1 files changed, 133 insertions, 0 deletions
diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h
new file mode 100644
index 000000000..175079552
--- /dev/null
+++ b/include/linux/seccomp.h
@@ -0,0 +1,133 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef _LINUX_SECCOMP_H
+#define _LINUX_SECCOMP_H
+
+#include <uapi/linux/seccomp.h>
+
+#define SECCOMP_FILTER_FLAG_MASK	(SECCOMP_FILTER_FLAG_TSYNC | \
+					 SECCOMP_FILTER_FLAG_LOG | \
+					 SECCOMP_FILTER_FLAG_SPEC_ALLOW | \
+					 SECCOMP_FILTER_FLAG_NEW_LISTENER | \
+					 SECCOMP_FILTER_FLAG_TSYNC_ESRCH | \
+					 SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV)
+
+/* sizeof() the first published struct seccomp_notif_addfd */
+#define SECCOMP_NOTIFY_ADDFD_SIZE_VER0 24
+#define SECCOMP_NOTIFY_ADDFD_SIZE_LATEST SECCOMP_NOTIFY_ADDFD_SIZE_VER0
+
+#ifdef CONFIG_SECCOMP
+
+#include <linux/thread_info.h>
+#include <linux/atomic.h>
+#include <asm/seccomp.h>
+
+struct seccomp_filter;
+/**
+ * struct seccomp - the state of a seccomp'ed process
+ *
+ * @mode:  indicates one of the valid values above for controlled
+ *         system calls available to a process.
+ * @filter_count: number of seccomp filters
+ * @filter: must always point to a valid seccomp-filter or NULL as it is
+ *          accessed without locking during system call entry.
+ *
+ *          @filter must only be accessed from the context of current as there
+ *          is no read locking.
+ */
+struct seccomp {
+	int mode;
+	atomic_t filter_count;
+	struct seccomp_filter *filter;
+};
+
+#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
+extern int __secure_computing(const struct seccomp_data *sd);
+static inline int secure_computing(void)
+{
+	if (unlikely(test_syscall_work(SECCOMP)))
+		return  __secure_computing(NULL);
+	return 0;
+}
+#else
+extern void secure_computing_strict(int this_syscall);
+#endif
+
+extern long prctl_get_seccomp(void);
+extern long prctl_set_seccomp(unsigned long, void __user *);
+
+static inline int seccomp_mode(struct seccomp *s)
+{
+	return s->mode;
+}
+
+#else /* CONFIG_SECCOMP */
+
+#include <linux/errno.h>
+
+struct seccomp { };
+struct seccomp_filter { };
+struct seccomp_data;
+
+#ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
+static inline int secure_computing(void) { return 0; }
+static inline int __secure_computing(const struct seccomp_data *sd) { return 0; }
+#else
+static inline void secure_computing_strict(int this_syscall) { return; }
+#endif
+
+static inline long prctl_get_seccomp(void)
+{
+	return -EINVAL;
+}
+
+static inline long prctl_set_seccomp(unsigned long arg2, char __user *arg3)
+{
+	return -EINVAL;
+}
+
+static inline int seccomp_mode(struct seccomp *s)
+{
+	return SECCOMP_MODE_DISABLED;
+}
+#endif /* CONFIG_SECCOMP */
+
+#ifdef CONFIG_SECCOMP_FILTER
+extern void seccomp_filter_release(struct task_struct *tsk);
+extern void get_seccomp_filter(struct task_struct *tsk);
+#else  /* CONFIG_SECCOMP_FILTER */
+static inline void seccomp_filter_release(struct task_struct *tsk)
+{
+	return;
+}
+static inline void get_seccomp_filter(struct task_struct *tsk)
+{
+	return;
+}
+#endif /* CONFIG_SECCOMP_FILTER */
+
+#if defined(CONFIG_SECCOMP_FILTER) && defined(CONFIG_CHECKPOINT_RESTORE)
+extern long seccomp_get_filter(struct task_struct *task,
+			       unsigned long filter_off, void __user *data);
+extern long seccomp_get_metadata(struct task_struct *task,
+				 unsigned long filter_off, void __user *data);
+#else
+static inline long seccomp_get_filter(struct task_struct *task,
+				      unsigned long n, void __user *data)
+{
+	return -EINVAL;
+}
+static inline long seccomp_get_metadata(struct task_struct *task,
+					unsigned long filter_off,
+					void __user *data)
+{
+	return -EINVAL;
+}
+#endif /* CONFIG_SECCOMP_FILTER && CONFIG_CHECKPOINT_RESTORE */
+
+#ifdef CONFIG_SECCOMP_CACHE_DEBUG
+struct seq_file;
+
+int proc_pid_seccomp_cache(struct seq_file *m, struct pid_namespace *ns,
+			   struct pid *pid, struct task_struct *task);
+#endif
+#endif /* _LINUX_SECCOMP_H */