author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-15 17:09:30 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-15 17:09:30 +0000 |
commit | 81749f1fe87e489c4e2e7408a0fae9370c3810b3 (patch) | |
tree | 2d1345a5762855b6577495d90ac134c4e92d7ff8 /include | |
parent | Initial commit. (diff) | |
download | libseccomp-81749f1fe87e489c4e2e7408a0fae9370c3810b3.tar.xz libseccomp-81749f1fe87e489c4e2e7408a0fae9370c3810b3.zip |
Adding upstream version 2.5.5. (refs: upstream/2.5.5, upstream)
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/Makefile.am | 19 | ||||
-rw-r--r-- | include/Makefile.in | 607 | ||||
-rw-r--r-- | include/seccomp-syscalls.h | 2355 | ||||
-rw-r--r-- | include/seccomp.h | 827 | ||||
-rw-r--r-- | include/seccomp.h.in | 827 |
5 files changed, 4635 insertions, 0 deletions
diff --git a/include/Makefile.am b/include/Makefile.am
new file mode 100644
index 0000000..d996128
--- /dev/null
+++ b/include/Makefile.am
@@ -0,0 +1,19 @@
+####
+# Seccomp Library Header Files
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License
+# as published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser
+# General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+include_HEADERS = seccomp.h seccomp-syscalls.h
diff --git a/include/Makefile.in b/include/Makefile.in
new file mode 100644
index 0000000..bbd5054
--- /dev/null
+++ b/include/Makefile.in
@@ -0,0 +1,607 @@ +# Makefile.in generated by automake 1.16.5 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2021 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +#### +# Seccomp Library Header Files +# + +# +# This library is free software; you can redistribute it and/or modify it +# under the terms of version 2.1 of the GNU Lesser General Public License +# as published by the Free Software Foundation. +# +# This library is distributed in the hope that it will be useful, but +# WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser +# General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, see <http://www.gnu.org/licenses>. +# + +VPATH = @srcdir@ +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} +am__make_running_with_option = \ + case $${target_option-} in \ + ?) 
;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +subdir = include +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/ax_code_coverage.m4 \ + $(top_srcdir)/m4/libtool.m4 $(top_srcdir)/m4/ltoptions.m4 \ + $(top_srcdir)/m4/ltsugar.m4 
$(top_srcdir)/m4/ltversion.m4 \ + $(top_srcdir)/m4/lt~obsolete.m4 $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(include_HEADERS) \ + $(am__DIST_COMMON) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/configure.h +CONFIG_CLEAN_FILES = seccomp.h +CONFIG_CLEAN_VPATH_FILES = +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +SOURCES = +DIST_SOURCES = +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! 
-r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(includedir)" +HEADERS = $(include_HEADERS) +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +am__DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/seccomp.h.in +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AM_CFLAGS = @AM_CFLAGS@ +AM_CPPFLAGS = @AM_CPPFLAGS@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AM_LDFLAGS = @AM_LDFLAGS@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CFLAGS = @CFLAGS@ +CODE_COVERAGE_CFLAGS = @CODE_COVERAGE_CFLAGS@ +CODE_COVERAGE_CPPFLAGS = @CODE_COVERAGE_CPPFLAGS@ +CODE_COVERAGE_CXXFLAGS = @CODE_COVERAGE_CXXFLAGS@ +CODE_COVERAGE_ENABLED = @CODE_COVERAGE_ENABLED@ +CODE_COVERAGE_LDFLAGS = @CODE_COVERAGE_LDFLAGS@ +CODE_COVERAGE_LIBS = @CODE_COVERAGE_LIBS@ +CPPFLAGS = @CPPFLAGS@ +CSCOPE = @CSCOPE@ +CTAGS = @CTAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +ETAGS = @ETAGS@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ 
+FILECMD = @FILECMD@ +GCOV = @GCOV@ +GENHTML = @GENHTML@ +GPERF = @GPERF@ +GREP = @GREP@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LCOV = @LCOV@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +NM = @NM@ +NMEDIT = @NMEDIT@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PYTHON = @PYTHON@ +PYTHON_EXEC_PREFIX = @PYTHON_EXEC_PREFIX@ +PYTHON_PLATFORM = @PYTHON_PLATFORM@ +PYTHON_PREFIX = @PYTHON_PREFIX@ +PYTHON_VERSION = @PYTHON_VERSION@ +RANLIB = @RANLIB@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +VERSION = @VERSION@ +VERSION_MAJOR = @VERSION_MAJOR@ +VERSION_MICRO = @VERSION_MICRO@ +VERSION_MINOR = @VERSION_MINOR@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +cython = @cython@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +have_coverity = @have_coverity@ +host = @host@ 
+host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +pkgpyexecdir = @pkgpyexecdir@ +pkgpythondir = @pkgpythondir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +pyexecdir = @pyexecdir@ +pythondir = @pythondir@ +runstatedir = @runstatedir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +include_HEADERS = seccomp.h seccomp-syscalls.h +all: all-am + +.SUFFIXES: +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign include/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --foreign include/Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): +seccomp.h: $(top_builddir)/config.status $(srcdir)/seccomp.h.in + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-includeHEADERS: $(include_HEADERS) + @$(NORMAL_INSTALL) + @list='$(include_HEADERS)'; test -n "$(includedir)" || list=; \ + if test -n "$$list"; then \ + echo " $(MKDIR_P) '$(DESTDIR)$(includedir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(includedir)" || exit 1; \ + fi; \ + for p in $$list; do \ + if test -f "$$p"; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; \ + done | $(am__base_list) | \ + while read files; do \ + echo " $(INSTALL_HEADER) $$files '$(DESTDIR)$(includedir)'"; \ + $(INSTALL_HEADER) $$files "$(DESTDIR)$(includedir)" || exit $$?; \ + done + +uninstall-includeHEADERS: + @$(NORMAL_UNINSTALL) + @list='$(include_HEADERS)'; test -n "$(includedir)" || list=; \ + files=`for p in $$list; do echo $$p; done | sed -e 's|^.*/||'`; \ + dir='$(DESTDIR)$(includedir)'; $(am__uninstall_files_from_dir) + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + 
test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! 
-perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am +check: check-am +all-am: Makefile $(HEADERS) +installdirs: + for dir in "$(DESTDIR)$(includedir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + +clean-generic: + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-generic clean-libtool mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-generic distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-includeHEADERS + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-generic mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-includeHEADERS + +.MAKE: install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-am clean clean-generic \ + clean-libtool cscopelist-am ctags ctags-am distclean \ + distclean-generic distclean-libtool distclean-tags distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-dvi install-dvi-am \ + install-exec install-exec-am install-html install-html-am \ + install-includeHEADERS install-info install-info-am \ + install-man install-pdf install-pdf-am install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-generic mostlyclean-libtool pdf pdf-am \ + ps ps-am tags tags-am uninstall uninstall-am \ + uninstall-includeHEADERS + +.PRECIOUS: Makefile + + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/include/seccomp-syscalls.h b/include/seccomp-syscalls.h new file mode 100644 index 0000000..611c78d --- /dev/null 
+++ b/include/seccomp-syscalls.h 
@@ -0,0 +1,2355 @@ +/** + * Seccomp Library + * + * Copyright (c) 2019 Cisco Systems <pmoore2@cisco.com> + * Author: Paul Moore <paul@paul-moore.com> + */ + +/* + * This library is free software; you can redistribute it and/or modify it + * under the terms of version 2.1 of the GNU Lesser General Public License as + * published by the Free Software Foundation. + * + * This library is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or + * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License + * for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, see <http://www.gnu.org/licenses>. + */ + +#ifndef _SECCOMP_H +#error "do not include seccomp-syscalls.h directly, use seccomp.h instead" +#endif + +/* + * psuedo syscall definitions + */ + +/* socket syscalls */ + +#define __PNR_socket -101 +#define __PNR_bind -102 +#define __PNR_connect -103 +#define __PNR_listen -104 +#define __PNR_accept -105 +#define __PNR_getsockname -106 +#define __PNR_getpeername -107 +#define __PNR_socketpair -108 +#define __PNR_send -109 +#define __PNR_recv -110 +#define __PNR_sendto -111 +#define __PNR_recvfrom -112 +#define __PNR_shutdown -113 +#define __PNR_setsockopt -114 +#define __PNR_getsockopt -115 +#define __PNR_sendmsg -116 +#define __PNR_recvmsg -117 +#define __PNR_accept4 -118 +#define __PNR_recvmmsg -119 +#define __PNR_sendmmsg -120 + +/* ipc syscalls */ + +#define __PNR_semop -201 +#define __PNR_semget -202 +#define __PNR_semctl -203 +#define __PNR_semtimedop -204 +#define __PNR_msgsnd -211 +#define __PNR_msgrcv -212 +#define __PNR_msgget -213 +#define __PNR_msgctl -214 +#define __PNR_shmat -221 +#define __PNR_shmdt -222 +#define __PNR_shmget -223 +#define __PNR_shmctl -224 + +/* single syscalls */ + +#define __PNR_arch_prctl -10001 +#define __PNR_bdflush -10002 +#define __PNR_break -10003 +#define 
__PNR_chown32 -10004 +#define __PNR_epoll_ctl_old -10005 +#define __PNR_epoll_wait_old -10006 +#define __PNR_fadvise64_64 -10007 +#define __PNR_fchown32 -10008 +#define __PNR_fcntl64 -10009 +#define __PNR_fstat64 -10010 +#define __PNR_fstatat64 -10011 +#define __PNR_fstatfs64 -10012 +#define __PNR_ftime -10013 +#define __PNR_ftruncate64 -10014 +#define __PNR_getegid32 -10015 +#define __PNR_geteuid32 -10016 +#define __PNR_getgid32 -10017 +#define __PNR_getgroups32 -10018 +#define __PNR_getresgid32 -10019 +#define __PNR_getresuid32 -10020 +#define __PNR_getuid32 -10021 +#define __PNR_gtty -10022 +#define __PNR_idle -10023 +#define __PNR_ipc -10024 +#define __PNR_lchown32 -10025 +#define __PNR__llseek -10026 +#define __PNR_lock -10027 +#define __PNR_lstat64 -10028 +#define __PNR_mmap2 -10029 +#define __PNR_mpx -10030 +#define __PNR_newfstatat -10031 +#define __PNR__newselect -10032 +#define __PNR_nice -10033 +#define __PNR_oldfstat -10034 +#define __PNR_oldlstat -10035 +#define __PNR_oldolduname -10036 +#define __PNR_oldstat -10037 +#define __PNR_olduname -10038 +#define __PNR_prof -10039 +#define __PNR_profil -10040 +#define __PNR_readdir -10041 +#define __PNR_security -10042 +#define __PNR_sendfile64 -10043 +#define __PNR_setfsgid32 -10044 +#define __PNR_setfsuid32 -10045 +#define __PNR_setgid32 -10046 +#define __PNR_setgroups32 -10047 +#define __PNR_setregid32 -10048 +#define __PNR_setresgid32 -10049 +#define __PNR_setresuid32 -10050 +#define __PNR_setreuid32 -10051 +#define __PNR_setuid32 -10052 +#define __PNR_sgetmask -10053 +#define __PNR_sigaction -10054 +#define __PNR_signal -10055 +#define __PNR_sigpending -10056 +#define __PNR_sigprocmask -10057 +#define __PNR_sigreturn -10058 +#define __PNR_sigsuspend -10059 +#define __PNR_socketcall -10060 +#define __PNR_ssetmask -10061 +#define __PNR_stat64 -10062 +#define __PNR_statfs64 -10063 +#define __PNR_stime -10064 +#define __PNR_stty -10065 +#define __PNR_truncate64 -10066 +#define __PNR_tuxcall -10067 +#define 
__PNR_ugetrlimit -10068 +#define __PNR_ulimit -10069 +#define __PNR_umount -10070 +#define __PNR_vm86 -10071 +#define __PNR_vm86old -10072 +#define __PNR_waitpid -10073 +#define __PNR_create_module -10074 +#define __PNR_get_kernel_syms -10075 +#define __PNR_get_thread_area -10076 +#define __PNR_nfsservctl -10077 +#define __PNR_query_module -10078 +#define __PNR_set_thread_area -10079 +#define __PNR__sysctl -10080 +#define __PNR_uselib -10081 +#define __PNR_vserver -10082 +#define __PNR_arm_fadvise64_64 -10083 +#define __PNR_arm_sync_file_range -10084 +#define __PNR_pciconfig_iobase -10086 +#define __PNR_pciconfig_read -10087 +#define __PNR_pciconfig_write -10088 +#define __PNR_sync_file_range2 -10089 +#define __PNR_syscall -10090 +#define __PNR_afs_syscall -10091 +#define __PNR_fadvise64 -10092 +#define __PNR_getpmsg -10093 +#define __PNR_ioperm -10094 +#define __PNR_iopl -10095 +#define __PNR_migrate_pages -10097 +#define __PNR_modify_ldt -10098 +#define __PNR_putpmsg -10099 +#define __PNR_sync_file_range -10100 +#define __PNR_select -10101 +#define __PNR_vfork -10102 +#define __PNR_cachectl -10103 +#define __PNR_cacheflush -10104 +#define __PNR_sysmips -10106 +#define __PNR_timerfd -10107 +#define __PNR_time -10108 +#define __PNR_getrandom -10109 +#define __PNR_memfd_create -10110 +#define __PNR_kexec_file_load -10111 +#define __PNR_sysfs -10145 +#define __PNR_oldwait4 -10146 +#define __PNR_access -10147 +#define __PNR_alarm -10148 +#define __PNR_chmod -10149 +#define __PNR_chown -10150 +#define __PNR_creat -10151 +#define __PNR_dup2 -10152 +#define __PNR_epoll_create -10153 +#define __PNR_epoll_wait -10154 +#define __PNR_eventfd -10155 +#define __PNR_fork -10156 +#define __PNR_futimesat -10157 +#define __PNR_getdents -10158 +#define __PNR_getpgrp -10159 +#define __PNR_inotify_init -10160 +#define __PNR_lchown -10161 +#define __PNR_link -10162 +#define __PNR_lstat -10163 +#define __PNR_mkdir -10164 +#define __PNR_mknod -10165 +#define __PNR_open -10166 +#define 
__PNR_pause -10167 +#define __PNR_pipe -10168 +#define __PNR_poll -10169 +#define __PNR_readlink -10170 +#define __PNR_rename -10171 +#define __PNR_rmdir -10172 +#define __PNR_signalfd -10173 +#define __PNR_stat -10174 +#define __PNR_symlink -10175 +#define __PNR_unlink -10176 +#define __PNR_ustat -10177 +#define __PNR_utime -10178 +#define __PNR_utimes -10179 +#define __PNR_getrlimit -10180 +#define __PNR_mmap -10181 +#define __PNR_breakpoint -10182 +#define __PNR_set_tls -10183 +#define __PNR_usr26 -10184 +#define __PNR_usr32 -10185 +#define __PNR_multiplexer -10186 +#define __PNR_rtas -10187 +#define __PNR_spu_create -10188 +#define __PNR_spu_run -10189 +#define __PNR_swapcontext -10190 +#define __PNR_sys_debug_setcontext -10191 +#define __PNR_switch_endian -10191 +#define __PNR_get_mempolicy -10192 +#define __PNR_move_pages -10193 +#define __PNR_mbind -10194 +#define __PNR_set_mempolicy -10195 +#define __PNR_s390_runtime_instr -10196 +#define __PNR_s390_pci_mmio_read -10197 +#define __PNR_s390_pci_mmio_write -10198 +#define __PNR_membarrier -10199 +#define __PNR_userfaultfd -10200 +#define __PNR_pkey_mprotect -10201 +#define __PNR_pkey_alloc -10202 +#define __PNR_pkey_free -10203 +#define __PNR_get_tls -10204 +#define __PNR_s390_guarded_storage -10205 +#define __PNR_s390_sthyi -10206 +#define __PNR_subpage_prot -10207 +#define __PNR_statx -10208 +#define __PNR_io_pgetevents -10209 +#define __PNR_rseq -10210 +#define __PNR_setrlimit -10211 +#define __PNR_clock_adjtime64 -10212 +#define __PNR_clock_getres_time64 -10213 +#define __PNR_clock_gettime64 -10214 +#define __PNR_clock_nanosleep_time64 -10215 +#define __PNR_clock_settime64 -10216 +#define __PNR_clone3 -10217 +#define __PNR_fsconfig -10218 +#define __PNR_fsmount -10219 +#define __PNR_fsopen -10220 +#define __PNR_fspick -10221 +#define __PNR_futex_time64 -10222 +#define __PNR_io_pgetevents_time64 -10223 +#define __PNR_move_mount -10224 +#define __PNR_mq_timedreceive_time64 -10225 +#define 
__PNR_mq_timedsend_time64 -10226 +#define __PNR_open_tree -10227 +#define __PNR_pidfd_open -10228 +#define __PNR_pidfd_send_signal -10229 +#define __PNR_ppoll_time64 -10230 +#define __PNR_pselect6_time64 -10231 +#define __PNR_recvmmsg_time64 -10232 +#define __PNR_rt_sigtimedwait_time64 -10233 +#define __PNR_sched_rr_get_interval_time64 -10234 +#define __PNR_semtimedop_time64 -10235 +#define __PNR_timer_gettime64 -10236 +#define __PNR_timer_settime64 -10237 +#define __PNR_timerfd_gettime64 -10238 +#define __PNR_timerfd_settime64 -10239 +#define __PNR_utimensat_time64 -10240 +#define __PNR_ppoll -10241 +#define __PNR_renameat -10242 +#define __PNR_riscv_flush_icache -10243 +#define __PNR_memfd_secret -10244 +#define __PNR_map_shadow_stack -10245 + +/* + * libseccomp syscall definitions + */ + +#ifdef __NR__llseek +#define __SNR__llseek __NR__llseek +#else +#define __SNR__llseek __PNR__llseek +#endif + +#ifdef __NR__newselect +#define __SNR__newselect __NR__newselect +#else +#define __SNR__newselect __PNR__newselect +#endif + +#ifdef __NR__sysctl +#define __SNR__sysctl __NR__sysctl +#else +#define __SNR__sysctl __PNR__sysctl +#endif + +#ifdef __NR_accept +#define __SNR_accept __NR_accept +#else +#define __SNR_accept __PNR_accept +#endif + +#ifdef __NR_accept4 +#define __SNR_accept4 __NR_accept4 +#else +#define __SNR_accept4 __PNR_accept4 +#endif + +#ifdef __NR_access +#define __SNR_access __NR_access +#else +#define __SNR_access __PNR_access +#endif + +#define __SNR_acct __NR_acct + +#define __SNR_add_key __NR_add_key + +#define __SNR_adjtimex __NR_adjtimex + +#ifdef __NR_afs_syscall +#define __SNR_afs_syscall __NR_afs_syscall +#else +#define __SNR_afs_syscall __PNR_afs_syscall +#endif + +#ifdef __NR_alarm +#define __SNR_alarm __NR_alarm +#else +#define __SNR_alarm __PNR_alarm +#endif + +#ifdef __NR_arm_fadvise64_64 +#define __SNR_arm_fadvise64_64 __NR_arm_fadvise64_64 +#else +#define __SNR_arm_fadvise64_64 __PNR_arm_fadvise64_64 +#endif + +#ifdef 
__NR_arm_sync_file_range +#define __SNR_arm_sync_file_range __NR_arm_sync_file_range +#else +#define __SNR_arm_sync_file_range __PNR_arm_sync_file_range +#endif + +#ifdef __NR_arch_prctl +#define __SNR_arch_prctl __NR_arch_prctl +#else +#define __SNR_arch_prctl __PNR_arch_prctl +#endif + +#ifdef __NR_bdflush +#define __SNR_bdflush __NR_bdflush +#else +#define __SNR_bdflush __PNR_bdflush +#endif + +#ifdef __NR_bind +#define __SNR_bind __NR_bind +#else +#define __SNR_bind __PNR_bind +#endif + +#define __SNR_bpf __NR_bpf + +#ifdef __NR_break +#define __SNR_break __NR_break +#else +#define __SNR_break __PNR_break +#endif + +#ifdef __NR_breakpoint +#ifdef __ARM_NR_breakpoint +#define __SNR_breakpoint __ARM_NR_breakpoint +#else +#define __SNR_breakpoint __NR_breakpoint +#endif +#else +#define __SNR_breakpoint __PNR_breakpoint +#endif + +#define __SNR_brk __NR_brk + +#ifdef __NR_cachectl +#define __SNR_cachectl __NR_cachectl +#else +#define __SNR_cachectl __PNR_cachectl +#endif + +#ifdef __NR_cacheflush +#ifdef __ARM_NR_cacheflush +#define __SNR_cacheflush __ARM_NR_cacheflush +#else +#define __SNR_cacheflush __NR_cacheflush +#endif +#else +#define __SNR_cacheflush __PNR_cacheflush +#endif + +#define __SNR_cachestat __NR_cachestat + +#define __SNR_capget __NR_capget + +#define __SNR_capset __NR_capset + +#define __SNR_chdir __NR_chdir + +#ifdef __NR_chmod +#define __SNR_chmod __NR_chmod +#else +#define __SNR_chmod __PNR_chmod +#endif + +#ifdef __NR_chown +#define __SNR_chown __NR_chown +#else +#define __SNR_chown __PNR_chown +#endif + +#ifdef __NR_chown32 +#define __SNR_chown32 __NR_chown32 +#else +#define __SNR_chown32 __PNR_chown32 +#endif + +#define __SNR_chroot __NR_chroot + +#define __SNR_clock_adjtime __NR_clock_adjtime + +#ifdef __NR_clock_adjtime64 +#define __SNR_clock_adjtime64 __NR_clock_adjtime64 +#else +#define __SNR_clock_adjtime64 __PNR_clock_adjtime64 +#endif + +#define __SNR_clock_getres __NR_clock_getres + +#ifdef __NR_clock_getres_time64 +#define 
__SNR_clock_getres_time64 __NR_clock_getres_time64
+#else
+#define __SNR_clock_getres_time64 __PNR_clock_getres_time64
+#endif
+
+#define __SNR_clock_gettime __NR_clock_gettime
+
+#ifdef __NR_clock_gettime64
+#define __SNR_clock_gettime64 __NR_clock_gettime64
+#else
+#define __SNR_clock_gettime64 __PNR_clock_gettime64
+#endif
+
+#define __SNR_clock_nanosleep __NR_clock_nanosleep
+
+#ifdef __NR_clock_nanosleep_time64
+#define __SNR_clock_nanosleep_time64 __NR_clock_nanosleep_time64
+#else
+#define __SNR_clock_nanosleep_time64 __PNR_clock_nanosleep_time64
+#endif
+
+#define __SNR_clock_settime __NR_clock_settime
+
+#ifdef __NR_clock_settime64
+#define __SNR_clock_settime64 __NR_clock_settime64
+#else
+#define __SNR_clock_settime64 __PNR_clock_settime64
+#endif
+
+#define __SNR_clone __NR_clone
+
+#ifdef __NR_clone3
+#define __SNR_clone3 __NR_clone3
+#else
+#define __SNR_clone3 __PNR_clone3
+#endif
+
+#define __SNR_close __NR_close
+
+#define __SNR_close_range __NR_close_range
+
+#ifdef __NR_connect
+#define __SNR_connect __NR_connect
+#else
+#define __SNR_connect __PNR_connect
+#endif
+
+#define __SNR_copy_file_range __NR_copy_file_range
+
+#ifdef __NR_creat
+#define __SNR_creat __NR_creat
+#else
+#define __SNR_creat __PNR_creat
+#endif
+
+#ifdef __NR_create_module
+#define __SNR_create_module __NR_create_module
+#else
+#define __SNR_create_module __PNR_create_module
+#endif
+
+#define __SNR_delete_module __NR_delete_module
+
+#ifdef __NR_dup
+#define __SNR_dup __NR_dup
+#else
+#define __SNR_dup __PNR_dup
+#endif
+
+#ifdef __NR_dup2
+#define __SNR_dup2 __NR_dup2
+#else
+#define __SNR_dup2 __PNR_dup2
+#endif
+
+#define __SNR_dup3 __NR_dup3
+
+#ifdef __NR_epoll_create
+#define __SNR_epoll_create __NR_epoll_create
+#else
+#define __SNR_epoll_create __PNR_epoll_create
+#endif
+
+#define __SNR_epoll_create1 __NR_epoll_create1
+
+#ifdef __NR_epoll_ctl
+#define __SNR_epoll_ctl __NR_epoll_ctl
+#else
+#define __SNR_epoll_ctl __PNR_epoll_ctl
+#endif
+
+#ifdef
__NR_epoll_ctl_old
+#define __SNR_epoll_ctl_old __NR_epoll_ctl_old
+#else
+#define __SNR_epoll_ctl_old __PNR_epoll_ctl_old
+#endif
+
+#define __SNR_epoll_pwait __NR_epoll_pwait
+
+#define __SNR_epoll_pwait2 __NR_epoll_pwait2
+
+#ifdef __NR_epoll_wait
+#define __SNR_epoll_wait __NR_epoll_wait
+#else
+#define __SNR_epoll_wait __PNR_epoll_wait
+#endif
+
+#ifdef __NR_epoll_wait_old
+#define __SNR_epoll_wait_old __NR_epoll_wait_old
+#else
+#define __SNR_epoll_wait_old __PNR_epoll_wait_old
+#endif
+
+#ifdef __NR_eventfd
+#define __SNR_eventfd __NR_eventfd
+#else
+#define __SNR_eventfd __PNR_eventfd
+#endif
+
+#define __SNR_eventfd2 __NR_eventfd2
+
+#define __SNR_execve __NR_execve
+
+#define __SNR_execveat __NR_execveat
+
+#define __SNR_exit __NR_exit
+
+#define __SNR_exit_group __NR_exit_group
+
+#define __SNR_faccessat __NR_faccessat
+
+#define __SNR_faccessat2 __NR_faccessat2
+
+#ifdef __NR_fadvise64
+#define __SNR_fadvise64 __NR_fadvise64
+#else
+#define __SNR_fadvise64 __PNR_fadvise64
+#endif
+
+#ifdef __NR_fadvise64_64
+#define __SNR_fadvise64_64 __NR_fadvise64_64
+#else
+#define __SNR_fadvise64_64 __PNR_fadvise64_64
+#endif
+
+#define __SNR_fallocate __NR_fallocate
+
+#define __SNR_fanotify_init __NR_fanotify_init
+
+#define __SNR_fanotify_mark __NR_fanotify_mark
+
+#define __SNR_fchdir __NR_fchdir
+
+#define __SNR_fchmod __NR_fchmod
+
+#define __SNR_fchmodat __NR_fchmodat
+
+#define __SNR_fchmodat2 __NR_fchmodat2
+
+#ifdef __NR_fchown
+#define __SNR_fchown __NR_fchown
+#else
+#define __SNR_fchown __PNR_fchown
+#endif
+
+#ifdef __NR_fchown32
+#define __SNR_fchown32 __NR_fchown32
+#else
+#define __SNR_fchown32 __PNR_fchown32
+#endif
+
+#define __SNR_fchownat __NR_fchownat
+
+#ifdef __NR_fcntl
+#define __SNR_fcntl __NR_fcntl
+#else
+#define __SNR_fcntl __PNR_fcntl
+#endif
+
+#ifdef __NR_fcntl64
+#define __SNR_fcntl64 __NR_fcntl64
+#else
+#define __SNR_fcntl64 __PNR_fcntl64
+#endif
+
+#define __SNR_fdatasync __NR_fdatasync
+
+#define __SNR_fgetxattr __NR_fgetxattr
+
+#define __SNR_finit_module __NR_finit_module
+
+#define __SNR_flistxattr __NR_flistxattr
+
+#define __SNR_flock __NR_flock
+
+#ifdef __NR_fork
+#define __SNR_fork __NR_fork
+#else
+#define __SNR_fork __PNR_fork
+#endif
+
+#define __SNR_fremovexattr __NR_fremovexattr
+
+#ifdef __NR_fsconfig
+#define __SNR_fsconfig __NR_fsconfig
+#else
+#define __SNR_fsconfig __PNR_fsconfig
+#endif
+
+#define __SNR_fsetxattr __NR_fsetxattr
+
+#ifdef __NR_fsmount
+#define __SNR_fsmount __NR_fsmount
+#else
+#define __SNR_fsmount __PNR_fsmount
+#endif
+
+#ifdef __NR_fsopen
+#define __SNR_fsopen __NR_fsopen
+#else
+#define __SNR_fsopen __PNR_fsopen
+#endif
+
+#ifdef __NR_fspick
+#define __SNR_fspick __NR_fspick
+#else
+#define __SNR_fspick __PNR_fspick
+#endif
+
+#ifdef __NR_fstat
+#define __SNR_fstat __NR_fstat
+#else
+#define __SNR_fstat __PNR_fstat
+#endif
+
+#ifdef __NR_fstat64
+#define __SNR_fstat64 __NR_fstat64
+#else
+#define __SNR_fstat64 __PNR_fstat64
+#endif
+
+#ifdef __NR_fstatat64
+#define __SNR_fstatat64 __NR_fstatat64
+#else
+#define __SNR_fstatat64 __PNR_fstatat64
+#endif
+
+#ifdef __NR_fstatfs
+#define __SNR_fstatfs __NR_fstatfs
+#else
+#define __SNR_fstatfs __PNR_fstatfs
+#endif
+
+#ifdef __NR_fstatfs64
+#define __SNR_fstatfs64 __NR_fstatfs64
+#else
+#define __SNR_fstatfs64 __PNR_fstatfs64
+#endif
+
+#define __SNR_fsync __NR_fsync
+
+#ifdef __NR_ftime
+#define __SNR_ftime __NR_ftime
+#else
+#define __SNR_ftime __PNR_ftime
+#endif
+
+#ifdef __NR_ftruncate
+#define __SNR_ftruncate __NR_ftruncate
+#else
+#define __SNR_ftruncate __PNR_ftruncate
+#endif
+
+#ifdef __NR_ftruncate64
+#define __SNR_ftruncate64 __NR_ftruncate64
+#else
+#define __SNR_ftruncate64 __PNR_ftruncate64
+#endif
+
+#define __SNR_futex __NR_futex
+
+#define __SNR_futex_requeue __NR_futex_requeue
+
+#ifdef __NR_futex_time64
+#define __SNR_futex_time64 __NR_futex_time64
+#else
+#define __SNR_futex_time64 __PNR_futex_time64
+#endif
+
+#define __SNR_futex_wait __NR_futex_wait
+
+#define __SNR_futex_waitv
__NR_futex_waitv
+
+#define __SNR_futex_wake __NR_futex_wake
+
+#ifdef __NR_futimesat
+#define __SNR_futimesat __NR_futimesat
+#else
+#define __SNR_futimesat __PNR_futimesat
+#endif
+
+#ifdef __NR_get_kernel_syms
+#define __SNR_get_kernel_syms __NR_get_kernel_syms
+#else
+#define __SNR_get_kernel_syms __PNR_get_kernel_syms
+#endif
+
+#ifdef __NR_get_mempolicy
+#define __SNR_get_mempolicy __NR_get_mempolicy
+#else
+#define __SNR_get_mempolicy __PNR_get_mempolicy
+#endif
+
+#define __SNR_get_robust_list __NR_get_robust_list
+
+#ifdef __NR_get_thread_area
+#define __SNR_get_thread_area __NR_get_thread_area
+#else
+#define __SNR_get_thread_area __PNR_get_thread_area
+#endif
+
+#ifdef __NR_get_tls
+#ifdef __ARM_NR_get_tls
+#define __SNR_get_tls __ARM_NR_get_tls
+#else
+#define __SNR_get_tls __NR_get_tls
+#endif
+#else
+#define __SNR_get_tls __PNR_get_tls
+#endif
+
+#define __SNR_getcpu __NR_getcpu
+
+#define __SNR_getcwd __NR_getcwd
+
+#ifdef __NR_getdents
+#define __SNR_getdents __NR_getdents
+#else
+#define __SNR_getdents __PNR_getdents
+#endif
+
+#define __SNR_getdents64 __NR_getdents64
+
+#ifdef __NR_getegid
+#define __SNR_getegid __NR_getegid
+#else
+#define __SNR_getegid __PNR_getegid
+#endif
+
+#ifdef __NR_getegid32
+#define __SNR_getegid32 __NR_getegid32
+#else
+#define __SNR_getegid32 __PNR_getegid32
+#endif
+
+#ifdef __NR_geteuid
+#define __SNR_geteuid __NR_geteuid
+#else
+#define __SNR_geteuid __PNR_geteuid
+#endif
+
+#ifdef __NR_geteuid32
+#define __SNR_geteuid32 __NR_geteuid32
+#else
+#define __SNR_geteuid32 __PNR_geteuid32
+#endif
+
+#ifdef __NR_getgid
+#define __SNR_getgid __NR_getgid
+#else
+#define __SNR_getgid __PNR_getgid
+#endif
+
+#ifdef __NR_getgid32
+#define __SNR_getgid32 __NR_getgid32
+#else
+#define __SNR_getgid32 __PNR_getgid32
+#endif
+
+#ifdef __NR_getgroups
+#define __SNR_getgroups __NR_getgroups
+#else
+#define __SNR_getgroups __PNR_getgroups
+#endif
+
+#ifdef __NR_getgroups32
+#define __SNR_getgroups32 __NR_getgroups32
+#else
+#define
__SNR_getgroups32 __PNR_getgroups32
+#endif
+
+#define __SNR_getitimer __NR_getitimer
+
+#ifdef __NR_getpeername
+#define __SNR_getpeername __NR_getpeername
+#else
+#define __SNR_getpeername __PNR_getpeername
+#endif
+
+#define __SNR_getpgid __NR_getpgid
+
+#ifdef __NR_getpgrp
+#define __SNR_getpgrp __NR_getpgrp
+#else
+#define __SNR_getpgrp __PNR_getpgrp
+#endif
+
+#define __SNR_getpid __NR_getpid
+
+#ifdef __NR_getpmsg
+#define __SNR_getpmsg __NR_getpmsg
+#else
+#define __SNR_getpmsg __PNR_getpmsg
+#endif
+
+#define __SNR_getppid __NR_getppid
+
+#define __SNR_getpriority __NR_getpriority
+
+#ifdef __NR_getrandom
+#define __SNR_getrandom __NR_getrandom
+#else
+#define __SNR_getrandom __PNR_getrandom
+#endif
+
+#ifdef __NR_getresgid
+#define __SNR_getresgid __NR_getresgid
+#else
+#define __SNR_getresgid __PNR_getresgid
+#endif
+
+#ifdef __NR_getresgid32
+#define __SNR_getresgid32 __NR_getresgid32
+#else
+#define __SNR_getresgid32 __PNR_getresgid32
+#endif
+
+#ifdef __NR_getresuid
+#define __SNR_getresuid __NR_getresuid
+#else
+#define __SNR_getresuid __PNR_getresuid
+#endif
+
+#ifdef __NR_getresuid32
+#define __SNR_getresuid32 __NR_getresuid32
+#else
+#define __SNR_getresuid32 __PNR_getresuid32
+#endif
+
+#ifdef __NR_getrlimit
+#define __SNR_getrlimit __NR_getrlimit
+#else
+#define __SNR_getrlimit __PNR_getrlimit
+#endif
+
+#define __SNR_getrusage __NR_getrusage
+
+#define __SNR_getsid __NR_getsid
+
+#ifdef __NR_getsockname
+#define __SNR_getsockname __NR_getsockname
+#else
+#define __SNR_getsockname __PNR_getsockname
+#endif
+
+#ifdef __NR_getsockopt
+#define __SNR_getsockopt __NR_getsockopt
+#else
+#define __SNR_getsockopt __PNR_getsockopt
+#endif
+
+#define __SNR_gettid __NR_gettid
+
+#define __SNR_gettimeofday __NR_gettimeofday
+
+#ifdef __NR_getuid
+#define __SNR_getuid __NR_getuid
+#else
+#define __SNR_getuid __PNR_getuid
+#endif
+
+#ifdef __NR_getuid32
+#define __SNR_getuid32 __NR_getuid32
+#else
+#define __SNR_getuid32 __PNR_getuid32
+#endif
+
+#define
__SNR_getxattr __NR_getxattr
+
+#ifdef __NR_gtty
+#define __SNR_gtty __NR_gtty
+#else
+#define __SNR_gtty __PNR_gtty
+#endif
+
+#ifdef __NR_idle
+#define __SNR_idle __NR_idle
+#else
+#define __SNR_idle __PNR_idle
+#endif
+
+#define __SNR_init_module __NR_init_module
+
+#define __SNR_inotify_add_watch __NR_inotify_add_watch
+
+#ifdef __NR_inotify_init
+#define __SNR_inotify_init __NR_inotify_init
+#else
+#define __SNR_inotify_init __PNR_inotify_init
+#endif
+
+#define __SNR_inotify_init1 __NR_inotify_init1
+
+#define __SNR_inotify_rm_watch __NR_inotify_rm_watch
+
+#define __SNR_io_cancel __NR_io_cancel
+
+#define __SNR_io_destroy __NR_io_destroy
+
+#define __SNR_io_getevents __NR_io_getevents
+
+#ifdef __NR_io_pgetevents
+#define __SNR_io_pgetevents __NR_io_pgetevents
+#else
+#define __SNR_io_pgetevents __PNR_io_pgetevents
+#endif
+
+#ifdef __NR_io_pgetevents_time64
+#define __SNR_io_pgetevents_time64 __NR_io_pgetevents_time64
+#else
+#define __SNR_io_pgetevents_time64 __PNR_io_pgetevents_time64
+#endif
+
+#define __SNR_io_setup __NR_io_setup
+
+#define __SNR_io_submit __NR_io_submit
+
+#define __SNR_io_uring_setup __NR_io_uring_setup
+
+#define __SNR_io_uring_enter __NR_io_uring_enter
+
+#define __SNR_io_uring_register __NR_io_uring_register
+
+#define __SNR_ioctl __NR_ioctl
+
+#ifdef __NR_ioperm
+#define __SNR_ioperm __NR_ioperm
+#else
+#define __SNR_ioperm __PNR_ioperm
+#endif
+
+#ifdef __NR_iopl
+#define __SNR_iopl __NR_iopl
+#else
+#define __SNR_iopl __PNR_iopl
+#endif
+
+#define __SNR_ioprio_get __NR_ioprio_get
+
+#define __SNR_ioprio_set __NR_ioprio_set
+
+#ifdef __NR_ipc
+#define __SNR_ipc __NR_ipc
+#else
+#define __SNR_ipc __PNR_ipc
+#endif
+
+#define __SNR_kcmp __NR_kcmp
+
+#ifdef __NR_kexec_file_load
+#define __SNR_kexec_file_load __NR_kexec_file_load
+#else
+#define __SNR_kexec_file_load __PNR_kexec_file_load
+#endif
+
+#define __SNR_kexec_load __NR_kexec_load
+
+#define __SNR_keyctl __NR_keyctl
+
+#define __SNR_kill __NR_kill
+
+#define
__SNR_landlock_add_rule __NR_landlock_add_rule
+#define __SNR_landlock_create_ruleset __NR_landlock_create_ruleset
+#define __SNR_landlock_restrict_self __NR_landlock_restrict_self
+
+#ifdef __NR_lchown
+#define __SNR_lchown __NR_lchown
+#else
+#define __SNR_lchown __PNR_lchown
+#endif
+
+#ifdef __NR_lchown32
+#define __SNR_lchown32 __NR_lchown32
+#else
+#define __SNR_lchown32 __PNR_lchown32
+#endif
+
+#define __SNR_lgetxattr __NR_lgetxattr
+
+#ifdef __NR_link
+#define __SNR_link __NR_link
+#else
+#define __SNR_link __PNR_link
+#endif
+
+#define __SNR_linkat __NR_linkat
+
+#ifdef __NR_listen
+#define __SNR_listen __NR_listen
+#else
+#define __SNR_listen __PNR_listen
+#endif
+
+#define __SNR_listxattr __NR_listxattr
+
+#define __SNR_llistxattr __NR_llistxattr
+
+#ifdef __NR_lock
+#define __SNR_lock __NR_lock
+#else
+#define __SNR_lock __PNR_lock
+#endif
+
+#define __SNR_lookup_dcookie __NR_lookup_dcookie
+
+#define __SNR_lremovexattr __NR_lremovexattr
+
+#define __SNR_lseek __NR_lseek
+
+#define __SNR_lsetxattr __NR_lsetxattr
+
+#ifdef __NR_lstat
+#define __SNR_lstat __NR_lstat
+#else
+#define __SNR_lstat __PNR_lstat
+#endif
+
+#ifdef __NR_lstat64
+#define __SNR_lstat64 __NR_lstat64
+#else
+#define __SNR_lstat64 __PNR_lstat64
+#endif
+
+#define __SNR_madvise __NR_madvise
+
+#ifdef __NR_map_shadow_stack
+#define __SNR_map_shadow_stack __NR_map_shadow_stack
+#else
+#define __SNR_map_shadow_stack __PNR_map_shadow_stack
+#endif
+
+#ifdef __NR_mbind
+#define __SNR_mbind __NR_mbind
+#else
+#define __SNR_mbind __PNR_mbind
+#endif
+
+#ifdef __NR_membarrier
+#define __SNR_membarrier __NR_membarrier
+#else
+#define __SNR_membarrier __PNR_membarrier
+#endif
+
+#ifdef __NR_memfd_create
+#define __SNR_memfd_create __NR_memfd_create
+#else
+#define __SNR_memfd_create __PNR_memfd_create
+#endif
+
+#ifdef __NR_memfd_secret
+#define __SNR_memfd_secret __NR_memfd_secret
+#else
+#define __SNR_memfd_secret __PNR_memfd_secret
+#endif
+
+#ifdef __NR_migrate_pages
+#define
__SNR_migrate_pages __NR_migrate_pages
+#else
+#define __SNR_migrate_pages __PNR_migrate_pages
+#endif
+
+#define __SNR_mincore __NR_mincore
+
+#ifdef __NR_mkdir
+#define __SNR_mkdir __NR_mkdir
+#else
+#define __SNR_mkdir __PNR_mkdir
+#endif
+
+#define __SNR_mkdirat __NR_mkdirat
+
+#ifdef __NR_mknod
+#define __SNR_mknod __NR_mknod
+#else
+#define __SNR_mknod __PNR_mknod
+#endif
+
+#define __SNR_mknodat __NR_mknodat
+
+#define __SNR_mlock __NR_mlock
+
+#define __SNR_mlock2 __NR_mlock2
+
+#define __SNR_mlockall __NR_mlockall
+
+#ifdef __NR_mmap
+#define __SNR_mmap __NR_mmap
+#else
+#define __SNR_mmap __PNR_mmap
+#endif
+
+#ifdef __NR_mmap2
+#define __SNR_mmap2 __NR_mmap2
+#else
+#define __SNR_mmap2 __PNR_mmap2
+#endif
+
+#ifdef __NR_modify_ldt
+#define __SNR_modify_ldt __NR_modify_ldt
+#else
+#define __SNR_modify_ldt __PNR_modify_ldt
+#endif
+
+#define __SNR_mount __NR_mount
+
+#define __SNR_mount_setattr __NR_mount_setattr
+
+#ifdef __NR_move_mount
+#define __SNR_move_mount __NR_move_mount
+#else
+#define __SNR_move_mount __PNR_move_mount
+#endif
+
+#ifdef __NR_move_pages
+#define __SNR_move_pages __NR_move_pages
+#else
+#define __SNR_move_pages __PNR_move_pages
+#endif
+
+#define __SNR_mprotect __NR_mprotect
+
+#ifdef __NR_mpx
+#define __SNR_mpx __NR_mpx
+#else
+#define __SNR_mpx __PNR_mpx
+#endif
+
+#define __SNR_mq_getsetattr __NR_mq_getsetattr
+
+#define __SNR_mq_notify __NR_mq_notify
+
+#define __SNR_mq_open __NR_mq_open
+
+#define __SNR_mq_timedreceive __NR_mq_timedreceive
+
+#ifdef __NR_mq_timedreceive_time64
+#define __SNR_mq_timedreceive_time64 __NR_mq_timedreceive_time64
+#else
+#define __SNR_mq_timedreceive_time64 __PNR_mq_timedreceive_time64
+#endif
+
+#define __SNR_mq_timedsend __NR_mq_timedsend
+
+#ifdef __NR_mq_timedsend_time64
+#define __SNR_mq_timedsend_time64 __NR_mq_timedsend_time64
+#else
+#define __SNR_mq_timedsend_time64 __PNR_mq_timedsend_time64
+#endif
+
+#define __SNR_mq_unlink __NR_mq_unlink
+
+#define __SNR_mremap __NR_mremap
+
+#ifdef
__NR_msgctl
+#define __SNR_msgctl __NR_msgctl
+#else
+#define __SNR_msgctl __PNR_msgctl
+#endif
+
+#ifdef __NR_msgget
+#define __SNR_msgget __NR_msgget
+#else
+#define __SNR_msgget __PNR_msgget
+#endif
+
+#ifdef __NR_msgrcv
+#define __SNR_msgrcv __NR_msgrcv
+#else
+#define __SNR_msgrcv __PNR_msgrcv
+#endif
+
+#ifdef __NR_msgsnd
+#define __SNR_msgsnd __NR_msgsnd
+#else
+#define __SNR_msgsnd __PNR_msgsnd
+#endif
+
+#define __SNR_msync __NR_msync
+
+#ifdef __NR_multiplexer
+#define __SNR_multiplexer __NR_multiplexer
+#else
+#define __SNR_multiplexer __PNR_multiplexer
+#endif
+
+#define __SNR_munlock __NR_munlock
+
+#define __SNR_munlockall __NR_munlockall
+
+#define __SNR_munmap __NR_munmap
+
+#define __SNR_name_to_handle_at __NR_name_to_handle_at
+
+#define __SNR_nanosleep __NR_nanosleep
+
+#ifdef __NR_newfstatat
+#define __SNR_newfstatat __NR_newfstatat
+#else
+#define __SNR_newfstatat __PNR_newfstatat
+#endif
+
+#ifdef __NR_nfsservctl
+#define __SNR_nfsservctl __NR_nfsservctl
+#else
+#define __SNR_nfsservctl __PNR_nfsservctl
+#endif
+
+#ifdef __NR_nice
+#define __SNR_nice __NR_nice
+#else
+#define __SNR_nice __PNR_nice
+#endif
+
+#ifdef __NR_oldfstat
+#define __SNR_oldfstat __NR_oldfstat
+#else
+#define __SNR_oldfstat __PNR_oldfstat
+#endif
+
+#ifdef __NR_oldlstat
+#define __SNR_oldlstat __NR_oldlstat
+#else
+#define __SNR_oldlstat __PNR_oldlstat
+#endif
+
+#ifdef __NR_oldolduname
+#define __SNR_oldolduname __NR_oldolduname
+#else
+#define __SNR_oldolduname __PNR_oldolduname
+#endif
+
+#ifdef __NR_oldstat
+#define __SNR_oldstat __NR_oldstat
+#else
+#define __SNR_oldstat __PNR_oldstat
+#endif
+
+#ifdef __NR_olduname
+#define __SNR_olduname __NR_olduname
+#else
+#define __SNR_olduname __PNR_olduname
+#endif
+
+#ifdef __NR_open
+#define __SNR_open __NR_open
+#else
+#define __SNR_open __PNR_open
+#endif
+
+#define __SNR_open_by_handle_at __NR_open_by_handle_at
+
+#ifdef __NR_open_tree
+#define __SNR_open_tree __NR_open_tree
+#else
+#define __SNR_open_tree
__PNR_open_tree
+#endif
+
+#define __SNR_openat __NR_openat
+
+#define __SNR_openat2 __NR_openat2
+
+#ifdef __NR_pause
+#define __SNR_pause __NR_pause
+#else
+#define __SNR_pause __PNR_pause
+#endif
+
+#ifdef __NR_pciconfig_iobase
+#define __SNR_pciconfig_iobase __NR_pciconfig_iobase
+#else
+#define __SNR_pciconfig_iobase __PNR_pciconfig_iobase
+#endif
+
+#ifdef __NR_pciconfig_read
+#define __SNR_pciconfig_read __NR_pciconfig_read
+#else
+#define __SNR_pciconfig_read __PNR_pciconfig_read
+#endif
+
+#ifdef __NR_pciconfig_write
+#define __SNR_pciconfig_write __NR_pciconfig_write
+#else
+#define __SNR_pciconfig_write __PNR_pciconfig_write
+#endif
+
+#define __SNR_perf_event_open __NR_perf_event_open
+
+#define __SNR_personality __NR_personality
+
+#define __SNR_pidfd_getfd __NR_pidfd_getfd
+
+#ifdef __NR_pidfd_open
+#define __SNR_pidfd_open __NR_pidfd_open
+#else
+#define __SNR_pidfd_open __PNR_pidfd_open
+#endif
+
+#ifdef __NR_pidfd_send_signal
+#define __SNR_pidfd_send_signal __NR_pidfd_send_signal
+#else
+#define __SNR_pidfd_send_signal __PNR_pidfd_send_signal
+#endif
+
+#ifdef __NR_pipe
+#define __SNR_pipe __NR_pipe
+#else
+#define __SNR_pipe __PNR_pipe
+#endif
+
+#define __SNR_pipe2 __NR_pipe2
+
+#define __SNR_pivot_root __NR_pivot_root
+
+#ifdef __NR_pkey_alloc
+#define __SNR_pkey_alloc __NR_pkey_alloc
+#else
+#define __SNR_pkey_alloc __PNR_pkey_alloc
+#endif
+
+#ifdef __NR_pkey_free
+#define __SNR_pkey_free __NR_pkey_free
+#else
+#define __SNR_pkey_free __PNR_pkey_free
+#endif
+
+#ifdef __NR_pkey_mprotect
+#define __SNR_pkey_mprotect __NR_pkey_mprotect
+#else
+#define __SNR_pkey_mprotect __PNR_pkey_mprotect
+#endif
+
+#ifdef __NR_poll
+#define __SNR_poll __NR_poll
+#else
+#define __SNR_poll __PNR_poll
+#endif
+
+#ifdef __NR_ppoll
+#define __SNR_ppoll __NR_ppoll
+#else
+#define __SNR_ppoll __PNR_ppoll
+#endif
+
+#ifdef __NR_ppoll_time64
+#define __SNR_ppoll_time64 __NR_ppoll_time64
+#else
+#define __SNR_ppoll_time64 __PNR_ppoll_time64
+#endif
+
+#define
__SNR_prctl __NR_prctl
+
+#define __SNR_pread64 __NR_pread64
+
+#define __SNR_preadv __NR_preadv
+
+#define __SNR_preadv2 __NR_preadv2
+
+#define __SNR_prlimit64 __NR_prlimit64
+
+#define __SNR_process_madvise __NR_process_madvise
+
+#define __SNR_process_mrelease __NR_process_mrelease
+
+#define __SNR_process_vm_readv __NR_process_vm_readv
+
+#define __SNR_process_vm_writev __NR_process_vm_writev
+
+#ifdef __NR_prof
+#define __SNR_prof __NR_prof
+#else
+#define __SNR_prof __PNR_prof
+#endif
+
+#ifdef __NR_profil
+#define __SNR_profil __NR_profil
+#else
+#define __SNR_profil __PNR_profil
+#endif
+
+#define __SNR_pselect6 __NR_pselect6
+
+#ifdef __NR_pselect6_time64
+#define __SNR_pselect6_time64 __NR_pselect6_time64
+#else
+#define __SNR_pselect6_time64 __PNR_pselect6_time64
+#endif
+
+#define __SNR_ptrace __NR_ptrace
+
+#ifdef __NR_putpmsg
+#define __SNR_putpmsg __NR_putpmsg
+#else
+#define __SNR_putpmsg __PNR_putpmsg
+#endif
+
+#define __SNR_pwrite64 __NR_pwrite64
+
+#define __SNR_pwritev __NR_pwritev
+
+#define __SNR_pwritev2 __NR_pwritev2
+
+#ifdef __NR_query_module
+#define __SNR_query_module __NR_query_module
+#else
+#define __SNR_query_module __PNR_query_module
+#endif
+
+#define __SNR_quotactl __NR_quotactl
+
+#define __SNR_quotactl_fd __NR_quotactl_fd
+
+#ifdef __NR_read
+#define __SNR_read __NR_read
+#else
+#define __SNR_read __PNR_read
+#endif
+
+#define __SNR_readahead __NR_readahead
+
+#ifdef __NR_readdir
+#define __SNR_readdir __NR_readdir
+#else
+#define __SNR_readdir __PNR_readdir
+#endif
+
+#ifdef __NR_readlink
+#define __SNR_readlink __NR_readlink
+#else
+#define __SNR_readlink __PNR_readlink
+#endif
+
+#define __SNR_readlinkat __NR_readlinkat
+
+#define __SNR_readv __NR_readv
+
+#define __SNR_reboot __NR_reboot
+
+#ifdef __NR_recv
+#define __SNR_recv __NR_recv
+#else
+#define __SNR_recv __PNR_recv
+#endif
+
+#ifdef __NR_recvfrom
+#define __SNR_recvfrom __NR_recvfrom
+#else
+#define __SNR_recvfrom __PNR_recvfrom
+#endif
+
+#ifdef __NR_recvmmsg
+#define __SNR_recvmmsg __NR_recvmmsg
+#else
+#define __SNR_recvmmsg __PNR_recvmmsg
+#endif
+
+#ifdef __NR_recvmmsg_time64
+#define __SNR_recvmmsg_time64 __NR_recvmmsg_time64
+#else
+#define __SNR_recvmmsg_time64 __PNR_recvmmsg_time64
+#endif
+
+#ifdef __NR_recvmsg
+#define __SNR_recvmsg __NR_recvmsg
+#else
+#define __SNR_recvmsg __PNR_recvmsg
+#endif
+
+#define __SNR_remap_file_pages __NR_remap_file_pages
+
+#define __SNR_removexattr __NR_removexattr
+
+#ifdef __NR_rename
+#define __SNR_rename __NR_rename
+#else
+#define __SNR_rename __PNR_rename
+#endif
+
+#ifdef __NR_renameat
+#define __SNR_renameat __NR_renameat
+#else
+#define __SNR_renameat __PNR_renameat
+#endif
+
+#define __SNR_renameat2 __NR_renameat2
+
+#define __SNR_request_key __NR_request_key
+
+#define __SNR_restart_syscall __NR_restart_syscall
+
+#ifdef __NR_riscv_flush_icache
+#define __SNR_riscv_flush_icache __NR_riscv_flush_icache
+#else
+#define __SNR_riscv_flush_icache __PNR_riscv_flush_icache
+#endif
+
+#ifdef __NR_rmdir
+#define __SNR_rmdir __NR_rmdir
+#else
+#define __SNR_rmdir __PNR_rmdir
+#endif
+
+#ifdef __NR_rseq
+#define __SNR_rseq __NR_rseq
+#else
+#define __SNR_rseq __PNR_rseq
+#endif
+
+#define __SNR_rt_sigaction __NR_rt_sigaction
+
+#define __SNR_rt_sigpending __NR_rt_sigpending
+
+#define __SNR_rt_sigprocmask __NR_rt_sigprocmask
+
+#define __SNR_rt_sigqueueinfo __NR_rt_sigqueueinfo
+
+#define __SNR_rt_sigreturn __NR_rt_sigreturn
+
+#define __SNR_rt_sigsuspend __NR_rt_sigsuspend
+
+#define __SNR_rt_sigtimedwait __NR_rt_sigtimedwait
+
+#ifdef __NR_rt_sigtimedwait_time64
+#define __SNR_rt_sigtimedwait_time64 __NR_rt_sigtimedwait_time64
+#else
+#define __SNR_rt_sigtimedwait_time64 __PNR_rt_sigtimedwait_time64
+#endif
+
+#define __SNR_rt_tgsigqueueinfo __NR_rt_tgsigqueueinfo
+
+#ifdef __NR_rtas
+#define __SNR_rtas __NR_rtas
+#else
+#define __SNR_rtas __PNR_rtas
+#endif
+
+#ifdef __NR_s390_guarded_storage
+#define __SNR_s390_guarded_storage __NR_s390_guarded_storage
+#else
+#define
__SNR_s390_guarded_storage __PNR_s390_guarded_storage
+#endif
+
+#ifdef __NR_s390_pci_mmio_read
+#define __SNR_s390_pci_mmio_read __NR_s390_pci_mmio_read
+#else
+#define __SNR_s390_pci_mmio_read __PNR_s390_pci_mmio_read
+#endif
+
+#ifdef __NR_s390_pci_mmio_write
+#define __SNR_s390_pci_mmio_write __NR_s390_pci_mmio_write
+#else
+#define __SNR_s390_pci_mmio_write __PNR_s390_pci_mmio_write
+#endif
+
+#ifdef __NR_s390_runtime_instr
+#define __SNR_s390_runtime_instr __NR_s390_runtime_instr
+#else
+#define __SNR_s390_runtime_instr __PNR_s390_runtime_instr
+#endif
+
+#ifdef __NR_s390_sthyi
+#define __SNR_s390_sthyi __NR_s390_sthyi
+#else
+#define __SNR_s390_sthyi __PNR_s390_sthyi
+#endif
+
+#define __SNR_sched_get_priority_max __NR_sched_get_priority_max
+
+#define __SNR_sched_get_priority_min __NR_sched_get_priority_min
+
+#define __SNR_sched_getaffinity __NR_sched_getaffinity
+
+#define __SNR_sched_getattr __NR_sched_getattr
+
+#define __SNR_sched_getparam __NR_sched_getparam
+
+#define __SNR_sched_getscheduler __NR_sched_getscheduler
+
+#define __SNR_sched_rr_get_interval __NR_sched_rr_get_interval
+
+#ifdef __NR_sched_rr_get_interval_time64
+#define __SNR_sched_rr_get_interval_time64 __NR_sched_rr_get_interval_time64
+#else
+#define __SNR_sched_rr_get_interval_time64 __PNR_sched_rr_get_interval_time64
+#endif
+
+#define __SNR_sched_setaffinity __NR_sched_setaffinity
+
+#define __SNR_sched_setattr __NR_sched_setattr
+
+#define __SNR_sched_setparam __NR_sched_setparam
+
+#define __SNR_sched_setscheduler __NR_sched_setscheduler
+
+#define __SNR_sched_yield __NR_sched_yield
+
+#define __SNR_seccomp __NR_seccomp
+
+#ifdef __NR_security
+#define __SNR_security __NR_security
+#else
+#define __SNR_security __PNR_security
+#endif
+
+#ifdef __NR_select
+#define __SNR_select __NR_select
+#else
+#define __SNR_select __PNR_select
+#endif
+
+#ifdef __NR_semctl
+#define __SNR_semctl __NR_semctl
+#else
+#define __SNR_semctl __PNR_semctl
+#endif
+
+#ifdef __NR_semget
+#define
__SNR_semget __NR_semget
+#else
+#define __SNR_semget __PNR_semget
+#endif
+
+#ifdef __NR_semop
+#define __SNR_semop __NR_semop
+#else
+#define __SNR_semop __PNR_semop
+#endif
+
+#ifdef __NR_semtimedop
+#define __SNR_semtimedop __NR_semtimedop
+#else
+#define __SNR_semtimedop __PNR_semtimedop
+#endif
+
+#ifdef __NR_semtimedop_time64
+#define __SNR_semtimedop_time64 __NR_semtimedop_time64
+#else
+#define __SNR_semtimedop_time64 __PNR_semtimedop_time64
+#endif
+
+#ifdef __NR_send
+#define __SNR_send __NR_send
+#else
+#define __SNR_send __PNR_send
+#endif
+
+#ifdef __NR_sendfile
+#define __SNR_sendfile __NR_sendfile
+#else
+#define __SNR_sendfile __PNR_sendfile
+#endif
+
+#ifdef __NR_sendfile64
+#define __SNR_sendfile64 __NR_sendfile64
+#else
+#define __SNR_sendfile64 __PNR_sendfile64
+#endif
+
+#ifdef __NR_sendmmsg
+#define __SNR_sendmmsg __NR_sendmmsg
+#else
+#define __SNR_sendmmsg __PNR_sendmmsg
+#endif
+
+#ifdef __NR_sendmsg
+#define __SNR_sendmsg __NR_sendmsg
+#else
+#define __SNR_sendmsg __PNR_sendmsg
+#endif
+
+#ifdef __NR_sendto
+#define __SNR_sendto __NR_sendto
+#else
+#define __SNR_sendto __PNR_sendto
+#endif
+
+#ifdef __NR_set_mempolicy
+#define __SNR_set_mempolicy __NR_set_mempolicy
+#else
+#define __SNR_set_mempolicy __PNR_set_mempolicy
+#endif
+
+#define __SNR_set_mempolicy_home_node __NR_set_mempolicy_home_node
+
+#define __SNR_set_robust_list __NR_set_robust_list
+
+#ifdef __NR_set_thread_area
+#define __SNR_set_thread_area __NR_set_thread_area
+#else
+#define __SNR_set_thread_area __PNR_set_thread_area
+#endif
+
+#define __SNR_set_tid_address __NR_set_tid_address
+
+#ifdef __NR_set_tls
+#ifdef __ARM_NR_set_tls
+#define __SNR_set_tls __ARM_NR_set_tls
+#else
+#define __SNR_set_tls __NR_set_tls
+#endif
+#else
+#define __SNR_set_tls __PNR_set_tls
+#endif
+
+#define __SNR_setdomainname __NR_setdomainname
+
+#ifdef __NR_setfsgid
+#define __SNR_setfsgid __NR_setfsgid
+#else
+#define __SNR_setfsgid __PNR_setfsgid
+#endif
+
+#ifdef __NR_setfsgid32
+#define
__SNR_setfsgid32 __NR_setfsgid32
+#else
+#define __SNR_setfsgid32 __PNR_setfsgid32
+#endif
+
+#ifdef __NR_setfsuid
+#define __SNR_setfsuid __NR_setfsuid
+#else
+#define __SNR_setfsuid __PNR_setfsuid
+#endif
+
+#ifdef __NR_setfsuid32
+#define __SNR_setfsuid32 __NR_setfsuid32
+#else
+#define __SNR_setfsuid32 __PNR_setfsuid32
+#endif
+
+#ifdef __NR_setgid
+#define __SNR_setgid __NR_setgid
+#else
+#define __SNR_setgid __PNR_setgid
+#endif
+
+#ifdef __NR_setgid32
+#define __SNR_setgid32 __NR_setgid32
+#else
+#define __SNR_setgid32 __PNR_setgid32
+#endif
+
+#ifdef __NR_setgroups
+#define __SNR_setgroups __NR_setgroups
+#else
+#define __SNR_setgroups __PNR_setgroups
+#endif
+
+#ifdef __NR_setgroups32
+#define __SNR_setgroups32 __NR_setgroups32
+#else
+#define __SNR_setgroups32 __PNR_setgroups32
+#endif
+
+#define __SNR_sethostname __NR_sethostname
+
+#define __SNR_setitimer __NR_setitimer
+
+#define __SNR_setns __NR_setns
+
+#define __SNR_setpgid __NR_setpgid
+
+#define __SNR_setpriority __NR_setpriority
+
+#ifdef __NR_setregid
+#define __SNR_setregid __NR_setregid
+#else
+#define __SNR_setregid __PNR_setregid
+#endif
+
+#ifdef __NR_setregid32
+#define __SNR_setregid32 __NR_setregid32
+#else
+#define __SNR_setregid32 __PNR_setregid32
+#endif
+
+#ifdef __NR_setresgid
+#define __SNR_setresgid __NR_setresgid
+#else
+#define __SNR_setresgid __PNR_setresgid
+#endif
+
+#ifdef __NR_setresgid32
+#define __SNR_setresgid32 __NR_setresgid32
+#else
+#define __SNR_setresgid32 __PNR_setresgid32
+#endif
+
+#ifdef __NR_setresuid
+#define __SNR_setresuid __NR_setresuid
+#else
+#define __SNR_setresuid __PNR_setresuid
+#endif
+
+#ifdef __NR_setresuid32
+#define __SNR_setresuid32 __NR_setresuid32
+#else
+#define __SNR_setresuid32 __PNR_setresuid32
+#endif
+
+#ifdef __NR_setreuid
+#define __SNR_setreuid __NR_setreuid
+#else
+#define __SNR_setreuid __PNR_setreuid
+#endif
+
+#ifdef __NR_setreuid32
+#define __SNR_setreuid32 __NR_setreuid32
+#else
+#define __SNR_setreuid32 __PNR_setreuid32
+#endif
+
+#ifdef __NR_setrlimit
+#define __SNR_setrlimit __NR_setrlimit
+#else
+#define __SNR_setrlimit __PNR_setrlimit
+#endif
+
+#define __SNR_setsid __NR_setsid
+
+#ifdef __NR_setsockopt
+#define __SNR_setsockopt __NR_setsockopt
+#else
+#define __SNR_setsockopt __PNR_setsockopt
+#endif
+
+#define __SNR_settimeofday __NR_settimeofday
+
+#ifdef __NR_setuid
+#define __SNR_setuid __NR_setuid
+#else
+#define __SNR_setuid __PNR_setuid
+#endif
+
+#ifdef __NR_setuid32
+#define __SNR_setuid32 __NR_setuid32
+#else
+#define __SNR_setuid32 __PNR_setuid32
+#endif
+
+#define __SNR_setxattr __NR_setxattr
+
+#ifdef __NR_sgetmask
+#define __SNR_sgetmask __NR_sgetmask
+#else
+#define __SNR_sgetmask __PNR_sgetmask
+#endif
+
+#ifdef __NR_shmat
+#define __SNR_shmat __NR_shmat
+#else
+#define __SNR_shmat __PNR_shmat
+#endif
+
+#ifdef __NR_shmctl
+#define __SNR_shmctl __NR_shmctl
+#else
+#define __SNR_shmctl __PNR_shmctl
+#endif
+
+#ifdef __NR_shmdt
+#define __SNR_shmdt __NR_shmdt
+#else
+#define __SNR_shmdt __PNR_shmdt
+#endif
+
+#ifdef __NR_shmget
+#define __SNR_shmget __NR_shmget
+#else
+#define __SNR_shmget __PNR_shmget
+#endif
+
+#ifdef __NR_shutdown
+#define __SNR_shutdown __NR_shutdown
+#else
+#define __SNR_shutdown __PNR_shutdown
+#endif
+
+#ifdef __NR_sigaction
+#define __SNR_sigaction __NR_sigaction
+#else
+#define __SNR_sigaction __PNR_sigaction
+#endif
+
+#define __SNR_sigaltstack __NR_sigaltstack
+
+#ifdef __NR_signal
+#define __SNR_signal __NR_signal
+#else
+#define __SNR_signal __PNR_signal
+#endif
+
+#ifdef __NR_signalfd
+#define __SNR_signalfd __NR_signalfd
+#else
+#define __SNR_signalfd __PNR_signalfd
+#endif
+
+#define __SNR_signalfd4 __NR_signalfd4
+
+#ifdef __NR_sigpending
+#define __SNR_sigpending __NR_sigpending
+#else
+#define __SNR_sigpending __PNR_sigpending
+#endif
+
+#ifdef __NR_sigprocmask
+#define __SNR_sigprocmask __NR_sigprocmask
+#else
+#define __SNR_sigprocmask __PNR_sigprocmask
+#endif
+
+#ifdef __NR_sigreturn
+#define __SNR_sigreturn __NR_sigreturn
+#else
+#define __SNR_sigreturn __PNR_sigreturn
+#endif
+
+#ifdef __NR_sigsuspend
+#define __SNR_sigsuspend __NR_sigsuspend
+#else
+#define __SNR_sigsuspend __PNR_sigsuspend
+#endif
+
+#ifdef __NR_socket
+#define __SNR_socket __NR_socket
+#else
+#define __SNR_socket __PNR_socket
+#endif
+
+#ifdef __NR_socketcall
+#define __SNR_socketcall __NR_socketcall
+#else
+#define __SNR_socketcall __PNR_socketcall
+#endif
+
+#ifdef __NR_socketpair
+#define __SNR_socketpair __NR_socketpair
+#else
+#define __SNR_socketpair __PNR_socketpair
+#endif
+
+#define __SNR_splice __NR_splice
+
+#ifdef __NR_spu_create
+#define __SNR_spu_create __NR_spu_create
+#else
+#define __SNR_spu_create __PNR_spu_create
+#endif
+
+#ifdef __NR_spu_run
+#define __SNR_spu_run __NR_spu_run
+#else
+#define __SNR_spu_run __PNR_spu_run
+#endif
+
+#ifdef __NR_ssetmask
+#define __SNR_ssetmask __NR_ssetmask
+#else
+#define __SNR_ssetmask __PNR_ssetmask
+#endif
+
+#ifdef __NR_stat
+#define __SNR_stat __NR_stat
+#else
+#define __SNR_stat __PNR_stat
+#endif
+
+#ifdef __NR_stat64
+#define __SNR_stat64 __NR_stat64
+#else
+#define __SNR_stat64 __PNR_stat64
+#endif
+
+#ifdef __NR_statfs
+#define __SNR_statfs __NR_statfs
+#else
+#define __SNR_statfs __PNR_statfs
+#endif
+
+#ifdef __NR_statfs64
+#define __SNR_statfs64 __NR_statfs64
+#else
+#define __SNR_statfs64 __PNR_statfs64
+#endif
+
+#ifdef __NR_statx
+#define __SNR_statx __NR_statx
+#else
+#define __SNR_statx __PNR_statx
+#endif
+
+#ifdef __NR_stime
+#define __SNR_stime __NR_stime
+#else
+#define __SNR_stime __PNR_stime
+#endif
+
+#ifdef __NR_stty
+#define __SNR_stty __NR_stty
+#else
+#define __SNR_stty __PNR_stty
+#endif
+
+#ifdef __NR_subpage_prot
+#define __SNR_subpage_prot __NR_subpage_prot
+#else
+#define __SNR_subpage_prot __PNR_subpage_prot
+#endif
+
+#ifdef __NR_swapcontext
+#define __SNR_swapcontext __NR_swapcontext
+#else
+#define __SNR_swapcontext __PNR_swapcontext
+#endif
+
+#define __SNR_swapoff __NR_swapoff
+
+#define __SNR_swapon __NR_swapon
+
+#ifdef __NR_switch_endian
+#define __SNR_switch_endian __NR_switch_endian
+#else
+#define __SNR_switch_endian __PNR_switch_endian
+#endif
+
+#ifdef __NR_symlink
+#define __SNR_symlink __NR_symlink
+#else
+#define __SNR_symlink __PNR_symlink
+#endif
+
+#define __SNR_symlinkat __NR_symlinkat
+
+#ifdef __NR_sync
+#define __SNR_sync __NR_sync
+#else
+#define __SNR_sync __PNR_sync
+#endif
+
+#ifdef __NR_sync_file_range
+#define __SNR_sync_file_range __NR_sync_file_range
+#else
+#define __SNR_sync_file_range __PNR_sync_file_range
+#endif
+
+#ifdef __NR_sync_file_range2
+#define __SNR_sync_file_range2 __NR_sync_file_range2
+#else
+#define __SNR_sync_file_range2 __PNR_sync_file_range2
+#endif
+
+#define __SNR_syncfs __NR_syncfs
+
+#ifdef __NR_syscall
+#define __SNR_syscall __NR_syscall
+#else
+#define __SNR_syscall __PNR_syscall
+#endif
+
+#ifdef __NR_sys_debug_setcontext
+#define __SNR_sys_debug_setcontext __NR_sys_debug_setcontext
+#else
+#define __SNR_sys_debug_setcontext __PNR_sys_debug_setcontext
+#endif
+
+#ifdef __NR_sysfs
+#define __SNR_sysfs __NR_sysfs
+#else
+#define __SNR_sysfs __PNR_sysfs
+#endif
+
+#define __SNR_sysinfo __NR_sysinfo
+
+#define __SNR_syslog __NR_syslog
+
+#ifdef __NR_sysmips
+#define __SNR_sysmips __NR_sysmips
+#else
+#define __SNR_sysmips __PNR_sysmips
+#endif
+
+#define __SNR_tee __NR_tee
+
+#define __SNR_tgkill __NR_tgkill
+
+#ifdef __NR_time
+#define __SNR_time __NR_time
+#else
+#define __SNR_time __PNR_time
+#endif
+
+#define __SNR_timer_create __NR_timer_create
+
+#define __SNR_timer_delete __NR_timer_delete
+
+#define __SNR_timer_getoverrun __NR_timer_getoverrun
+
+#define __SNR_timer_gettime __NR_timer_gettime
+
+#ifdef __NR_timer_gettime64
+#define __SNR_timer_gettime64 __NR_timer_gettime64
+#else
+#define __SNR_timer_gettime64 __PNR_timer_gettime64
+#endif
+
+#define __SNR_timer_settime __NR_timer_settime
+
+#ifdef __NR_timer_settime64
+#define __SNR_timer_settime64 __NR_timer_settime64
+#else
+#define __SNR_timer_settime64
__PNR_timer_settime64
+#endif
+
+#ifdef __NR_timerfd
+#define __SNR_timerfd __NR_timerfd
+#else
+#define __SNR_timerfd __PNR_timerfd
+#endif
+
+#define __SNR_timerfd_create __NR_timerfd_create
+
+#define __SNR_timerfd_gettime __NR_timerfd_gettime
+
+#ifdef __NR_timerfd_gettime64
+#define __SNR_timerfd_gettime64 __NR_timerfd_gettime64
+#else
+#define __SNR_timerfd_gettime64 __PNR_timerfd_gettime64
+#endif
+
+#define __SNR_timerfd_settime __NR_timerfd_settime
+
+#ifdef __NR_timerfd_settime64
+#define __SNR_timerfd_settime64 __NR_timerfd_settime64
+#else
+#define __SNR_timerfd_settime64 __PNR_timerfd_settime64
+#endif
+
+#define __SNR_times __NR_times
+
+#define __SNR_tkill __NR_tkill
+
+#ifdef __NR_truncate
+#define __SNR_truncate __NR_truncate
+#else
+#define __SNR_truncate __PNR_truncate
+#endif
+
+#ifdef __NR_truncate64
+#define __SNR_truncate64 __NR_truncate64
+#else
+#define __SNR_truncate64 __PNR_truncate64
+#endif
+
+#ifdef __NR_tuxcall
+#define __SNR_tuxcall __NR_tuxcall
+#else
+#define __SNR_tuxcall __PNR_tuxcall
+#endif
+
+#ifdef __NR_ugetrlimit
+#define __SNR_ugetrlimit __NR_ugetrlimit
+#else
+#define __SNR_ugetrlimit __PNR_ugetrlimit
+#endif
+
+#ifdef __NR_ulimit
+#define __SNR_ulimit __NR_ulimit
+#else
+#define __SNR_ulimit __PNR_ulimit
+#endif
+
+#define __SNR_umask __NR_umask
+
+#ifdef __NR_umount
+#define __SNR_umount __NR_umount
+#else
+#define __SNR_umount __PNR_umount
+#endif
+
+#define __SNR_umount2 __NR_umount2
+
+#define __SNR_uname __NR_uname
+
+#ifdef __NR_unlink
+#define __SNR_unlink __NR_unlink
+#else
+#define __SNR_unlink __PNR_unlink
+#endif
+
+#define __SNR_unlinkat __NR_unlinkat
+
+#define __SNR_unshare __NR_unshare
+
+#ifdef __NR_uselib
+#define __SNR_uselib __NR_uselib
+#else
+#define __SNR_uselib __PNR_uselib
+#endif
+
+#ifdef __NR_userfaultfd
+#define __SNR_userfaultfd __NR_userfaultfd
+#else
+#define __SNR_userfaultfd __PNR_userfaultfd
+#endif
+
+#ifdef __NR_usr26
+#ifdef __ARM_NR_usr26
+#define __SNR_usr26 __NR_usr26
+#else
+#define __SNR_usr26 __NR_usr26
+#endif
+#else
+#define __SNR_usr26 __PNR_usr26
+#endif
+
+#ifdef __NR_usr32
+#ifdef __ARM_NR_usr32
+#define __SNR_usr32 __NR_usr32
+#else
+#define __SNR_usr32 __NR_usr32
+#endif
+#else
+#define __SNR_usr32 __PNR_usr32
+#endif
+
+#ifdef __NR_ustat
+#define __SNR_ustat __NR_ustat
+#else
+#define __SNR_ustat __PNR_ustat
+#endif
+
+#ifdef __NR_utime
+#define __SNR_utime __NR_utime
+#else
+#define __SNR_utime __PNR_utime
+#endif
+
+#define __SNR_utimensat __NR_utimensat
+
+#ifdef __NR_utimensat_time64
+#define __SNR_utimensat_time64 __NR_utimensat_time64
+#else
+#define __SNR_utimensat_time64 __PNR_utimensat_time64
+#endif
+
+#ifdef __NR_utimes
+#define __SNR_utimes __NR_utimes
+#else
+#define __SNR_utimes __PNR_utimes
+#endif
+
+#ifdef __NR_vfork
+#define __SNR_vfork __NR_vfork
+#else
+#define __SNR_vfork __PNR_vfork
+#endif
+
+#define __SNR_vhangup __NR_vhangup
+
+#ifdef __NR_vm86
+#define __SNR_vm86 __NR_vm86
+#else
+#define __SNR_vm86 __PNR_vm86
+#endif
+
+#ifdef __NR_vm86old
+#define __SNR_vm86old __NR_vm86old
+#else
+#define __SNR_vm86old __PNR_vm86old
+#endif
+
+#define __SNR_vmsplice __NR_vmsplice
+
+#ifdef __NR_vserver
+#define __SNR_vserver __NR_vserver
+#else
+#define __SNR_vserver __PNR_vserver
+#endif
+
+#define __SNR_wait4 __NR_wait4
+
+#define __SNR_waitid __NR_waitid
+
+#ifdef __NR_waitpid
+#define __SNR_waitpid __NR_waitpid
+#else
+#define __SNR_waitpid __PNR_waitpid
+#endif
+
+#define __SNR_write __NR_write
+
+#define __SNR_writev __NR_writev
diff --git a/include/seccomp.h b/include/seccomp.h
new file mode 100644
index 0000000..d407a51
--- /dev/null
+++ b/include/seccomp.h
@@ -0,0 +1,827 @@
+/**
+ * Seccomp Library
+ *
+ * Copyright (c) 2019 Cisco Systems <pmoore2@cisco.com>
+ * Copyright (c) 2012,2013 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#ifndef _SECCOMP_H
+#define _SECCOMP_H
+
+#include <elf.h>
+#include <inttypes.h>
+#include <asm/unistd.h>
+#include <linux/audit.h>
+#include <linux/types.h>
+#include <linux/seccomp.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * version information
+ */
+
+#define SCMP_VER_MAJOR 2
+#define SCMP_VER_MINOR 5
+#define SCMP_VER_MICRO 5
+
+struct scmp_version {
+ unsigned int major;
+ unsigned int minor;
+ unsigned int micro;
+};
+
+/*
+ * types
+ */
+
+/**
+ * Filter context/handle
+ */
+typedef void *scmp_filter_ctx;
+
+/**
+ * Filter attributes
+ */
+enum scmp_filter_attr {
+ _SCMP_FLTATR_MIN = 0,
+ SCMP_FLTATR_ACT_DEFAULT = 1, /**< default filter action */
+ SCMP_FLTATR_ACT_BADARCH = 2, /**< bad architecture action */
+ SCMP_FLTATR_CTL_NNP = 3, /**< set NO_NEW_PRIVS on filter load */
+ SCMP_FLTATR_CTL_TSYNC = 4, /**< sync threads on filter load */
+ SCMP_FLTATR_API_TSKIP = 5, /**< allow rules with a -1 syscall */
+ SCMP_FLTATR_CTL_LOG = 6, /**< log not-allowed actions */
+ SCMP_FLTATR_CTL_SSB = 7, /**< disable SSB mitigation */
+ SCMP_FLTATR_CTL_OPTIMIZE = 8, /**< filter optimization level:
+ * 0 - currently unused
+ * 1 - rules
weighted by priority and
+ * complexity (DEFAULT)
+ * 2 - binary tree sorted by syscall
+ * number
+ */
+ SCMP_FLTATR_API_SYSRAWRC = 9, /**< return the system return codes */
+ _SCMP_FLTATR_MAX,
+};
+
+/**
+ * Comparison operators
+ */
+enum scmp_compare {
+ _SCMP_CMP_MIN = 0,
+ SCMP_CMP_NE = 1, /**< not equal */
+ SCMP_CMP_LT = 2, /**< less than */
+ SCMP_CMP_LE = 3, /**< less than or equal */
+ SCMP_CMP_EQ = 4, /**< equal */
+ SCMP_CMP_GE = 5, /**< greater than or equal */
+ SCMP_CMP_GT = 6, /**< greater than */
+ SCMP_CMP_MASKED_EQ = 7, /**< masked equality */
+ _SCMP_CMP_MAX,
+};
+
+/**
+ * Argument datum
+ */
+typedef uint64_t scmp_datum_t;
+
+/**
+ * Argument / Value comparison definition
+ */
+struct scmp_arg_cmp {
+ unsigned int arg; /**< argument number, starting at 0 */
+ enum scmp_compare op; /**< the comparison op, e.g. SCMP_CMP_* */
+ scmp_datum_t datum_a;
+ scmp_datum_t datum_b;
+};
+
+/*
+ * macros/defines
+ */
+
+/**
+ * The native architecture token
+ */
+#define SCMP_ARCH_NATIVE 0
+
+/**
+ * The x86 (32-bit) architecture token
+ */
+#define SCMP_ARCH_X86 AUDIT_ARCH_I386
+
+/**
+ * The x86-64 (64-bit) architecture token
+ */
+#define SCMP_ARCH_X86_64 AUDIT_ARCH_X86_64
+
+/**
+ * The x32 (32-bit x86_64) architecture token
+ *
+ * NOTE: this is different from the value used by the kernel because we need to
+ * be able to distinguish between x32 and x86_64
+ */
+#define SCMP_ARCH_X32 (EM_X86_64|__AUDIT_ARCH_LE)
+
+/**
+ * The ARM architecture tokens
+ */
+#define SCMP_ARCH_ARM AUDIT_ARCH_ARM
+/* AArch64 support for audit was merged in 3.17-rc1 */
+#ifndef AUDIT_ARCH_AARCH64
+#ifndef EM_AARCH64
+#define EM_AARCH64 183
+#endif /* EM_AARCH64 */
+#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#endif /* AUDIT_ARCH_AARCH64 */
+#define SCMP_ARCH_AARCH64 AUDIT_ARCH_AARCH64
+
+/**
+ * The MIPS architecture tokens
+ */
+#ifndef __AUDIT_ARCH_CONVENTION_MIPS64_N32
+#define __AUDIT_ARCH_CONVENTION_MIPS64_N32 0x20000000
+#endif
+#ifndef
EM_MIPS
+#define EM_MIPS 8
+#endif
+#ifndef AUDIT_ARCH_MIPS
+#define AUDIT_ARCH_MIPS (EM_MIPS)
+#endif
+#ifndef AUDIT_ARCH_MIPS64
+#define AUDIT_ARCH_MIPS64 (EM_MIPS|__AUDIT_ARCH_64BIT)
+#endif
+/* MIPS64N32 support was merged in 3.15 */
+#ifndef AUDIT_ARCH_MIPS64N32
+#define AUDIT_ARCH_MIPS64N32 (EM_MIPS|__AUDIT_ARCH_64BIT|\
+ __AUDIT_ARCH_CONVENTION_MIPS64_N32)
+#endif
+/* MIPSEL64N32 support was merged in 3.15 */
+#ifndef AUDIT_ARCH_MIPSEL64N32
+#define AUDIT_ARCH_MIPSEL64N32 (EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE|\
+ __AUDIT_ARCH_CONVENTION_MIPS64_N32)
+#endif
+#define SCMP_ARCH_MIPS AUDIT_ARCH_MIPS
+#define SCMP_ARCH_MIPS64 AUDIT_ARCH_MIPS64
+#define SCMP_ARCH_MIPS64N32 AUDIT_ARCH_MIPS64N32
+#define SCMP_ARCH_MIPSEL AUDIT_ARCH_MIPSEL
+#define SCMP_ARCH_MIPSEL64 AUDIT_ARCH_MIPSEL64
+#define SCMP_ARCH_MIPSEL64N32 AUDIT_ARCH_MIPSEL64N32
+
+/**
+ * The PowerPC architecture tokens
+ */
+#define SCMP_ARCH_PPC AUDIT_ARCH_PPC
+#define SCMP_ARCH_PPC64 AUDIT_ARCH_PPC64
+#ifndef AUDIT_ARCH_PPC64LE
+#define AUDIT_ARCH_PPC64LE (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#endif
+#define SCMP_ARCH_PPC64LE AUDIT_ARCH_PPC64LE
+
+/**
+ * The S390 architecture tokens
+ */
+#define SCMP_ARCH_S390 AUDIT_ARCH_S390
+#define SCMP_ARCH_S390X AUDIT_ARCH_S390X
+
+/**
+ * The PA-RISC hppa architecture tokens
+ */
+#define SCMP_ARCH_PARISC AUDIT_ARCH_PARISC
+#define SCMP_ARCH_PARISC64 AUDIT_ARCH_PARISC64
+
+/**
+ * The RISC-V architecture tokens
+ */
+/* RISC-V support for audit was merged in 5.0-rc1 */
+#ifndef AUDIT_ARCH_RISCV64
+#ifndef EM_RISCV
+#define EM_RISCV 243
+#endif /* EM_RISCV */
+#define AUDIT_ARCH_RISCV64 (EM_RISCV|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#endif /* AUDIT_ARCH_RISCV64 */
+#define SCMP_ARCH_RISCV64 AUDIT_ARCH_RISCV64
+
+/**
+ * Convert a syscall name into the associated syscall number
+ * @param x the syscall name
+ */
+#define SCMP_SYS(x) (__SNR_##x)
+
+/* Helpers for the argument comparison macros, DO NOT USE directly */
+#define _SCMP_VA_NUM_ARGS(...)
_SCMP_VA_NUM_ARGS_IMPL(__VA_ARGS__,2,1)
+#define _SCMP_VA_NUM_ARGS_IMPL(_1,_2,N,...) N
+#define _SCMP_MACRO_DISPATCHER(func, ...) \
+ _SCMP_MACRO_DISPATCHER_IMPL1(func, _SCMP_VA_NUM_ARGS(__VA_ARGS__))
+#define _SCMP_MACRO_DISPATCHER_IMPL1(func, nargs) \
+ _SCMP_MACRO_DISPATCHER_IMPL2(func, nargs)
+#define _SCMP_MACRO_DISPATCHER_IMPL2(func, nargs) \
+ func ## nargs
+#define _SCMP_CMP32_1(x, y, z) \
+ SCMP_CMP64(x, y, (uint32_t)(z))
+#define _SCMP_CMP32_2(x, y, z, q) \
+ SCMP_CMP64(x, y, (uint32_t)(z), (uint32_t)(q))
+
+/**
+ * Specify a 64-bit argument comparison struct for use in declaring rules
+ * @param arg the argument number, starting at 0
+ * @param op the comparison operator, e.g. SCMP_CMP_*
+ * @param datum_a dependent on comparison
+ * @param datum_b dependent on comparison, optional
+ */
+#define SCMP_CMP64(...) ((struct scmp_arg_cmp){__VA_ARGS__})
+#define SCMP_CMP SCMP_CMP64
+
+/**
+ * Specify a 32-bit argument comparison struct for use in declaring rules
+ * @param arg the argument number, starting at 0
+ * @param op the comparison operator, e.g. SCMP_CMP_*
+ * @param datum_a dependent on comparison (32-bits)
+ * @param datum_b dependent on comparison, optional (32-bits)
+ */
+#define SCMP_CMP32(x, y, ...) \
+ _SCMP_MACRO_DISPATCHER(_SCMP_CMP32_, __VA_ARGS__)(x, y, __VA_ARGS__)
+
+/**
+ * Specify a 64-bit argument comparison struct for argument 0
+ */
+#define SCMP_A0_64(...) SCMP_CMP64(0, __VA_ARGS__)
+#define SCMP_A0 SCMP_A0_64
+
+/**
+ * Specify a 32-bit argument comparison struct for argument 0
+ */
+#define SCMP_A0_32(x, ...) SCMP_CMP32(0, x, __VA_ARGS__)
+
+/**
+ * Specify a 64-bit argument comparison struct for argument 1
+ */
+#define SCMP_A1_64(...) SCMP_CMP64(1, __VA_ARGS__)
+#define SCMP_A1 SCMP_A1_64
+
+/**
+ * Specify a 32-bit argument comparison struct for argument 1
+ */
+#define SCMP_A1_32(x, ...) SCMP_CMP32(1, x, __VA_ARGS__)
+
+/**
+ * Specify a 64-bit argument comparison struct for argument 2
+ */
+#define SCMP_A2_64(...)
SCMP_CMP64(2, __VA_ARGS__)
+#define SCMP_A2 SCMP_A2_64
+
+/**
+ * Specify a 32-bit argument comparison struct for argument 2
+ */
+#define SCMP_A2_32(x, ...) SCMP_CMP32(2, x, __VA_ARGS__)
+
+/**
+ * Specify a 64-bit argument comparison struct for argument 3
+ */
+#define SCMP_A3_64(...) SCMP_CMP64(3, __VA_ARGS__)
+#define SCMP_A3 SCMP_A3_64
+
+/**
+ * Specify a 32-bit argument comparison struct for argument 3
+ */
+#define SCMP_A3_32(x, ...) SCMP_CMP32(3, x, __VA_ARGS__)
+
+/**
+ * Specify a 64-bit argument comparison struct for argument 4
+ */
+#define SCMP_A4_64(...) SCMP_CMP64(4, __VA_ARGS__)
+#define SCMP_A4 SCMP_A4_64
+
+/**
+ * Specify a 32-bit argument comparison struct for argument 4
+ */
+#define SCMP_A4_32(x, ...) SCMP_CMP32(4, x, __VA_ARGS__)
+
+/**
+ * Specify a 64-bit argument comparison struct for argument 5
+ */
+#define SCMP_A5_64(...) SCMP_CMP64(5, __VA_ARGS__)
+#define SCMP_A5 SCMP_A5_64
+
+/**
+ * Specify a 32-bit argument comparison struct for argument 5
+ */
+#define SCMP_A5_32(x, ...) SCMP_CMP32(5, x, __VA_ARGS__)
+
+/*
+ * seccomp actions
+ */
+
+/**
+ * Kill the process
+ */
+#define SCMP_ACT_KILL_PROCESS 0x80000000U
+/**
+ * Kill the thread
+ */
+#define SCMP_ACT_KILL_THREAD 0x00000000U
+/**
+ * Kill the thread, defined for backward compatibility
+ */
+#define SCMP_ACT_KILL SCMP_ACT_KILL_THREAD
+/**
+ * Throw a SIGSYS signal
+ */
+#define SCMP_ACT_TRAP 0x00030000U
+/**
+ * Notifies userspace
+ */
+#define SCMP_ACT_NOTIFY 0x7fc00000U
+/**
+ * Return the specified error code
+ */
+#define SCMP_ACT_ERRNO(x) (0x00050000U | ((x) & 0x0000ffffU))
+/**
+ * Notify a tracing process with the specified value
+ */
+#define SCMP_ACT_TRACE(x) (0x7ff00000U | ((x) & 0x0000ffffU))
+/**
+ * Allow the syscall to be executed after the action has been logged
+ */
+#define SCMP_ACT_LOG 0x7ffc0000U
+/**
+ * Allow the syscall to be executed
+ */
+#define SCMP_ACT_ALLOW 0x7fff0000U
+
+/* SECCOMP_RET_USER_NOTIF was added in kernel v5.0.
*/
+#ifndef SECCOMP_RET_USER_NOTIF
+#define SECCOMP_RET_USER_NOTIF 0x7fc00000U
+
+struct seccomp_notif {
+ __u64 id;
+ __u32 pid;
+ __u32 flags;
+ struct seccomp_data data;
+};
+
+struct seccomp_notif_resp {
+ __u64 id;
+ __s64 val;
+ __s32 error;
+ __u32 flags;
+};
+#endif
+
+/*
+ * functions
+ */
+
+/**
+ * Query the library version information
+ *
+ * This function returns a pointer to a populated scmp_version struct, the
+ * caller does not need to free the structure when finished.
+ *
+ */
+const struct scmp_version *seccomp_version(void);
+
+/**
+ * Query the library's level of API support
+ *
+ * This function returns an API level value indicating the current supported
+ * functionality. It is important to note that this level of support is
+ * determined at runtime and therefore can change based on the running kernel
+ * and system configuration (e.g. any previously loaded seccomp filters). This
+ * function can be called multiple times, but it only queries the system the
+ * first time it is called, the API level is cached and used in subsequent
+ * calls.
+ *
+ * The current API levels are described below:
+ * 0 : reserved
+ * 1 : base level
+ * 2 : support for the SCMP_FLTATR_CTL_TSYNC filter attribute
+ * uses the seccomp(2) syscall instead of the prctl(2) syscall
+ * 3 : support for the SCMP_FLTATR_CTL_LOG filter attribute
+ * support for the SCMP_ACT_LOG action
+ * support for the SCMP_ACT_KILL_PROCESS action
+ * 4 : support for the SCMP_FLTATR_CTL_SSB filter attrbute
+ * 5 : support for the SCMP_ACT_NOTIFY action and notify APIs
+ * 6 : support the simultaneous use of SCMP_FLTATR_CTL_TSYNC and notify APIs
+ *
+ */
+unsigned int seccomp_api_get(void);
+
+/**
+ * Set the library's level of API support
+ *
+ * This function forcibly sets the API level of the library at runtime. Valid
+ * API levels are discussed in the description of the seccomp_api_get()
+ * function. General use of this function is strongly discouraged.
+ *
+ */
+int seccomp_api_set(unsigned int level);
+
+/**
+ * Initialize the filter state
+ * @param def_action the default filter action
+ *
+ * This function initializes the internal seccomp filter state and should
+ * be called before any other functions in this library to ensure the filter
+ * state is initialized. Returns a filter context on success, NULL on failure.
+ *
+ */
+scmp_filter_ctx seccomp_init(uint32_t def_action);
+
+/**
+ * Reset the filter state
+ * @param ctx the filter context
+ * @param def_action the default filter action
+ *
+ * This function resets the given seccomp filter state and ensures the
+ * filter state is reinitialized. This function does not reset any seccomp
+ * filters already loaded into the kernel. Returns zero on success, negative
+ * values on failure.
+ *
+ */
+int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action);
+
+/**
+ * Destroys the filter state and releases any resources
+ * @param ctx the filter context
+ *
+ * This functions destroys the given seccomp filter state and releases any
+ * resources, including memory, associated with the filter state. This
+ * function does not reset any seccomp filters already loaded into the kernel.
+ * The filter context can no longer be used after calling this function.
+ *
+ */
+void seccomp_release(scmp_filter_ctx ctx);
+
+/**
+ * Merge two filters
+ * @param ctx_dst the destination filter context
+ * @param ctx_src the source filter context
+ *
+ * This function merges two filter contexts into a single filter context and
+ * destroys the second filter context. The two filter contexts must have the
+ * same attribute values and not contain any of the same architectures; if they
+ * do, the merge operation will fail. On success, the source filter context
+ * will be destroyed and should no longer be used; it is not necessary to
+ * call seccomp_release() on the source filter context. Returns zero on
+ * success, negative values on failure.
+ *
+ */
+int seccomp_merge(scmp_filter_ctx ctx_dst, scmp_filter_ctx ctx_src);
+
+/**
+ * Resolve the architecture name to a architecture token
+ * @param arch_name the architecture name
+ *
+ * This function resolves the given architecture name to a token suitable for
+ * use with libseccomp, returns zero on failure.
+ *
+ */
+uint32_t seccomp_arch_resolve_name(const char *arch_name);
+
+/**
+ * Return the native architecture token
+ *
+ * This function returns the native architecture token value, e.g. SCMP_ARCH_*.
+ *
+ */
+uint32_t seccomp_arch_native(void);
+
+/**
+ * Check to see if an existing architecture is present in the filter
+ * @param ctx the filter context
+ * @param arch_token the architecture token, e.g. SCMP_ARCH_*
+ *
+ * This function tests to see if a given architecture is included in the filter
+ * context. If the architecture token is SCMP_ARCH_NATIVE then the native
+ * architecture will be assumed. Returns zero if the architecture exists in
+ * the filter, -EEXIST if it is not present, and other negative values on
+ * failure.
+ *
+ */
+int seccomp_arch_exist(const scmp_filter_ctx ctx, uint32_t arch_token);
+
+/**
+ * Adds an architecture to the filter
+ * @param ctx the filter context
+ * @param arch_token the architecture token, e.g. SCMP_ARCH_*
+ *
+ * This function adds a new architecture to the given seccomp filter context.
+ * Any new rules added after this function successfully returns will be added
+ * to this architecture but existing rules will not be added to this
+ * architecture. If the architecture token is SCMP_ARCH_NATIVE then the native
+ * architecture will be assumed. Returns zero on success, -EEXIST if
+ * specified architecture is already present, other negative values on failure.
+ *
+ */
+int seccomp_arch_add(scmp_filter_ctx ctx, uint32_t arch_token);
+
+/**
+ * Removes an architecture from the filter
+ * @param ctx the filter context
+ * @param arch_token the architecture token, e.g.
SCMP_ARCH_*
+ *
+ * This function removes an architecture from the given seccomp filter context.
+ * If the architecture token is SCMP_ARCH_NATIVE then the native architecture
+ * will be assumed. Returns zero on success, negative values on failure.
+ *
+ */
+int seccomp_arch_remove(scmp_filter_ctx ctx, uint32_t arch_token);
+
+/**
+ * Loads the filter into the kernel
+ * @param ctx the filter context
+ *
+ * This function loads the given seccomp filter context into the kernel. If
+ * the filter was loaded correctly, the kernel will be enforcing the filter
+ * when this function returns. Returns zero on success, negative values on
+ * error.
+ *
+ */
+int seccomp_load(const scmp_filter_ctx ctx);
+
+/**
+ * Get the value of a filter attribute
+ * @param ctx the filter context
+ * @param attr the filter attribute name
+ * @param value the filter attribute value
+ *
+ * This function fetches the value of the given attribute name and returns it
+ * via @value. Returns zero on success, negative values on failure.
+ *
+ */
+int seccomp_attr_get(const scmp_filter_ctx ctx,
+ enum scmp_filter_attr attr, uint32_t *value);
+
+/**
+ * Set the value of a filter attribute
+ * @param ctx the filter context
+ * @param attr the filter attribute name
+ * @param value the filter attribute value
+ *
+ * This function sets the value of the given attribute. Returns zero on
+ * success, negative values on failure.
+ *
+ */
+int seccomp_attr_set(scmp_filter_ctx ctx,
+ enum scmp_filter_attr attr, uint32_t value);
+
+/**
+ * Resolve a syscall number to a name
+ * @param arch_token the architecture token, e.g. SCMP_ARCH_*
+ * @param num the syscall number
+ *
+ * Resolve the given syscall number to the syscall name for the given
+ * architecture; it is up to the caller to free the returned string. Returns
+ * the syscall name on success, NULL on failure.
+ *
+ */
+char *seccomp_syscall_resolve_num_arch(uint32_t arch_token, int num);
+
+/**
+ * Resolve a syscall name to a number
+ * @param arch_token the architecture token, e.g. SCMP_ARCH_*
+ * @param name the syscall name
+ *
+ * Resolve the given syscall name to the syscall number for the given
+ * architecture. Returns the syscall number on success, including negative
+ * pseudo syscall numbers (e.g. __PNR_*); returns __NR_SCMP_ERROR on failure.
+ *
+ */
+int seccomp_syscall_resolve_name_arch(uint32_t arch_token, const char *name);
+
+/**
+ * Resolve a syscall name to a number and perform any rewriting necessary
+ * @param arch_token the architecture token, e.g. SCMP_ARCH_*
+ * @param name the syscall name
+ *
+ * Resolve the given syscall name to the syscall number for the given
+ * architecture and do any necessary syscall rewriting needed by the
+ * architecture. Returns the syscall number on success, including negative
+ * pseudo syscall numbers (e.g. __PNR_*); returns __NR_SCMP_ERROR on failure.
+ *
+ */
+int seccomp_syscall_resolve_name_rewrite(uint32_t arch_token, const char *name);
+
+/**
+ * Resolve a syscall name to a number
+ * @param name the syscall name
+ *
+ * Resolve the given syscall name to the syscall number. Returns the syscall
+ * number on success, including negative pseudo syscall numbers (e.g. __PNR_*);
+ * returns __NR_SCMP_ERROR on failure.
+ *
+ */
+int seccomp_syscall_resolve_name(const char *name);
+
+/**
+ * Set the priority of a given syscall
+ * @param ctx the filter context
+ * @param syscall the syscall number
+ * @param priority priority value, higher value == higher priority
+ *
+ * This function sets the priority of the given syscall; this value is used
+ * when generating the seccomp filter code such that higher priority syscalls
+ * will incur less filter code overhead than the lower priority syscalls in the
+ * filter. Returns zero on success, negative values on failure.
+ *
+ */
+int seccomp_syscall_priority(scmp_filter_ctx ctx,
+ int syscall, uint8_t priority);
+
+/**
+ * Add a new rule to the filter
+ * @param ctx the filter context
+ * @param action the filter action
+ * @param syscall the syscall number
+ * @param arg_cnt the number of argument filters in the argument filter chain
+ * @param ... scmp_arg_cmp structs (use of SCMP_ARG_CMP() recommended)
+ *
+ * This function adds a series of new argument/value checks to the seccomp
+ * filter for the given syscall; multiple argument/value checks can be
+ * specified and they will be chained together (AND'd together) in the filter.
+ * If the specified rule needs to be adjusted due to architecture specifics it
+ * will be adjusted without notification. Returns zero on success, negative
+ * values on failure.
+ *
+ */
+int seccomp_rule_add(scmp_filter_ctx ctx,
+ uint32_t action, int syscall, unsigned int arg_cnt, ...);
+
+
+/**
+ * Add a new rule to the filter
+ * @param ctx the filter context
+ * @param action the filter action
+ * @param syscall the syscall number
+ * @param arg_cnt the number of elements in the arg_array parameter
+ * @param arg_array array of scmp_arg_cmp structs
+ *
+ * This function adds a series of new argument/value checks to the seccomp
+ * filter for the given syscall; multiple argument/value checks can be
+ * specified and they will be chained together (AND'd together) in the filter.
+ * If the specified rule needs to be adjusted due to architecture specifics it
+ * will be adjusted without notification. Returns zero on success, negative
+ * values on failure.
+ *
+ */
+int seccomp_rule_add_array(scmp_filter_ctx ctx,
+ uint32_t action, int syscall, unsigned int arg_cnt,
+ const struct scmp_arg_cmp *arg_array);
+
+/**
+ * Add a new rule to the filter
+ * @param ctx the filter context
+ * @param action the filter action
+ * @param syscall the syscall number
+ * @param arg_cnt the number of argument filters in the argument filter chain
+ * @param ...
scmp_arg_cmp structs (use of SCMP_ARG_CMP() recommended)
+ *
+ * This function adds a series of new argument/value checks to the seccomp
+ * filter for the given syscall; multiple argument/value checks can be
+ * specified and they will be chained together (AND'd together) in the filter.
+ * If the specified rule can not be represented on the architecture the
+ * function will fail. Returns zero on success, negative values on failure.
+ *
+ */
+int seccomp_rule_add_exact(scmp_filter_ctx ctx, uint32_t action,
+ int syscall, unsigned int arg_cnt, ...);
+
+/**
+ * Add a new rule to the filter
+ * @param ctx the filter context
+ * @param action the filter action
+ * @param syscall the syscall number
+ * @param arg_cnt the number of elements in the arg_array parameter
+ * @param arg_array array of scmp_arg_cmp structs
+ *
+ * This function adds a series of new argument/value checks to the seccomp
+ * filter for the given syscall; multiple argument/value checks can be
+ * specified and they will be chained together (AND'd together) in the filter.
+ * If the specified rule can not be represented on the architecture the
+ * function will fail. Returns zero on success, negative values on failure.
+ *
+ */
+int seccomp_rule_add_exact_array(scmp_filter_ctx ctx,
+ uint32_t action, int syscall,
+ unsigned int arg_cnt,
+ const struct scmp_arg_cmp *arg_array);
+
+/**
+ * Allocate a pair of notification request/response structures
+ * @param req the request location
+ * @param resp the response location
+ *
+ * This function allocates a pair of request/response structure by computing
+ * the correct sized based on the currently running kernel. It returns zero on
+ * success, and negative values on failure.
+ *
+ */
+int seccomp_notify_alloc(struct seccomp_notif **req,
+ struct seccomp_notif_resp **resp);
+
+/**
+ * Free a pair of notification request/response structures.
+ * @param req the request location
+ * @param resp the response location
+ */
+void seccomp_notify_free(struct seccomp_notif *req,
+ struct seccomp_notif_resp *resp);
+
+/**
+ * Receive a notification from a seccomp notification fd
+ * @param fd the notification fd
+ * @param req the request buffer to save into
+ *
+ * Blocks waiting for a notification on this fd. This function is thread safe
+ * (synchronization is performed in the kernel). Returns zero on success,
+ * negative values on error.
+ *
+ */
+int seccomp_notify_receive(int fd, struct seccomp_notif *req);
+
+/**
+ * Send a notification response to a seccomp notification fd
+ * @param fd the notification fd
+ * @param resp the response buffer to use
+ *
+ * Sends a notification response on this fd. This function is thread safe
+ * (synchronization is performed in the kernel). Returns zero on success,
+ * negative values on error.
+ *
+ */
+int seccomp_notify_respond(int fd, struct seccomp_notif_resp *resp);
+
+/**
+ * Check if a notification id is still valid
+ * @param fd the notification fd
+ * @param id the id to test
+ *
+ * Checks to see if a notification id is still valid. Returns 0 on success, and
+ * negative values on failure.
+ *
+ */
+int seccomp_notify_id_valid(int fd, uint64_t id);
+
+/**
+ * Return the notification fd from a filter that has already been loaded
+ * @param ctx the filter context
+ *
+ * This returns the listener fd that was generated when the seccomp policy was
+ * loaded. This is only valid after seccomp_load() with a filter that makes
+ * use of SCMP_ACT_NOTIFY.
+ *
+ */
+int seccomp_notify_fd(const scmp_filter_ctx ctx);
+
+/**
+ * Generate seccomp Pseudo Filter Code (PFC) and export it to a file
+ * @param ctx the filter context
+ * @param fd the destination fd
+ *
+ * This function generates seccomp Pseudo Filter Code (PFC) and writes it to
+ * the given fd. Returns zero on success, negative values on failure.
+ *
+ */
+int seccomp_export_pfc(const scmp_filter_ctx ctx, int fd);
+
+/**
+ * Generate seccomp Berkley Packet Filter (BPF) code and export it to a file
+ * @param ctx the filter context
+ * @param fd the destination fd
+ *
+ * This function generates seccomp Berkley Packer Filter (BPF) code and writes
+ * it to the given fd. Returns zero on success, negative values on failure.
+ *
+ */
+int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd);
+
+/*
+ * pseudo syscall definitions
+ */
+
+/* NOTE - pseudo syscall values {-1..-99} are reserved */
+#define __NR_SCMP_ERROR -1
+#define __NR_SCMP_UNDEF -2
+
+#include <seccomp-syscalls.h>
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/include/seccomp.h.in b/include/seccomp.h.in
new file mode 100644
index 0000000..ef4c6e4
--- /dev/null
+++ b/include/seccomp.h.in
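Review bot: The `SCMP_SYS(x)` comment promises "the associated syscall number" but gives no hint that, per the `__SNR_*` fallbacks in the seccomp-syscalls.h this hunk includes at its end, it expands to a negative `__PNR_*` pseudo-syscall number whenever the syscall is not defined for the build architecture, which matters to callers that compare the value against a real number or hand it to seccomp_rule_add_exact(); suggest adding `@return the syscall number, or a negative __PNR_* pseudo-syscall number if the syscall does not exist on the native architecture` under the existing `@param`. The same hunk carries three documentation typos worth fixing together: "attrbute" in the level-4 line of the seccomp_api_get() comment, "correct sized" in seccomp_notify_alloc(), and "Berkley Packer Filter" in seccomp_export_bpf() (both spellings there should read "Berkeley Packet Filter"). The seccomp_notify_id_valid() description could also say why a supervisor needs it — to confirm, after reading data from the target and before responding, that the notification still refers to the original live target, as seccomp_unotify(2) recommends. seccomp.h is the configure output of seccomp.h.in, whose hunk starts at the end of this chunk and runs past it; the wording fixes belong in the .in file so they survive regeneration.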
@@ -0,0 +1,827 @@
+/**
+ * Seccomp Library
+ *
+ * Copyright (c) 2019 Cisco Systems <pmoore2@cisco.com>
+ * Copyright (c) 2012,2013 Red Hat <pmoore@redhat.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#ifndef _SECCOMP_H
+#define _SECCOMP_H
+
+#include <elf.h>
+#include <inttypes.h>
+#include <asm/unistd.h>
+#include <linux/audit.h>
+#include <linux/types.h>
+#include <linux/seccomp.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/*
+ * version information
+ */
+
+#define SCMP_VER_MAJOR @VERSION_MAJOR@
+#define SCMP_VER_MINOR @VERSION_MINOR@
+#define SCMP_VER_MICRO @VERSION_MICRO@
+
+struct scmp_version {
+ unsigned int major;
+ unsigned int minor;
+ unsigned int micro;
+};
+
+/*
+ * types
+ */
+
+/**
+ * Filter context/handle
+ */
+typedef void *scmp_filter_ctx;
+
+/**
+ * Filter attributes
+ */
+enum scmp_filter_attr {
+ _SCMP_FLTATR_MIN = 0,
+ SCMP_FLTATR_ACT_DEFAULT = 1, /**< default filter action */
+ SCMP_FLTATR_ACT_BADARCH = 2, /**< bad architecture action */
+ SCMP_FLTATR_CTL_NNP = 3, /**< set NO_NEW_PRIVS on filter load */
+ SCMP_FLTATR_CTL_TSYNC = 4, /**< sync threads on filter load */
+ SCMP_FLTATR_API_TSKIP = 5, /**< allow rules with a -1 syscall */
+ SCMP_FLTATR_CTL_LOG = 6, /**< log not-allowed actions */
+ SCMP_FLTATR_CTL_SSB = 7, /**< disable SSB mitigation */
+ SCMP_FLTATR_CTL_OPTIMIZE = 8, /**< filter optimization level:
+ * 0 - currently unused
+ * 1 - rules weighted by priority and
+ * complexity (DEFAULT)
+ * 2 - binary tree sorted by syscall
+ * number
+ */
+ SCMP_FLTATR_API_SYSRAWRC = 9, /**< return the system return codes */
+ _SCMP_FLTATR_MAX,
+};
+
+/**
+ * Comparison operators
+ */
+enum scmp_compare {
+ _SCMP_CMP_MIN = 0,
+ SCMP_CMP_NE = 1, /**< not equal */
+ SCMP_CMP_LT = 2, /**< less than */
+ SCMP_CMP_LE = 3, /**< less than or equal */
+ SCMP_CMP_EQ = 4, /**< equal */
+ SCMP_CMP_GE = 5, /**< greater than or equal */
+ SCMP_CMP_GT = 6, /**< greater than */
+ SCMP_CMP_MASKED_EQ = 7, /**< masked equality */
+ _SCMP_CMP_MAX,
+};
+
+/**
+ * Argument datum
+ */
+typedef uint64_t scmp_datum_t;
+
+/**
+ * Argument / Value comparison definition
+ */
+struct scmp_arg_cmp {
+ unsigned int arg; /**< argument number, starting at 0 */
+ enum scmp_compare op; /**< the comparison op, e.g. SCMP_CMP_* */
+ scmp_datum_t datum_a;
+ scmp_datum_t datum_b;
+};
+
+/*
+ * macros/defines
+ */
+
+/**
+ * The native architecture token
+ */
+#define SCMP_ARCH_NATIVE 0
+
+/**
+ * The x86 (32-bit) architecture token
+ */
+#define SCMP_ARCH_X86 AUDIT_ARCH_I386
+
+/**
+ * The x86-64 (64-bit) architecture token
+ */
+#define SCMP_ARCH_X86_64 AUDIT_ARCH_X86_64
+
+/**
+ * The x32 (32-bit x86_64) architecture token
+ *
+ * NOTE: this is different from the value used by the kernel because we need to
+ * be able to distinguish between x32 and x86_64
+ */
+#define SCMP_ARCH_X32 (EM_X86_64|__AUDIT_ARCH_LE)
+
+/**
+ * The ARM architecture tokens
+ */
+#define SCMP_ARCH_ARM AUDIT_ARCH_ARM
+/* AArch64 support for audit was merged in 3.17-rc1 */
+#ifndef AUDIT_ARCH_AARCH64
+#ifndef EM_AARCH64
+#define EM_AARCH64 183
+#endif /* EM_AARCH64 */
+#define AUDIT_ARCH_AARCH64 (EM_AARCH64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#endif /* AUDIT_ARCH_AARCH64 */
+#define SCMP_ARCH_AARCH64 AUDIT_ARCH_AARCH64
+
+/**
+ * The MIPS architecture tokens
+ */
+#ifndef __AUDIT_ARCH_CONVENTION_MIPS64_N32
+#define __AUDIT_ARCH_CONVENTION_MIPS64_N32 0x20000000
+#endif
+#ifndef EM_MIPS
+#define EM_MIPS 8
+#endif
+#ifndef AUDIT_ARCH_MIPS
+#define AUDIT_ARCH_MIPS (EM_MIPS)
+#endif
+#ifndef AUDIT_ARCH_MIPS64
+#define AUDIT_ARCH_MIPS64 (EM_MIPS|__AUDIT_ARCH_64BIT)
+#endif
+/* MIPS64N32 support was merged in 3.15 */
+#ifndef AUDIT_ARCH_MIPS64N32
+#define AUDIT_ARCH_MIPS64N32 (EM_MIPS|__AUDIT_ARCH_64BIT|\
+ __AUDIT_ARCH_CONVENTION_MIPS64_N32)
+#endif
+/* MIPSEL64N32 support was merged in 3.15 */
+#ifndef AUDIT_ARCH_MIPSEL64N32
+#define AUDIT_ARCH_MIPSEL64N32 (EM_MIPS|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE|\
+ __AUDIT_ARCH_CONVENTION_MIPS64_N32)
+#endif
+#define SCMP_ARCH_MIPS AUDIT_ARCH_MIPS
+#define SCMP_ARCH_MIPS64 AUDIT_ARCH_MIPS64
+#define SCMP_ARCH_MIPS64N32 AUDIT_ARCH_MIPS64N32
+#define SCMP_ARCH_MIPSEL AUDIT_ARCH_MIPSEL
+#define SCMP_ARCH_MIPSEL64 AUDIT_ARCH_MIPSEL64
+#define SCMP_ARCH_MIPSEL64N32 AUDIT_ARCH_MIPSEL64N32
+
+/**
+ * The PowerPC architecture tokens
+ */
+#define SCMP_ARCH_PPC AUDIT_ARCH_PPC
+#define SCMP_ARCH_PPC64 AUDIT_ARCH_PPC64
+#ifndef AUDIT_ARCH_PPC64LE
+#define AUDIT_ARCH_PPC64LE (EM_PPC64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#endif
+#define SCMP_ARCH_PPC64LE AUDIT_ARCH_PPC64LE
+
+/**
+ * The S390 architecture tokens
+ */
+#define SCMP_ARCH_S390 AUDIT_ARCH_S390
+#define SCMP_ARCH_S390X AUDIT_ARCH_S390X
+
+/**
+ * The PA-RISC hppa architecture tokens
+ */
+#define SCMP_ARCH_PARISC AUDIT_ARCH_PARISC
+#define SCMP_ARCH_PARISC64 AUDIT_ARCH_PARISC64
+
+/**
+ * The RISC-V architecture tokens
+ */
+/* RISC-V support for audit was merged in 5.0-rc1 */
+#ifndef AUDIT_ARCH_RISCV64
+#ifndef EM_RISCV
+#define EM_RISCV 243
+#endif /* EM_RISCV */
+#define AUDIT_ARCH_RISCV64 (EM_RISCV|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE)
+#endif /* AUDIT_ARCH_RISCV64 */
+#define SCMP_ARCH_RISCV64 AUDIT_ARCH_RISCV64
+
+/**
+ * Convert a syscall name into the associated syscall number
+ * @param x the syscall name
+ */
+#define SCMP_SYS(x) (__SNR_##x)
+
+/* Helpers for the argument comparison macros, DO NOT USE directly */
+#define _SCMP_VA_NUM_ARGS(...) _SCMP_VA_NUM_ARGS_IMPL(__VA_ARGS__,2,1)
+#define _SCMP_VA_NUM_ARGS_IMPL(_1,_2,N,...) N
+#define _SCMP_MACRO_DISPATCHER(func, ...) \
+ _SCMP_MACRO_DISPATCHER_IMPL1(func, _SCMP_VA_NUM_ARGS(__VA_ARGS__))
+#define _SCMP_MACRO_DISPATCHER_IMPL1(func, nargs) \
+ _SCMP_MACRO_DISPATCHER_IMPL2(func, nargs)
+#define _SCMP_MACRO_DISPATCHER_IMPL2(func, nargs) \
+ func ## nargs
+#define _SCMP_CMP32_1(x, y, z) \
+ SCMP_CMP64(x, y, (uint32_t)(z))
+#define _SCMP_CMP32_2(x, y, z, q) \
+ SCMP_CMP64(x, y, (uint32_t)(z), (uint32_t)(q))
+
+/**
+ * Specify a 64-bit argument comparison struct for use in declaring rules
+ * @param arg the argument number, starting at 0
+ * @param op the comparison operator, e.g. SCMP_CMP_*
+ * @param datum_a dependent on comparison
+ * @param datum_b dependent on comparison, optional
+ */
+#define SCMP_CMP64(...) ((struct scmp_arg_cmp){__VA_ARGS__})
+#define SCMP_CMP SCMP_CMP64
+
+/**
+ * Specify a 32-bit argument comparison struct for use in declaring rules
+ * @param arg the argument number, starting at 0
+ * @param op the comparison operator, e.g. SCMP_CMP_*
+ * @param datum_a dependent on comparison (32-bits)
+ * @param datum_b dependent on comparison, optional (32-bits)
+ */
+#define SCMP_CMP32(x, y, ...) \
+ _SCMP_MACRO_DISPATCHER(_SCMP_CMP32_, __VA_ARGS__)(x, y, __VA_ARGS__)
+
+/**
+ * Specify a 64-bit argument comparison struct for argument 0
+ */
+#define SCMP_A0_64(...) SCMP_CMP64(0, __VA_ARGS__)
+#define SCMP_A0 SCMP_A0_64
+
+/**
+ * Specify a 32-bit argument comparison struct for argument 0
+ */
+#define SCMP_A0_32(x, ...) SCMP_CMP32(0, x, __VA_ARGS__)
+
+/**
+ * Specify a 64-bit argument comparison struct for argument 1
+ */
+#define SCMP_A1_64(...) SCMP_CMP64(1, __VA_ARGS__)
+#define SCMP_A1 SCMP_A1_64
+
+/**
+ * Specify a 32-bit argument comparison struct for argument 1
+ */
+#define SCMP_A1_32(x, ...) SCMP_CMP32(1, x, __VA_ARGS__)
+
+/**
+ * Specify a 64-bit argument comparison struct for argument 2
+ */
+#define SCMP_A2_64(...) SCMP_CMP64(2, __VA_ARGS__)
+#define SCMP_A2 SCMP_A2_64
+
+/**
+ * Specify a 32-bit argument comparison struct for argument 2
+ */
+#define SCMP_A2_32(x, ...) SCMP_CMP32(2, x, __VA_ARGS__)
+
+/**
+ * Specify a 64-bit argument comparison struct for argument 3
+ */
+#define SCMP_A3_64(...) SCMP_CMP64(3, __VA_ARGS__)
+#define SCMP_A3 SCMP_A3_64
+
+/**
+ * Specify a 32-bit argument comparison struct for argument 3
+ */
+#define SCMP_A3_32(x, ...) SCMP_CMP32(3, x, __VA_ARGS__)
+
+/**
+ * Specify a 64-bit argument comparison struct for argument 4
+ */
+#define SCMP_A4_64(...) SCMP_CMP64(4, __VA_ARGS__)
+#define SCMP_A4 SCMP_A4_64
+
+/**
+ * Specify a 32-bit argument comparison struct for argument 4
+ */
+#define SCMP_A4_32(x, ...) SCMP_CMP32(4, x, __VA_ARGS__)
+
+/**
+ * Specify a 64-bit argument comparison struct for argument 5
+ */
+#define SCMP_A5_64(...) SCMP_CMP64(5, __VA_ARGS__)
+#define SCMP_A5 SCMP_A5_64
+
+/**
+ * Specify a 32-bit argument comparison struct for argument 5
+ */
+#define SCMP_A5_32(x, ...) SCMP_CMP32(5, x, __VA_ARGS__)
+
+/*
+ * seccomp actions
+ */
+
+/**
+ * Kill the process
+ */
+#define SCMP_ACT_KILL_PROCESS 0x80000000U
+/**
+ * Kill the thread
+ */
+#define SCMP_ACT_KILL_THREAD 0x00000000U
+/**
+ * Kill the thread, defined for backward compatibility
+ */
+#define SCMP_ACT_KILL SCMP_ACT_KILL_THREAD
+/**
+ * Throw a SIGSYS signal
+ */
+#define SCMP_ACT_TRAP 0x00030000U
+/**
+ * Notifies userspace
+ */
+#define SCMP_ACT_NOTIFY 0x7fc00000U
+/**
+ * Return the specified error code
+ */
+#define SCMP_ACT_ERRNO(x) (0x00050000U | ((x) & 0x0000ffffU))
+/**
+ * Notify a tracing process with the specified value
+ */
+#define SCMP_ACT_TRACE(x) (0x7ff00000U | ((x) & 0x0000ffffU))
+/**
+ * Allow the syscall to be executed after the action has been logged
+ */
+#define SCMP_ACT_LOG 0x7ffc0000U
+/**
+ * Allow the syscall to be executed
+ */
+#define SCMP_ACT_ALLOW 0x7fff0000U
+
+/* SECCOMP_RET_USER_NOTIF was added in kernel v5.0. */
+#ifndef SECCOMP_RET_USER_NOTIF
+#define SECCOMP_RET_USER_NOTIF 0x7fc00000U
+
+struct seccomp_notif {
+ __u64 id;
+ __u32 pid;
+ __u32 flags;
+ struct seccomp_data data;
+};
+
+struct seccomp_notif_resp {
+ __u64 id;
+ __s64 val;
+ __s32 error;
+ __u32 flags;
+};
+#endif
+
+/*
+ * functions
+ */
+
+/**
+ * Query the library version information
+ *
+ * This function returns a pointer to a populated scmp_version struct, the
+ * caller does not need to free the structure when finished.
+ *
+ */
+const struct scmp_version *seccomp_version(void);
+
+/**
+ * Query the library's level of API support
+ *
+ * This function returns an API level value indicating the current supported
+ * functionality. It is important to note that this level of support is
+ * determined at runtime and therefore can change based on the running kernel
+ * and system configuration (e.g. any previously loaded seccomp filters). This
+ * function can be called multiple times, but it only queries the system the
+ * first time it is called, the API level is cached and used in subsequent
+ * calls.
+ *
+ * The current API levels are described below:
+ * 0 : reserved
+ * 1 : base level
+ * 2 : support for the SCMP_FLTATR_CTL_TSYNC filter attribute
+ * uses the seccomp(2) syscall instead of the prctl(2) syscall
+ * 3 : support for the SCMP_FLTATR_CTL_LOG filter attribute
+ * support for the SCMP_ACT_LOG action
+ * support for the SCMP_ACT_KILL_PROCESS action
+ * 4 : support for the SCMP_FLTATR_CTL_SSB filter attrbute
+ * 5 : support for the SCMP_ACT_NOTIFY action and notify APIs
+ * 6 : support the simultaneous use of SCMP_FLTATR_CTL_TSYNC and notify APIs
+ *
+ */
+unsigned int seccomp_api_get(void);
+
+/**
+ * Set the library's level of API support
+ *
+ * This function forcibly sets the API level of the library at runtime. Valid
+ * API levels are discussed in the description of the seccomp_api_get()
+ * function. General use of this function is strongly discouraged.
+ *
+ */
+int seccomp_api_set(unsigned int level);
+
+/**
+ * Initialize the filter state
+ * @param def_action the default filter action
+ *
+ * This function initializes the internal seccomp filter state and should
+ * be called before any other functions in this library to ensure the filter
+ * state is initialized. Returns a filter context on success, NULL on failure.
+ *
+ */
+scmp_filter_ctx seccomp_init(uint32_t def_action);
+
+/**
+ * Reset the filter state
+ * @param ctx the filter context
+ * @param def_action the default filter action
+ *
+ * This function resets the given seccomp filter state and ensures the
+ * filter state is reinitialized. This function does not reset any seccomp
+ * filters already loaded into the kernel. Returns zero on success, negative
+ * values on failure.
+ *
+ */
+int seccomp_reset(scmp_filter_ctx ctx, uint32_t def_action);
+
+/**
+ * Destroys the filter state and releases any resources
+ * @param ctx the filter context
+ *
+ * This functions destroys the given seccomp filter state and releases any
+ * resources, including memory, associated with the filter state. This
+ * function does not reset any seccomp filters already loaded into the kernel.
+ * The filter context can no longer be used after calling this function.
+ *
+ */
+void seccomp_release(scmp_filter_ctx ctx);
+
+/**
+ * Merge two filters
+ * @param ctx_dst the destination filter context
+ * @param ctx_src the source filter context
+ *
+ * This function merges two filter contexts into a single filter context and
+ * destroys the second filter context. The two filter contexts must have the
+ * same attribute values and not contain any of the same architectures; if they
+ * do, the merge operation will fail. On success, the source filter context
+ * will be destroyed and should no longer be used; it is not necessary to
+ * call seccomp_release() on the source filter context. Returns zero on
+ * success, negative values on failure.
+ *
+ */
+int seccomp_merge(scmp_filter_ctx ctx_dst, scmp_filter_ctx ctx_src);
+
+/**
+ * Resolve the architecture name to a architecture token
+ * @param arch_name the architecture name
+ *
+ * This function resolves the given architecture name to a token suitable for
+ * use with libseccomp, returns zero on failure.
+ *
+ */
+uint32_t seccomp_arch_resolve_name(const char *arch_name);
+
+/**
+ * Return the native architecture token
+ *
+ * This function returns the native architecture token value, e.g. SCMP_ARCH_*.
+ *
+ */
+uint32_t seccomp_arch_native(void);
+
+/**
+ * Check to see if an existing architecture is present in the filter
+ * @param ctx the filter context
+ * @param arch_token the architecture token, e.g. SCMP_ARCH_*
+ *
+ * This function tests to see if a given architecture is included in the filter
+ * context. If the architecture token is SCMP_ARCH_NATIVE then the native
+ * architecture will be assumed. Returns zero if the architecture exists in
+ * the filter, -EEXIST if it is not present, and other negative values on
+ * failure.
+ *
+ */
+int seccomp_arch_exist(const scmp_filter_ctx ctx, uint32_t arch_token);
+
+/**
+ * Adds an architecture to the filter
+ * @param ctx the filter context
+ * @param arch_token the architecture token, e.g. SCMP_ARCH_*
+ *
+ * This function adds a new architecture to the given seccomp filter context.
+ * Any new rules added after this function successfully returns will be added
+ * to this architecture but existing rules will not be added to this
+ * architecture. If the architecture token is SCMP_ARCH_NATIVE then the native
+ * architecture will be assumed. Returns zero on success, -EEXIST if
+ * specified architecture is already present, other negative values on failure.
+ *
+ */
+int seccomp_arch_add(scmp_filter_ctx ctx, uint32_t arch_token);
+
+/**
+ * Removes an architecture from the filter
+ * @param ctx the filter context
+ * @param arch_token the architecture token, e.g. SCMP_ARCH_*
+ *
+ * This function removes an architecture from the given seccomp filter context.
+ * If the architecture token is SCMP_ARCH_NATIVE then the native architecture
+ * will be assumed. Returns zero on success, negative values on failure.
+ *
+ */
+int seccomp_arch_remove(scmp_filter_ctx ctx, uint32_t arch_token);
+
+/**
+ * Loads the filter into the kernel
+ * @param ctx the filter context
+ *
+ * This function loads the given seccomp filter context into the kernel. If
+ * the filter was loaded correctly, the kernel will be enforcing the filter
+ * when this function returns. Returns zero on success, negative values on
+ * error.
+ *
+ */
+int seccomp_load(const scmp_filter_ctx ctx);
+
+/**
+ * Get the value of a filter attribute
+ * @param ctx the filter context
+ * @param attr the filter attribute name
+ * @param value the filter attribute value
+ *
+ * This function fetches the value of the given attribute name and returns it
+ * via @value. Returns zero on success, negative values on failure.
+ *
+ */
+int seccomp_attr_get(const scmp_filter_ctx ctx,
+ enum scmp_filter_attr attr, uint32_t *value);
+
+/**
+ * Set the value of a filter attribute
+ * @param ctx the filter context
+ * @param attr the filter attribute name
+ * @param value the filter attribute value
+ *
+ * This function sets the value of the given attribute. Returns zero on
+ * success, negative values on failure.
+ *
+ */
+int seccomp_attr_set(scmp_filter_ctx ctx,
+ enum scmp_filter_attr attr, uint32_t value);
+
+/**
+ * Resolve a syscall number to a name
+ * @param arch_token the architecture token, e.g. SCMP_ARCH_*
+ * @param num the syscall number
+ *
+ * Resolve the given syscall number to the syscall name for the given
+ * architecture; it is up to the caller to free the returned string. Returns
+ * the syscall name on success, NULL on failure.
+ *
+ */
+char *seccomp_syscall_resolve_num_arch(uint32_t arch_token, int num);
+
+/**
+ * Resolve a syscall name to a number
+ * @param arch_token the architecture token, e.g. SCMP_ARCH_*
+ * @param name the syscall name
+ *
+ * Resolve the given syscall name to the syscall number for the given
+ * architecture. Returns the syscall number on success, including negative
+ * pseudo syscall numbers (e.g. __PNR_*); returns __NR_SCMP_ERROR on failure.
+ *
+ */
+int seccomp_syscall_resolve_name_arch(uint32_t arch_token, const char *name);
+
+/**
+ * Resolve a syscall name to a number and perform any rewriting necessary
+ * @param arch_token the architecture token, e.g. SCMP_ARCH_*
+ * @param name the syscall name
+ *
+ * Resolve the given syscall name to the syscall number for the given
+ * architecture and do any necessary syscall rewriting needed by the
+ * architecture. Returns the syscall number on success, including negative
+ * pseudo syscall numbers (e.g. __PNR_*); returns __NR_SCMP_ERROR on failure.
+ *
+ */
+int seccomp_syscall_resolve_name_rewrite(uint32_t arch_token, const char *name);
+
+/**
+ * Resolve a syscall name to a number
+ * @param name the syscall name
+ *
+ * Resolve the given syscall name to the syscall number. Returns the syscall
+ * number on success, including negative pseudo syscall numbers (e.g. __PNR_*);
+ * returns __NR_SCMP_ERROR on failure.
+ *
+ */
+int seccomp_syscall_resolve_name(const char *name);
+
+/**
+ * Set the priority of a given syscall
+ * @param ctx the filter context
+ * @param syscall the syscall number
+ * @param priority priority value, higher value == higher priority
+ *
+ * This function sets the priority of the given syscall; this value is used
+ * when generating the seccomp filter code such that higher priority syscalls
+ * will incur less filter code overhead than the lower priority syscalls in the
+ * filter. Returns zero on success, negative values on failure.
+ *
+ */
+int seccomp_syscall_priority(scmp_filter_ctx ctx,
+ int syscall, uint8_t priority);
+
+/**
+ * Add a new rule to the filter
+ * @param ctx the filter context
+ * @param action the filter action
+ * @param syscall the syscall number
+ * @param arg_cnt the number of argument filters in the argument filter chain
+ * @param ... scmp_arg_cmp structs (use of SCMP_ARG_CMP() recommended)
+ *
+ * This function adds a series of new argument/value checks to the seccomp
+ * filter for the given syscall; multiple argument/value checks can be
+ * specified and they will be chained together (AND'd together) in the filter.
+ * If the specified rule needs to be adjusted due to architecture specifics it
+ * will be adjusted without notification. Returns zero on success, negative
+ * values on failure.
+ *
+ */
+int seccomp_rule_add(scmp_filter_ctx ctx,
+ uint32_t action, int syscall, unsigned int arg_cnt, ...);
+
+
+/**
+ * Add a new rule to the filter
+ * @param ctx the filter context
+ * @param action the filter action
+ * @param syscall the syscall number
+ * @param arg_cnt the number of elements in the arg_array parameter
+ * @param arg_array array of scmp_arg_cmp structs
+ *
+ * This function adds a series of new argument/value checks to the seccomp
+ * filter for the given syscall; multiple argument/value checks can be
+ * specified and they will be chained together (AND'd together) in the filter.
+ * If the specified rule needs to be adjusted due to architecture specifics it
+ * will be adjusted without notification. Returns zero on success, negative
+ * values on failure.
+ *
+ */
+int seccomp_rule_add_array(scmp_filter_ctx ctx,
+ uint32_t action, int syscall, unsigned int arg_cnt,
+ const struct scmp_arg_cmp *arg_array);
+
+/**
+ * Add a new rule to the filter
+ * @param ctx the filter context
+ * @param action the filter action
+ * @param syscall the syscall number
+ * @param arg_cnt the number of argument filters in the argument filter chain
+ * @param ... scmp_arg_cmp structs (use of SCMP_ARG_CMP() recommended)
+ *
+ * This function adds a series of new argument/value checks to the seccomp
+ * filter for the given syscall; multiple argument/value checks can be
+ * specified and they will be chained together (AND'd together) in the filter.
+ * If the specified rule can not be represented on the architecture the
+ * function will fail. Returns zero on success, negative values on failure.
+ *
+ */
+int seccomp_rule_add_exact(scmp_filter_ctx ctx, uint32_t action,
+ int syscall, unsigned int arg_cnt, ...);
+
+/**
+ * Add a new rule to the filter
+ * @param ctx the filter context
+ * @param action the filter action
+ * @param syscall the syscall number
+ * @param arg_cnt the number of elements in the arg_array parameter
+ * @param arg_array array of scmp_arg_cmp structs
+ *
+ * This function adds a series of new argument/value checks to the seccomp
+ * filter for the given syscall; multiple argument/value checks can be
+ * specified and they will be chained together (AND'd together) in the filter.
+ * If the specified rule can not be represented on the architecture the
+ * function will fail. Returns zero on success, negative values on failure.
+ *
+ */
+int seccomp_rule_add_exact_array(scmp_filter_ctx ctx,
+ uint32_t action, int syscall,
+ unsigned int arg_cnt,
+ const struct scmp_arg_cmp *arg_array);
+
+/**
+ * Allocate a pair of notification request/response structures
+ * @param req the request location
+ * @param resp the response location
+ *
+ * This function allocates a pair of request/response structure by computing
+ * the correct sized based on the currently running kernel. It returns zero on
+ * success, and negative values on failure.
+ *
+ */
+int seccomp_notify_alloc(struct seccomp_notif **req,
+ struct seccomp_notif_resp **resp);
+
+/**
+ * Free a pair of notification request/response structures.
+ * @param req the request location
+ * @param resp the response location
+ */
+void seccomp_notify_free(struct seccomp_notif *req,
+ struct seccomp_notif_resp *resp);
+
+/**
+ * Receive a notification from a seccomp notification fd
+ * @param fd the notification fd
+ * @param req the request buffer to save into
+ *
+ * Blocks waiting for a notification on this fd. This function is thread safe
+ * (synchronization is performed in the kernel). Returns zero on success,
+ * negative values on error.
+ *
+ */
+int seccomp_notify_receive(int fd, struct seccomp_notif *req);
+
+/**
+ * Send a notification response to a seccomp notification fd
+ * @param fd the notification fd
+ * @param resp the response buffer to use
+ *
+ * Sends a notification response on this fd. This function is thread safe
+ * (synchronization is performed in the kernel). Returns zero on success,
+ * negative values on error.
+ *
+ */
+int seccomp_notify_respond(int fd, struct seccomp_notif_resp *resp);
+
+/**
+ * Check if a notification id is still valid
+ * @param fd the notification fd
+ * @param id the id to test
+ *
+ * Checks to see if a notification id is still valid. Returns 0 on success, and
+ * negative values on failure.
+ *
+ */
+int seccomp_notify_id_valid(int fd, uint64_t id);
+
+/**
+ * Return the notification fd from a filter that has already been loaded
+ * @param ctx the filter context
+ *
+ * This returns the listener fd that was generated when the seccomp policy was
+ * loaded. This is only valid after seccomp_load() with a filter that makes
+ * use of SCMP_ACT_NOTIFY.
+ *
+ */
+int seccomp_notify_fd(const scmp_filter_ctx ctx);
+
+/**
+ * Generate seccomp Pseudo Filter Code (PFC) and export it to a file
+ * @param ctx the filter context
+ * @param fd the destination fd
+ *
+ * This function generates seccomp Pseudo Filter Code (PFC) and writes it to
+ * the given fd. Returns zero on success, negative values on failure.
+ *
+ */
+int seccomp_export_pfc(const scmp_filter_ctx ctx, int fd);
+
+/**
+ * Generate seccomp Berkley Packet Filter (BPF) code and export it to a file
+ * @param ctx the filter context
+ * @param fd the destination fd
+ *
+ * This function generates seccomp Berkley Packer Filter (BPF) code and writes
+ * it to the given fd. Returns zero on success, negative values on failure.
+ *
+ */
+int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd);
+
+/*
+ * pseudo syscall definitions
+ */
+
+/* NOTE - pseudo syscall values {-1..-99} are reserved */
+#define __NR_SCMP_ERROR -1
+#define __NR_SCMP_UNDEF -2
+
+#include <seccomp-syscalls.h>
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
|
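Review bot: The `@param ...` lines on seccomp_rule_add and seccomp_rule_add_exact recommend `SCMP_ARG_CMP()`, but no macro of that name is defined anywhere in this header; the comparison helpers it actually provides are SCMP_CMP/SCMP_CMP64/SCMP_CMP32 and SCMP_A0..SCMP_A5 (with _32/_64 variants), so a reader following the advice gets an undefined identifier. Suggest `* @param ... scmp_arg_cmp structs (use of SCMP_CMP() or SCMP_A0()..SCMP_A5() recommended)` on both declarations. Two wording slips in the same hunk: `Berkley Packer Filter` in the seccomp_export_bpf description should read `Berkeley Packet Filter` (the summary line above it already has "Packet"), and `filter attrbute` in the seccomp_api_get level list should be `attribute`; the same text appears in include/seccomp.h in this commit, which looks to be generated from this template. It may also be worth stating in the seccomp_notify_id_valid comment at what point a supervisor is expected to call it — presumably after it has read the target's memory and before acting on the request, since the id is what ties the request to a still-live target — but confirm that against the implementation before wording it.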