| /Linux-v4.19/kernel/ |
| D | seccomp.c | 195 READ_ONCE(current->seccomp.filter); in seccomp_run_filters()
226 if (current->seccomp.mode && current->seccomp.mode != seccomp_mode) in seccomp_may_assign_mode()
240 task->seccomp.mode = seccomp_mode; in seccomp_assign_mode()
291 if (thread->seccomp.mode == SECCOMP_MODE_DISABLED || in seccomp_can_sync_threads()
292 (thread->seccomp.mode == SECCOMP_MODE_FILTER && in seccomp_can_sync_threads()
293 is_ancestor(thread->seccomp.filter, in seccomp_can_sync_threads()
294 caller->seccomp.filter))) in seccomp_can_sync_threads()
338 smp_store_release(&thread->seccomp.filter, in seccomp_sync_threads()
339 caller->seccomp.filter); in seccomp_sync_threads()
356 if (thread->seccomp.mode == SECCOMP_MODE_DISABLED) in seccomp_sync_threads()
[all …]
|
| D | Makefile | 90 obj-$(CONFIG_SECCOMP) += seccomp.o
|
| D | sys_ni.c | 315 COND_SYSCALL(seccomp);
|
| D | fork.c | 837 tsk->seccomp.filter = NULL; in dup_task_struct()
1533 p->seccomp = current->seccomp; in copy_seccomp()
1548 if (p->seccomp.mode != SECCOMP_MODE_DISABLED) in copy_seccomp()
|
| /Linux-v4.19/include/linux/ |
| D | seccomp.h | 28 struct seccomp { struct
48 static inline int seccomp_mode(struct seccomp *s) in seccomp_mode() argument
57 struct seccomp { }; struct
76 static inline int seccomp_mode(struct seccomp *s) in seccomp_mode()
|
| D | sched.h | 887 struct seccomp seccomp; member
|
| /Linux-v4.19/Documentation/userspace-api/ |
| D | seccomp_filter.rst | 24 Additionally, BPF makes it impossible for users of seccomp to fall prey
46 An additional seccomp mode is added and is enabled using the same
47 prctl(2) call as the strict seccomp. If the architecture has
87 A seccomp filter may return any of the following values. If multiple
119 ``SIGSYS`` triggered by seccomp will have a si_code of ``SYS_SECCOMP``.
144 The seccomp check will not be run again after the tracer is
145 notified. (This means that seccomp-based sandboxes MUST NOT
182 The ``samples/seccomp/`` directory contains both an x86-specific example
189 Seccomp's sysctl files can be found in the ``/proc/sys/kernel/seccomp/``
193 A read-only ordered list of seccomp return values (refer to the
[all …]
|
| D | no_new_privs.rst | 47 - Filters installed for the seccomp mode 2 sandbox persist across
|
| /Linux-v4.19/tools/testing/selftests/seccomp/ |
| D | seccomp_bpf.c | 157 #ifndef seccomp
158 int seccomp(unsigned int op, unsigned int flags, void *args) in seccomp() function
666 ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0, in kill_thread_or_group()
673 ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog_thread)); in kill_thread_or_group()
1998 ret = seccomp(-1, 0, &prog); in TEST()
2007 ret = seccomp(SECCOMP_SET_MODE_STRICT, -1, NULL); in TEST()
2011 ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, &prog); in TEST()
2017 ret = seccomp(SECCOMP_SET_MODE_FILTER, -1, &prog); in TEST()
2021 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, NULL); in TEST()
2026 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog); in TEST()
[all …]
|
| /Linux-v4.19/Documentation/features/seccomp/seccomp-filter/ |
| D | arch-support.txt | 2 # Feature name: seccomp-filter
4 # description: arch supports seccomp filters
|
| /Linux-v4.19/arch/um/ |
| D | Kconfig | 174 prompt "Enable seccomp to safely compute untrusted bytecode"
181 their own address space using seccomp. Once seccomp is
184 defined by each seccomp mode.
|
| /Linux-v4.19/samples/ |
| D | Makefile | 4 hw_breakpoint/ kfifo/ kdb/ hidraw/ rpmsg/ seccomp/ \
|
| D | Kconfig | 106 tristate "Build seccomp sample code -- loadable modules only"
109 Build samples of seccomp filters using various methods of
|
| /Linux-v4.19/arch/microblaze/ |
| D | Kconfig | 124 bool "Enable seccomp to safely compute untrusted bytecode"
133 their own address space using seccomp. Once seccomp is
134 enabled via /proc/<pid>/seccomp, it cannot be disabled
136 defined by each seccomp mode.
|
| /Linux-v4.19/arch/arm/include/asm/ |
| D | Kbuild | 16 generic-y += seccomp.h
|
| /Linux-v4.19/arch/parisc/include/asm/ |
| D | Kbuild | 18 generic-y += seccomp.h
|
| /Linux-v4.19/arch/parisc/ |
| D | Kconfig | 357 prompt "Enable seccomp to safely compute untrusted bytecode"
364 their own address space using seccomp. Once seccomp is
367 defined by each seccomp mode.
|
| /Linux-v4.19/arch/sparc/ |
| D | Kconfig | 240 bool "Enable seccomp to safely compute untrusted bytecode"
249 their own address space using seccomp. Once seccomp is
250 enabled via /proc/<pid>/seccomp, it cannot be disabled
252 defined by each seccomp mode.
|
| /Linux-v4.19/tools/testing/selftests/ |
| D | Makefile | 34 TARGETS += seccomp
|
| /Linux-v4.19/arch/sh/ |
| D | Kconfig | 656 bool "Enable seccomp to safely compute untrusted bytecode"
664 their own address space using seccomp. Once seccomp is
666 allowed to execute a few safe syscalls defined by each seccomp
|
| /Linux-v4.19/arch/s390/ |
| D | Kconfig | 797 prompt "Enable seccomp to safely compute untrusted bytecode"
805 their own address space using seccomp. Once seccomp is
806 enabled via /proc/<pid>/seccomp, it cannot be disabled
808 defined by each seccomp mode.
|
| /Linux-v4.19/arch/powerpc/ |
| D | Kconfig | 832 bool "Enable seccomp to safely compute untrusted bytecode"
841 their own address space using seccomp. Once seccomp is
842 enabled via /proc/<pid>/seccomp, it cannot be disabled
844 defined by each seccomp mode.
|
| /Linux-v4.19/arch/powerpc/include/asm/ |
| D | systbl.h | 366 SYSCALL_SPU(seccomp)
|
| /Linux-v4.19/arch/parisc/kernel/ |
| D | syscall_table.S | 436 ENTRY_SAME(seccomp)
|
| /Linux-v4.19/Documentation/dev-tools/ |
| D | kselftest.rst | 168 from tools/testing/selftests/seccomp/seccomp_bpf.c can be used as example.
|
