/Linux-v5.4/include/linux/ |
D | seccomp.h | 29 struct seccomp { struct 49 static inline int seccomp_mode(struct seccomp *s) in seccomp_mode() argument 58 struct seccomp { }; struct 77 static inline int seccomp_mode(struct seccomp *s) in seccomp_mode()
|
/Linux-v5.4/Documentation/userspace-api/ |
D | seccomp_filter.rst | 24 Additionally, BPF makes it impossible for users of seccomp to fall prey 46 An additional seccomp mode is added and is enabled using the same 47 prctl(2) call as the strict seccomp. If the architecture has 87 A seccomp filter may return any of the following values. If multiple 119 ``SIGSYS`` triggered by seccomp will have a si_code of ``SYS_SECCOMP``. 149 The seccomp check will not be run again after the tracer is 150 notified. (This means that seccomp-based sandboxes MUST NOT 187 The ``samples/seccomp/`` directory contains both an x86-specific example 194 The ``SECCOMP_RET_USER_NOTIF`` return code lets seccomp filters pass a 200 argument to the ``seccomp()`` syscall: [all …]
|
D | no_new_privs.rst | 47 - Filters installed for the seccomp mode 2 sandbox persist across
|
/Linux-v5.4/kernel/ |
D | seccomp.c | 260 READ_ONCE(current->seccomp.filter); in seccomp_run_filters() 288 if (current->seccomp.mode && current->seccomp.mode != seccomp_mode) in seccomp_may_assign_mode() 302 task->seccomp.mode = seccomp_mode; in seccomp_assign_mode() 353 if (thread->seccomp.mode == SECCOMP_MODE_DISABLED || in seccomp_can_sync_threads() 354 (thread->seccomp.mode == SECCOMP_MODE_FILTER && in seccomp_can_sync_threads() 355 is_ancestor(thread->seccomp.filter, in seccomp_can_sync_threads() 356 caller->seccomp.filter))) in seccomp_can_sync_threads() 400 smp_store_release(&thread->seccomp.filter, in seccomp_sync_threads() 401 caller->seccomp.filter); in seccomp_sync_threads() 418 if (thread->seccomp.mode == SECCOMP_MODE_DISABLED) in seccomp_sync_threads() [all …]
|
D | ptrace.c | 655 if (seccomp_mode(&current->seccomp) != SECCOMP_MODE_DISABLED || in ptrace_setoptions() 933 info->seccomp.ret_data = child->ptrace_message; in ptrace_get_syscall_info_seccomp() 936 return offsetofend(struct ptrace_syscall_info, seccomp.ret_data); in ptrace_get_syscall_info_seccomp()
|
D | Makefile | 89 obj-$(CONFIG_SECCOMP) += seccomp.o
|
D | sys_ni.c | 328 COND_SYSCALL(seccomp);
|
/Linux-v5.4/Documentation/features/seccomp/seccomp-filter/ |
D | arch-support.txt | 2 # Feature name: seccomp-filter 4 # description: arch supports seccomp filters
|
/Linux-v5.4/tools/testing/selftests/seccomp/ |
D | seccomp_bpf.c | 207 #ifndef seccomp 208 int seccomp(unsigned int op, unsigned int flags, void *args) in seccomp() function 716 ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0, in kill_thread_or_group() 723 ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog_thread)); in kill_thread_or_group() 2095 ret = seccomp(-1, 0, &prog); in TEST() 2104 ret = seccomp(SECCOMP_SET_MODE_STRICT, -1, NULL); in TEST() 2108 ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, &prog); in TEST() 2114 ret = seccomp(SECCOMP_SET_MODE_FILTER, -1, &prog); in TEST() 2118 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, NULL); in TEST() 2123 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog); in TEST() [all …]
|
/Linux-v5.4/samples/seccomp/ |
D | user-trap.c | 26 static int seccomp(unsigned int op, unsigned int flags, void *args) in seccomp() function 101 return seccomp(SECCOMP_SET_MODE_FILTER, flags, &prog); in user_trap_syscall() 293 if (seccomp(SECCOMP_GET_NOTIF_SIZES, 0, &sizes) < 0) { in main()
|
/Linux-v5.4/arch/microblaze/ |
D | Kconfig | 124 bool "Enable seccomp to safely compute untrusted bytecode" 133 their own address space using seccomp. Once seccomp is 134 enabled via /proc/<pid>/seccomp, it cannot be disabled 136 defined by each seccomp mode.
|
/Linux-v5.4/arch/um/ |
D | Kconfig | 174 prompt "Enable seccomp to safely compute untrusted bytecode" 181 their own address space using seccomp. Once seccomp is 184 defined by each seccomp mode.
|
/Linux-v5.4/samples/ |
D | Makefile | 17 subdir-$(CONFIG_SAMPLE_SECCOMP) += seccomp
|
D | Kconfig | 113 bool "Build seccomp sample code" 116 Build samples of seccomp filters using various methods of
|
/Linux-v5.4/arch/arm/include/asm/ |
D | Kbuild | 18 generic-y += seccomp.h
|
/Linux-v5.4/include/uapi/linux/ |
D | ptrace.h | 100 } seccomp; member
|
/Linux-v5.4/arch/parisc/include/asm/ |
D | Kbuild | 22 generic-y += seccomp.h
|
/Linux-v5.4/arch/parisc/ |
D | Kconfig | 378 prompt "Enable seccomp to safely compute untrusted bytecode" 385 their own address space using seccomp. Once seccomp is 388 defined by each seccomp mode.
|
/Linux-v5.4/arch/mips/kernel/ |
D | scall64-n32.S | 78 bltz v0, 1f # seccomp failed? Skip syscall
|
D | scall64-n64.S | 89 bltz v0, 1f # seccomp failed? Skip syscall
|
D | scall32-o32.S | 131 bltz v0, 1f # seccomp failed? Skip syscall
|
D | scall64-o32.S | 133 bltz v0, 1f # seccomp failed? Skip syscall
|
/Linux-v5.4/arch/sparc/ |
D | Kconfig | 236 bool "Enable seccomp to safely compute untrusted bytecode" 245 their own address space using seccomp. Once seccomp is 246 enabled via /proc/<pid>/seccomp, it cannot be disabled 248 defined by each seccomp mode.
|
/Linux-v5.4/tools/testing/selftests/ |
D | Makefile | 42 TARGETS += seccomp
|
/Linux-v5.4/arch/sh/ |
D | Kconfig | 649 bool "Enable seccomp to safely compute untrusted bytecode" 657 their own address space using seccomp. Once seccomp is 659 allowed to execute a few safe syscalls defined by each seccomp
|