
     1  // Copyright 2018 The gVisor Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package linux
    16  
    17  import "fmt"
    18  
// Seccomp constants taken from <linux/seccomp.h>.
//
// Only the subset this package needs is mirrored; the kernel header defines
// more (e.g. SECCOMP_MODE_STRICT, which would be 1, is not listed here).
const (
	// Seccomp modes.
	SECCOMP_MODE_NONE   = 0
	SECCOMP_MODE_FILTER = 2

	// Masks that split a filter return value into its action (upper 16 bits)
	// and data (lower 16 bits).
	//
	// SECCOMP_RET_ACTION_FULL keeps bit 31 and so tells
	// SECCOMP_RET_KILL_PROCESS (0x80000000) apart from SECCOMP_RET_KILL_THREAD
	// (0x00000000). The older SECCOMP_RET_ACTION mask drops that bit, which
	// maps both to "kill thread" and under-reports the more severe action.
	// The helpers in this file therefore classify with the _FULL mask;
	// SECCOMP_RET_ACTION is kept for completeness and is not used here.
	SECCOMP_RET_ACTION_FULL = 0xffff0000
	SECCOMP_RET_ACTION      = 0x7fff0000
	SECCOMP_RET_DATA        = 0x0000ffff

	// seccomp(2) operations and flags. SECCOMP_SET_MODE_FILTER and
	// SECCOMP_GET_ACTION_AVAIL are operation numbers; SECCOMP_FILTER_FLAG_TSYNC
	// is a flag for SECCOMP_SET_MODE_FILTER. The two values of 1 live in
	// different namespaces and do not collide.
	SECCOMP_SET_MODE_FILTER   = 1
	SECCOMP_FILTER_FLAG_TSYNC = 1
	SECCOMP_GET_ACTION_AVAIL  = 2
)
    32  
// BPFAction is the 32-bit return value of a seccomp-bpf filter. The upper 16
// bits (SECCOMP_RET_ACTION_FULL) select the action and the lower 16 bits
// (SECCOMP_RET_DATA) carry action-specific data; see Data and WithReturnCode.
//
// The zero value is SECCOMP_RET_KILL_THREAD, so an uninitialised BPFAction is
// a kill action, not an allow — the type fails closed.
type BPFAction uint32
    35  
// BPFAction definitions. Each value is the bare action with zero data bits;
// for SECCOMP_RET_ERRNO and SECCOMP_RET_TRACE the data is set with
// WithReturnCode and read back with Data.
//
// SECCOMP_RET_KILL_PROCESS is the only action with bit 31 set: masking with
// SECCOMP_RET_ACTION (0x7fff0000) instead of SECCOMP_RET_ACTION_FULL yields
// 0, i.e. SECCOMP_RET_KILL_THREAD, so always classify with the _FULL mask.
const (
	SECCOMP_RET_KILL_PROCESS BPFAction = 0x80000000 // only action with bit 31 set
	SECCOMP_RET_KILL_THREAD  BPFAction = 0x00000000 // also the zero value of BPFAction
	SECCOMP_RET_TRAP         BPFAction = 0x00030000 // data bits carried along (see Data)
	SECCOMP_RET_ERRNO        BPFAction = 0x00050000 // data bits are the return code
	SECCOMP_RET_TRACE        BPFAction = 0x7ff00000 // data bits are the return code
	SECCOMP_RET_ALLOW        BPFAction = 0x7fff0000
)
    45  
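// String returns a human-readable description of the action. For
// SECCOMP_RET_TRAP, SECCOMP_RET_ERRNO and SECCOMP_RET_TRACE the data bits are
// appended in decimal. Any value whose action bits match none of the
// constants in this file — including kernel actions this file does not model,
// such as SECCOMP_RET_LOG or SECCOMP_RET_USER_NOTIF — is rendered as
// "invalid action: 0x...".
func (a BPFAction) String() string {
	// Classify with the full mask: SECCOMP_RET_ACTION drops bit 31 and would
	// report SECCOMP_RET_KILL_PROCESS as "kill thread".
	switch a & SECCOMP_RET_ACTION_FULL {
	case SECCOMP_RET_KILL_PROCESS:
		return "kill process"
	case SECCOMP_RET_KILL_THREAD:
		return "kill thread"
	case SECCOMP_RET_TRAP:
		return fmt.Sprintf("trap (%d)", a.Data())
	case SECCOMP_RET_ERRNO:
		return fmt.Sprintf("errno (%d)", a.Data())
	case SECCOMP_RET_TRACE:
		return fmt.Sprintf("trace (%d)", a.Data())
	case SECCOMP_RET_ALLOW:
		return "allow"
	}
	// Format the underlying integer, not `a` itself: %x (like %s and %v) on a
	// value that implements fmt.Stringer invokes String(), so passing `a`
	// re-enters this method for every unrecognised action and never
	// terminates (the goroutine dies with a stack overflow, which cannot be
	// recovered). Converting to uint32 strips the method set.
	return fmt.Sprintf("invalid action: %#x", uint32(a))
}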
    63  
// Data returns the SECCOMP_RET_DATA portion of the action: the low 16 bits
// that carry the trap, errno or trace payload. The action bits are discarded,
// so the result is meaningful only for actions that define a data field.
func (a BPFAction) Data() uint16 {
	payload := uint32(a) & SECCOMP_RET_DATA
	return uint16(payload)
}
    68  
// WithReturnCode returns a copy of a whose SECCOMP_RET_DATA bits (the low 16
// bits) are replaced by code. The existing data bits are dropped and the
// action bits are kept unchanged. It is only meaningful for SECCOMP_RET_ERRNO
// and SECCOMP_RET_TRACE, the two actions whose data field this package treats
// as a return code; calling it on any other action is a programming error and
// panics.
//
// NOTE(review): code is not range-checked here. For SECCOMP_RET_ERRNO the
// kernel clamps the data to MAX_ERRNO (4095) rather than rejecting larger
// values, so a caller that passes a bigger code gets a different errno than
// it asked for — confirm whether callers need validation.
func (a BPFAction) WithReturnCode(code uint16) BPFAction {
	switch action := a & SECCOMP_RET_ACTION_FULL; action {
	case SECCOMP_RET_ERRNO, SECCOMP_RET_TRACE:
		// action has zero data bits after masking, so OR-ing in code
		// replaces rather than merges the previous return value.
		return action | BPFAction(code)
	default:
		panic("WithReturnCode only valid for SECCOMP_RET_ERRNO and SECCOMP_RET_TRACE")
	}
}
    81  
// SockFprog is sock_fprog taken from <linux/filter.h>: the (length, pointer)
// pair that describes a classic BPF program when installing a filter.
//
// The layout reproduces the kernel struct as seen on a 64-bit ABI: Len at
// offset 0, 6 bytes of padding, Filter at offset 8. NOTE(review): a 32-bit
// kernel would have a 4-byte pointer at offset 4 instead — presumably fine
// for this package's targets, but confirm before reusing the type elsewhere.
type SockFprog struct {
	// Len is the number of BPFInstruction values that Filter points to.
	Len uint16

	// pad is unexported and exists only to place Filter at offset 8.
	pad [6]byte

	// Filter points to the first instruction of the program.
	Filter *BPFInstruction
}
    88  
// SeccompData is equivalent to struct seccomp_data, which contains the data
// passed to seccomp-bpf filters. It is the only input a filter can inspect.
// The layout is 64 bytes of plain integers (4 + 4 + 8 + 6*8) with no padding
// and filters address it by byte offset, so field order and widths must not
// change.
//
// +marshal
type SeccompData struct {
	// Nr is the system call number. It is signed, matching the kernel's int
	// field; filters should compare it as a signed value.
	Nr int32

	// Arch is an AUDIT_ARCH_* value indicating the system call convention.
	// A filter that allows syscalls by Nr should check Arch first: the same
	// number can denote different syscalls under different conventions.
	Arch uint32

	// InstructionPointer is the value of the instruction pointer at the time
	// of the system call.
	InstructionPointer uint64

	// Args contains the first 6 system call arguments as raw 64-bit register
	// values. They are values only: a filter cannot dereference a pointer
	// argument, so any check must be on the number itself.
	Args [6]uint64
}