diff options
| author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2016-10-24 20:23:21 -0400 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2016-10-24 20:23:21 -0400 |
| commit | 8d3eafa161af22bb04dc0210885ffe79560a59ee (patch) | |
| tree | 3a98a0dddd08bcc7c66ae527d10e871734db4ff8 /src/shared/seccomp-util.h | |
| parent | f2e5f466cbd8e0a93325e4ea8c2c38db3bbd1bc8 (diff) | |
| parent | 171ae2cd86390c17d51121f9dff607911b888c5a (diff) | |
Merge pull request #4450 from poettering/seccompfixes
Various seccomp fixes and NEWS update.
Diffstat (limited to 'src/shared/seccomp-util.h')
| -rw-r--r-- | src/shared/seccomp-util.h | 37 |
1 files changed, 32 insertions, 5 deletions
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h index cca7c17912..8050fc6fbf 100644 --- a/src/shared/seccomp-util.h +++ b/src/shared/seccomp-util.h @@ -20,18 +20,45 @@ ***/ #include <seccomp.h> +#include <stdbool.h> #include <stdint.h> const char* seccomp_arch_to_string(uint32_t c); int seccomp_arch_from_string(const char *n, uint32_t *ret); -int seccomp_add_secondary_archs(scmp_filter_ctx *c); +int seccomp_init_conservative(scmp_filter_ctx *ret, uint32_t default_action); + +int seccomp_add_secondary_archs(scmp_filter_ctx c); bool is_seccomp_available(void); -typedef struct SystemCallFilterSet { - const char *set_name; +typedef struct SyscallFilterSet { + const char *name; const char *value; -} SystemCallFilterSet; +} SyscallFilterSet; + +enum { + SYSCALL_FILTER_SET_CLOCK, + SYSCALL_FILTER_SET_CPU_EMULATION, + SYSCALL_FILTER_SET_DEBUG, + SYSCALL_FILTER_SET_DEFAULT, + SYSCALL_FILTER_SET_IO_EVENT, + SYSCALL_FILTER_SET_IPC, + SYSCALL_FILTER_SET_KEYRING, + SYSCALL_FILTER_SET_MODULE, + SYSCALL_FILTER_SET_MOUNT, + SYSCALL_FILTER_SET_NETWORK_IO, + SYSCALL_FILTER_SET_OBSOLETE, + SYSCALL_FILTER_SET_PRIVILEGED, + SYSCALL_FILTER_SET_PROCESS, + SYSCALL_FILTER_SET_RAW_IO, + _SYSCALL_FILTER_SET_MAX +}; + +extern const SyscallFilterSet syscall_filter_sets[]; + +const SyscallFilterSet *syscall_filter_set_find(const char *name); + +int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterSet *set, uint32_t action); -extern const SystemCallFilterSet syscall_filter_sets[]; +int seccomp_load_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action); |