/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */
/*
 * Userspace ABI for seccomp: prctl/seccomp(2) modes and operations, filter
 * flags, the 32-bit action values a BPF filter returns, and the structures
 * and ioctls of the user-notification listener.
 */
#ifndef _UAPI_LINUX_SECCOMP_H
#define _UAPI_LINUX_SECCOMP_H

#include <linux/compiler.h>
#include <linux/types.h>


/* Valid values for seccomp.mode and prctl(PR_SET_SECCOMP, <mode>) */
#define SECCOMP_MODE_DISABLED	0 /* seccomp is not in use. */
#define SECCOMP_MODE_STRICT	1 /* uses hard-coded filter. */
#define SECCOMP_MODE_FILTER	2 /* uses user-supplied filter. */

/* Valid operations for seccomp syscall. */
#define SECCOMP_SET_MODE_STRICT		0
#define SECCOMP_SET_MODE_FILTER		1
#define SECCOMP_GET_ACTION_AVAIL	2
#define SECCOMP_GET_NOTIF_SIZES		3 /* see struct seccomp_notif_sizes below */

/*
 * Valid flags for SECCOMP_SET_MODE_FILTER
 *
 * NOTE(review): these are distinct bit namespaces from the
 * SECCOMP_USER_NOTIF_FLAG_* and SECCOMP_ADDFD_FLAG_* values further down,
 * even though several share the same numeric bit; do not mix them.
 */
#define SECCOMP_FILTER_FLAG_TSYNC		(1UL << 0)
#define SECCOMP_FILTER_FLAG_LOG			(1UL << 1)
/* presumably relaxes speculation mitigations for the filtered task — confirm against kernel docs */
#define SECCOMP_FILTER_FLAG_SPEC_ALLOW		(1UL << 2)
#define SECCOMP_FILTER_FLAG_NEW_LISTENER	(1UL << 3)
#define SECCOMP_FILTER_FLAG_TSYNC_ESRCH		(1UL << 4)
/* Received notifications wait in killable state (only respond to fatal signals) */
#define SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV	(1UL << 5)

/*
 * All BPF programs must return a 32-bit value.
 * The bottom 16-bits are for optional return data.
 * The upper 16-bits are ordered from least permissive values to most,
 * as a signed value (so 0x80000000, SECCOMP_RET_KILL_PROCESS, is negative).
 *
 * The ordering ensures that a min_t() over composed return values always
 * selects the least permissive choice.
 */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U /* kill the process */
#define SECCOMP_RET_KILL_THREAD	 0x00000000U /* kill the thread */
#define SECCOMP_RET_KILL	 SECCOMP_RET_KILL_THREAD /* legacy name; the thread, not the process */
#define SECCOMP_RET_TRAP	 0x00030000U /* disallow and force a SIGSYS */
#define SECCOMP_RET_ERRNO	 0x00050000U /* returns an errno */
#define SECCOMP_RET_USER_NOTIF	 0x7fc00000U /* notifies userspace */
#define SECCOMP_RET_TRACE	 0x7ff00000U /* pass to a tracer or disallow */
#define SECCOMP_RET_LOG		 0x7ffc0000U /* allow after logging */
#define SECCOMP_RET_ALLOW	 0x7fff0000U /* allow */

/*
 * Masks for the return value sections.
 *
 * SECCOMP_RET_ACTION_FULL keeps the sign bit; SECCOMP_RET_ACTION drops it,
 * so (SECCOMP_RET_KILL_PROCESS & SECCOMP_RET_ACTION) == SECCOMP_RET_KILL_THREAD.
 * Code that classifies an action must use SECCOMP_RET_ACTION_FULL or it will
 * misreport a process kill as a thread kill.
 */
#define SECCOMP_RET_ACTION_FULL	0xffff0000U
#define SECCOMP_RET_ACTION	0x7fff0000U
#define SECCOMP_RET_DATA	0x0000ffffU

/**
 * struct seccomp_data - the format the BPF program executes over.
 * @nr: the system call number
 * @arch: indicates system call convention as an AUDIT_ARCH_* value
 *        as defined in <linux/audit.h>.
 * @instruction_pointer: at the time of the system call.
 * @args: up to 6 system call arguments always stored as 64-bit values
 *        regardless of the architecture.
 *
 * Only these scalar values are visible to the filter; memory that an
 * argument points to is not part of this structure and so cannot be
 * inspected by a filter.
 */
struct seccomp_data {
	int nr;
	__u32 arch;
	__u64 instruction_pointer;
	__u64 args[6];
};

/*
 * Sizes of the three notification-related structures as the running kernel
 * defines them; presumably filled in by the SECCOMP_GET_NOTIF_SIZES
 * operation above so that userspace built against a different header can
 * allocate correctly sized buffers — confirm against the kernel.
 */
struct seccomp_notif_sizes {
	__u16 seccomp_notif;
	__u16 seccomp_notif_resp;
	__u16 seccomp_data;
};

/*
 * One notification delivered to the listener fd (SECCOMP_IOCTL_NOTIF_RECV).
 * @id is the cookie that SECCOMP_IOCTL_NOTIF_ID_VALID and the response
 * structures refer to; @pid is presumably the notifying task — NOTE(review):
 * a pid alone does not prove the request is still live, so check @id with
 * SECCOMP_IOCTL_NOTIF_ID_VALID before acting on pid-derived state.
 * @flags has no values defined in this header.
 */
struct seccomp_notif {
	__u64 id;
	__u32 pid;
	__u32 flags;
	struct seccomp_data data;
};

/*
 * Valid flags for struct seccomp_notif_resp
 *
 * Note, the SECCOMP_USER_NOTIF_FLAG_CONTINUE flag must be used with caution!
 * If set by the process supervising the syscalls of another process the
 * syscall will continue. This is problematic because of an inherent TOCTOU.
 * An attacker can exploit the time while the supervised process is waiting on
 * a response from the supervising process to rewrite syscall arguments which
 * are passed as pointers of the intercepted syscall.
 * It should be absolutely clear that this means that the seccomp notifier
 * _cannot_ be used to implement a security policy! It should only ever be used
 * in scenarios where a more privileged process supervises the syscalls of a
 * lesser privileged process to get around kernel-enforced security
 * restrictions when the privileged process deems this safe. In other words,
 * in order to continue a syscall the supervising process should be sure that
 * another security mechanism or the kernel itself will sufficiently block
 * syscalls if arguments are rewritten to something unsafe.
 *
 * Similar precautions should be applied when stacking SECCOMP_RET_USER_NOTIF
 * or SECCOMP_RET_TRACE. For SECCOMP_RET_USER_NOTIF filters acting on the
 * same syscall, the most recently added filter takes precedence. This means
 * that the new SECCOMP_RET_USER_NOTIF filter can override any
 * SECCOMP_IOCTL_NOTIF_SEND from earlier filters, essentially allowing all
 * such filtered syscalls to be executed by sending the response
 * SECCOMP_USER_NOTIF_FLAG_CONTINUE. Note that SECCOMP_RET_TRACE can equally
 * be overridden by SECCOMP_USER_NOTIF_FLAG_CONTINUE.
 */
#define SECCOMP_USER_NOTIF_FLAG_CONTINUE (1UL << 0)

/*
 * Supervisor's answer to a notification (SECCOMP_IOCTL_NOTIF_SEND).
 * @id must match the seccomp_notif being answered. @error and @val are
 * presumably the errno and return value handed back to the supervised task
 * (unless @flags carries SECCOMP_USER_NOTIF_FLAG_CONTINUE, see above) —
 * confirm the exact precedence between the two against the kernel.
 */
struct seccomp_notif_resp {
	__u64 id;
	__s64 val;
	__s32 error;
	__u32 flags;
};

/*
 * Presumably the flag value accepted by SECCOMP_IOCTL_NOTIF_SET_FLAGS below
 * (which takes a __u64); its semantics are not described in this header —
 * confirm against the kernel before relying on it.
 */
#define SECCOMP_USER_NOTIF_FD_SYNC_WAKE_UP (1UL << 0)

/* valid flags for seccomp_notif_addfd */
#define SECCOMP_ADDFD_FLAG_SETFD	(1UL << 0) /* Specify remote fd */
#define SECCOMP_ADDFD_FLAG_SEND		(1UL << 1) /* Addfd and return it, atomically */

/**
 * struct seccomp_notif_addfd
 * @id: The ID of the seccomp notification
 * @flags: SECCOMP_ADDFD_FLAG_*
 * @srcfd: The local fd number
 * @newfd: Optional remote FD number if SETFD option is set, otherwise 0.
 * @newfd_flags: The O_* flags the remote FD should have applied
 *
 * The supervisor is installing one of its own descriptors into the
 * supervised task; it should treat @srcfd as an object it is handing over
 * and choose @newfd_flags deliberately (e.g. close-on-exec) rather than
 * defaulting to 0.
 */
struct seccomp_notif_addfd {
	__u64 id;
	__u32 flags;
	__u32 srcfd;
	__u32 newfd;
	__u32 newfd_flags;
};

/*
 * ioctl number helpers for the listener fd.
 * NOTE(review): _IO/_IOR/_IOW/_IOWR are not provided by the two includes at
 * the top of this header; a user is expected to have <linux/ioctl.h> (or
 * <sys/ioctl.h>) in scope — confirm whether <linux/types.h> pulls it in.
 */
#define SECCOMP_IOC_MAGIC		'!'
#define SECCOMP_IO(nr)			_IO(SECCOMP_IOC_MAGIC, nr)
#define SECCOMP_IOR(nr, type)		_IOR(SECCOMP_IOC_MAGIC, nr, type)
#define SECCOMP_IOW(nr, type)		_IOW(SECCOMP_IOC_MAGIC, nr, type)
#define SECCOMP_IOWR(nr, type)		_IOWR(SECCOMP_IOC_MAGIC, nr, type)

/* Flags for seccomp notification fd ioctl. */
#define SECCOMP_IOCTL_NOTIF_RECV	SECCOMP_IOWR(0, struct seccomp_notif)
#define SECCOMP_IOCTL_NOTIF_SEND	SECCOMP_IOWR(1,	\
						struct seccomp_notif_resp)
/* Takes the __u64 id of a received notification; see struct seccomp_notif. */
#define SECCOMP_IOCTL_NOTIF_ID_VALID	SECCOMP_IOW(2, __u64)
/* On success, the return value is the remote process's added fd number */
#define SECCOMP_IOCTL_NOTIF_ADDFD	SECCOMP_IOW(3,	\
						struct seccomp_notif_addfd)

/* Takes a __u64 bitmask; SECCOMP_USER_NOTIF_FD_SYNC_WAKE_UP is the only value defined here. */
#define SECCOMP_IOCTL_NOTIF_SET_FLAGS	SECCOMP_IOW(4, __u64)

#endif /* _UAPI_LINUX_SECCOMP_H */