYS; in seccomp_do_user_notification()
1157 if (!match->notif) in seccomp_do_user_notification()
1165 list_add_tail(&n.list, &match->notif->notifications); in seccomp_do_user_notification()
1168 atomic_inc(&match->notif->requests); in seccomp_do_user_notification()
1169 if (match->notif->flags & SECCOMP_USER_NOTIF_FD_SYNC_WAKE_UP) in seccomp_do_user_notification()
1170 wake_up_poll_on_current_cpu(&match->wqh, EPOLLIN | EPOLLRDNORM); in seccomp_do_user_notification()
1172 wake_up_poll(&match->wqh, EPOLLIN | EPOLLRDNORM); in seccomp_do_user_notification()
1180 mutex_unlock(&match->notify_lock); in seccomp_do_user_notification()
1185 mutex_lock(&match->notify_lock); in seccomp_do_user_notification()
1214 addfd->ret = -ESRCH; in seccomp_do_user_notification()
1215 list_del_init(&addfd->list); in seccomp_do_user_notification()
1216 complete(&addfd->completion); in seccomp_do_user_notification()
1222 * re-acquire the lock, so only delete from the list if the in seccomp_do_user_notification()
1229 if (match->notif) in seccomp_do_user_notification()
1232 mutex_unlock(&match->notify_lock); in seccomp_do_user_notification()
1240 return -1; in seccomp_do_user_notification()
1264 /* Set low-order bits as an errno, capped at MAX_ERRNO. */ in __seccomp_filter()
1268 -data, 0); in __seccomp_filter()
1287 -ENOSYS, 0); in __seccomp_filter()
1317 return -1; in __seccomp_filter()
1342 current->seccomp.mode = SECCOMP_MODE_DEAD; in __seccomp_filter()
1346 (atomic_read(¤t->signal->live) == 1)) { in __seccomp_filter()
1354 return -1; /* skip the syscall go directly to signal handling */ in __seccomp_filter()
1360 seccomp_log(this_syscall, 0, action, match ? match->log : false); in __seccomp_filter()
1361 return -1; in __seccomp_filter()
1368 return -1; in __seccomp_filter()
1374 int mode = current->seccomp.mode; in __secure_computing()
1378 unlikely(current->ptrace & PT_SUSPEND_SECCOMP)) in __secure_computing()
1393 return -1; in __secure_computing()
1402 return current->seccomp.mode; in prctl_get_seccomp()
1408 * Once current->seccomp.mode is non-zero, it may not be changed.
1410 * Returns 0 on success or -EINVAL on failure.
1415 long ret = -EINVAL; in seccomp_set_mode_strict()
1417 spin_lock_irq(¤t->sighand->siglock); in seccomp_set_mode_strict()
1429 spin_unlock_irq(¤t->sighand->siglock); in seccomp_set_mode_strict()
1437 kfree(filter->notif); in seccomp_notify_free()
1438 filter->notif = NULL; in seccomp_notify_free()
1448 mutex_lock(&filter->notify_lock); in seccomp_notify_detach()
1454 list_for_each_entry(knotif, &filter->notif->notifications, list) { in seccomp_notify_detach()
1455 if (knotif->state == SECCOMP_NOTIFY_REPLIED) in seccomp_notify_detach()
1458 knotif->state = SECCOMP_NOTIFY_REPLIED; in seccomp_notify_detach()
1459 knotif->error = -ENOSYS; in seccomp_notify_detach()
1460 knotif->val = 0; in seccomp_notify_detach()
1467 complete(&knotif->ready); in seccomp_notify_detach()
1471 mutex_unlock(&filter->notify_lock); in seccomp_notify_detach()
1476 struct seccomp_filter *filter = file->private_data; in seccomp_notify_release()
1489 lockdep_assert_held(&filter->notify_lock); in find_notification()
1491 list_for_each_entry(cur, &filter->notif->notifications, list) { in find_notification()
1492 if (cur->id == id) in find_notification()
1513 if (refcount_read(&filter->users) == 0) in recv_wait_event()
1516 if (atomic_dec_if_positive(&filter->notif->requests) >= 0) in recv_wait_event()
1520 ret = prepare_to_wait_event(&filter->wqh, &wait, TASK_INTERRUPTIBLE); in recv_wait_event()
1522 if (atomic_dec_if_positive(&filter->notif->requests) >= 0) in recv_wait_event()
1524 if (refcount_read(&filter->users) == 0) in recv_wait_event()
1532 finish_wait(&filter->wqh, &wait); in recv_wait_event()
1548 return -EINVAL; in seccomp_notify_recv()
1556 mutex_lock(&filter->notify_lock); in seccomp_notify_recv()
1557 list_for_each_entry(cur, &filter->notif->notifications, list) { in seccomp_notify_recv()
1558 if (cur->state == SECCOMP_NOTIFY_INIT) { in seccomp_notify_recv()
1570 ret = -ENOENT; in seccomp_notify_recv()
1574 unotif.id = knotif->id; in seccomp_notify_recv()
1575 unotif.pid = task_pid_vnr(knotif->task); in seccomp_notify_recv()
1576 unotif.data = *(knotif->data); in seccomp_notify_recv()
1578 knotif->state = SECCOMP_NOTIFY_SENT; in seccomp_notify_recv()
1579 wake_up_poll(&filter->wqh, EPOLLOUT | EPOLLWRNORM); in seccomp_notify_recv()
1582 mutex_unlock(&filter->notify_lock); in seccomp_notify_recv()
1585 ret = -EFAULT; in seccomp_notify_recv()
1593 mutex_lock(&filter->notify_lock); in seccomp_notify_recv()
1598 complete(&knotif->ready); in seccomp_notify_recv()
1599 knotif->state = SECCOMP_NOTIFY_INIT; in seccomp_notify_recv()
1600 atomic_inc(&filter->notif->requests); in seccomp_notify_recv()
1601 wake_up_poll(&filter->wqh, EPOLLIN | EPOLLRDNORM); in seccomp_notify_recv()
1603 mutex_unlock(&filter->notify_lock); in seccomp_notify_recv()
1617 return -EFAULT; in seccomp_notify_send()
1620 return -EINVAL; in seccomp_notify_send()
1624 return -EINVAL; in seccomp_notify_send()
1626 ret = mutex_lock_interruptible(&filter->notify_lock); in seccomp_notify_send()
1632 ret = -ENOENT; in seccomp_notify_send()
1637 if (knotif->state != SECCOMP_NOTIFY_SENT) { in seccomp_notify_send()
1638 ret = -EINPROGRESS; in seccomp_notify_send()
1643 knotif->state = SECCOMP_NOTIFY_REPLIED; in seccomp_notify_send()
1644 knotif->error = resp.error; in seccomp_notify_send()
1645 knotif->val = resp.val; in seccomp_notify_send()
1646 knotif->flags = resp.flags; in seccomp_notify_send()
1647 if (filter->notif->flags & SECCOMP_USER_NOTIF_FD_SYNC_WAKE_UP) in seccomp_notify_send()
1648 complete_on_current_cpu(&knotif->ready); in seccomp_notify_send()
1650 complete(&knotif->ready); in seccomp_notify_send()
1652 mutex_unlock(&filter->notify_lock); in seccomp_notify_send()
1664 return -EFAULT; in seccomp_notify_id_valid()
1666 ret = mutex_lock_interruptible(&filter->notify_lock); in seccomp_notify_id_valid()
1671 if (knotif && knotif->state == SECCOMP_NOTIFY_SENT) in seccomp_notify_id_valid()
1674 ret = -ENOENT; in seccomp_notify_id_valid()
1676 mutex_unlock(&filter->notify_lock); in seccomp_notify_id_valid()
1686 return -EINVAL; in seccomp_notify_set_flags()
1688 ret = mutex_lock_interruptible(&filter->notify_lock); in seccomp_notify_set_flags()
1691 filter->notif->flags = flags; in seccomp_notify_set_flags()
1692 mutex_unlock(&filter->notify_lock); in seccomp_notify_set_flags()
1709 return -EINVAL; in seccomp_notify_addfd()
1716 return -EINVAL; in seccomp_notify_addfd()
1719 return -EINVAL; in seccomp_notify_addfd()
1722 return -EINVAL; in seccomp_notify_addfd()
1726 return -EBADF; in seccomp_notify_addfd()
1734 ret = mutex_lock_interruptible(&filter->notify_lock); in seccomp_notify_addfd()
1740 ret = -ENOENT; in seccomp_notify_addfd()
1749 if (knotif->state != SECCOMP_NOTIFY_SENT) { in seccomp_notify_addfd()
1750 ret = -EINPROGRESS; in seccomp_notify_addfd()
1760 * the loop on the other side straight-forward. in seccomp_notify_addfd()
1762 if (!list_empty(&knotif->addfd)) { in seccomp_notify_addfd()
1763 ret = -EBUSY; in seccomp_notify_addfd()
1768 knotif->state = SECCOMP_NOTIFY_REPLIED; in seccomp_notify_addfd()
1771 list_add(&kaddfd.list, &knotif->addfd); in seccomp_notify_addfd()
1772 complete(&knotif->ready); in seccomp_notify_addfd()
1773 mutex_unlock(&filter->notify_lock); in seccomp_notify_addfd()
1789 mutex_lock(&filter->notify_lock); in seccomp_notify_addfd()
1803 mutex_unlock(&filter->notify_lock); in seccomp_notify_addfd()
1813 struct seccomp_filter *filter = file->private_data; in seccomp_notify_ioctl()
1816 /* Fixed-size ioctls */ in seccomp_notify_ioctl()
1835 return -EINVAL; in seccomp_notify_ioctl()
1842 struct seccomp_filter *filter = file->private_data; in seccomp_notify_poll()
1846 poll_wait(file, &filter->wqh, poll_tab); in seccomp_notify_poll()
1848 if (mutex_lock_interruptible(&filter->notify_lock) < 0) in seccomp_notify_poll()
1851 list_for_each_entry(cur, &filter->notif->notifications, list) { in seccomp_notify_poll()
1852 if (cur->state == SECCOMP_NOTIFY_INIT) in seccomp_notify_poll()
1854 if (cur->state == SECCOMP_NOTIFY_SENT) in seccomp_notify_poll()
1860 mutex_unlock(&filter->notify_lock); in seccomp_notify_poll()
1862 if (refcount_read(&filter->users) == 0) in seccomp_notify_poll()
1879 ret = ERR_PTR(-ENOMEM); in init_listener()
1880 filter->notif = kzalloc(sizeof(*(filter->notif)), GFP_KERNEL); in init_listener()
1881 if (!filter->notif) in init_listener()
1884 filter->notif->next_id = get_random_u64(); in init_listener()
1885 INIT_LIST_HEAD(&filter->notif->notifications); in init_listener()
1908 * we use current->seccomp.filter.
1915 lockdep_assert_held(¤t->sighand->siglock); in has_duplicate_listener()
1917 if (!new_child->notif) in has_duplicate_listener()
1919 for (cur = current->seccomp.filter; cur; cur = cur->prev) { in has_duplicate_listener()
1920 if (cur->notif) in has_duplicate_listener()
1936 * Once current->seccomp.mode is non-zero, it may not be changed.
1938 * Returns 0 on success or -EINVAL on failure.
1945 long ret = -EINVAL; in seccomp_set_mode_filter()
1946 int listener = -1; in seccomp_set_mode_filter()
1951 return -EINVAL; in seccomp_set_mode_filter()
1963 return -EINVAL; in seccomp_set_mode_filter()
1971 return -EINVAL; in seccomp_set_mode_filter()
1998 mutex_lock_killable(¤t->signal->cred_guard_mutex)) in seccomp_set_mode_filter()
2001 spin_lock_irq(¤t->sighand->siglock); in seccomp_set_mode_filter()
2007 ret = -EBUSY; in seccomp_set_mode_filter()
2019 spin_unlock_irq(¤t->sighand->siglock); in seccomp_set_mode_filter()
2021 mutex_unlock(¤t->signal->cred_guard_mutex); in seccomp_set_mode_filter()
2025 listener_f->private_data = NULL; in seccomp_set_mode_filter()
2042 return -EINVAL; in seccomp_set_mode_filter()
2051 return -EFAULT; in seccomp_get_action_avail()
2064 return -EOPNOTSUPP; in seccomp_get_action_avail()
2079 return -EFAULT; in seccomp_get_notif_sizes()
2091 return -EINVAL; in do_seccomp()
2097 return -EINVAL; in do_seccomp()
2102 return -EINVAL; in do_seccomp()
2106 return -EINVAL; in do_seccomp()
2117 * prctl_set_seccomp: configures current->seccomp.mode
2121 * Returns 0 on success or -EINVAL on failure.
2143 return -EINVAL; in prctl_set_seccomp()
2161 spin_lock_irq(&task->sighand->siglock); in get_nth_filter()
2163 if (task->seccomp.mode != SECCOMP_MODE_FILTER) { in get_nth_filter()
2164 spin_unlock_irq(&task->sighand->siglock); in get_nth_filter()
2165 return ERR_PTR(-EINVAL); in get_nth_filter()
2168 orig = task->seccomp.filter; in get_nth_filter()
2170 spin_unlock_irq(&task->sighand->siglock); in get_nth_filter()
2173 for (filter = orig; filter; filter = filter->prev) in get_nth_filter()
2177 filter = ERR_PTR(-ENOENT); in get_nth_filter()
2181 count -= filter_off; in get_nth_filter()
2182 for (filter = orig; filter && count > 1; filter = filter->prev) in get_nth_filter()
2183 count--; in get_nth_filter()
2186 filter = ERR_PTR(-ENOENT); in get_nth_filter()
2205 current->seccomp.mode != SECCOMP_MODE_DISABLED) { in seccomp_get_filter()
2206 return -EACCES; in seccomp_get_filter()
2213 fprog = filter->prog->orig_prog; in seccomp_get_filter()
2215 /* This must be a new non-cBPF filter, since we save in seccomp_get_filter()
2219 ret = -EMEDIUMTYPE; in seccomp_get_filter()
2223 ret = fprog->len; in seccomp_get_filter()
2227 if (copy_to_user(data, fprog->filter, bpf_classic_proglen(fprog))) in seccomp_get_filter()
2228 ret = -EFAULT; in seccomp_get_filter()
2243 current->seccomp.mode != SECCOMP_MODE_DISABLED) { in seccomp_get_metadata()
2244 return -EACCES; in seccomp_get_metadata()
2250 return -EINVAL; in seccomp_get_metadata()
2253 return -EFAULT; in seccomp_get_metadata()
2259 if (filter->log) in seccomp_get_metadata()
2264 ret = -EFAULT; in seccomp_get_metadata()
2317 for (cur = seccomp_log_names; cur->name && size; cur++) { in seccomp_names_from_actions_logged()
2320 if (!(actions_logged & cur->log)) in seccomp_names_from_actions_logged()
2329 size -= ret; in seccomp_names_from_actions_logged()
2333 ret = strscpy(names, cur->name, size); in seccomp_names_from_actions_logged()
2338 size -= ret; in seccomp_names_from_actions_logged()
2349 for (cur = seccomp_log_names; cur->name; cur++) { in seccomp_action_logged_from_name()
2350 if (!strcmp(cur->name, name)) { in seccomp_action_logged_from_name()
2351 *action_logged = cur->log; in seccomp_action_logged_from_name()
2386 return -EINVAL; in read_actions_logged()
2402 return -EPERM; in write_actions_logged()
2414 return -EINVAL; in write_actions_logged()
2417 return -EINVAL; in write_actions_logged()
2524 if (!file_ns_capable(m->file, &init_user_ns, CAP_SYS_ADMIN)) in proc_pid_seccomp_cache()
2525 return -EACCES; in proc_pid_seccomp_cache()
2528 return -ESRCH; in proc_pid_seccomp_cache()
2530 f = READ_ONCE(task->seccomp.filter); in proc_pid_seccomp_cache()
2541 f->cache.allow_native, in proc_pid_seccomp_cache()
2546 f->cache.allow_compat, in proc_pid_seccomp_cache()