github.com/MerlinKodo/gvisor@v0.0.0-20231110090155-957f62ecf90e/pkg/abi/linux/seccomp.go (about) 1 // Copyright 2018 The gVisor Authors. 2 // 3 // Licensed under the Apache License, Version 2.0 (the "License"); 4 // you may not use this file except in compliance with the License. 5 // You may obtain a copy of the License at 6 // 7 // http://www.apache.org/licenses/LICENSE-2.0 8 // 9 // Unless required by applicable law or agreed to in writing, software 10 // distributed under the License is distributed on an "AS IS" BASIS, 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 // See the License for the specific language governing permissions and 13 // limitations under the License. 14 15 package linux 16 17 import "fmt" 18 19 // Seccomp constants taken from <linux/seccomp.h>. 20 const ( 21 SECCOMP_MODE_NONE = 0 22 SECCOMP_MODE_FILTER = 2 23 24 SECCOMP_RET_ACTION_FULL = 0xffff0000 25 SECCOMP_RET_ACTION = 0x7fff0000 26 SECCOMP_RET_DATA = 0x0000ffff 27 28 SECCOMP_SET_MODE_FILTER = 1 29 SECCOMP_FILTER_FLAG_TSYNC = 1 30 SECCOMP_GET_ACTION_AVAIL = 2 31 ) 32 33 // BPFAction is an action for a BPF filter. 34 type BPFAction uint32 35 36 // BPFAction definitions. 37 const ( 38 SECCOMP_RET_KILL_PROCESS BPFAction = 0x80000000 39 SECCOMP_RET_KILL_THREAD BPFAction = 0x00000000 40 SECCOMP_RET_TRAP BPFAction = 0x00030000 41 SECCOMP_RET_ERRNO BPFAction = 0x00050000 42 SECCOMP_RET_TRACE BPFAction = 0x7ff00000 43 SECCOMP_RET_ALLOW BPFAction = 0x7fff0000 44 ) 45 46 func (a BPFAction) String() string { 47 switch a & SECCOMP_RET_ACTION_FULL { 48 case SECCOMP_RET_KILL_PROCESS: 49 return "kill process" 50 case SECCOMP_RET_KILL_THREAD: 51 return "kill thread" 52 case SECCOMP_RET_TRAP: 53 return fmt.Sprintf("trap (%d)", a.Data()) 54 case SECCOMP_RET_ERRNO: 55 return fmt.Sprintf("errno (%d)", a.Data()) 56 case SECCOMP_RET_TRACE: 57 return fmt.Sprintf("trace (%d)", a.Data()) 58 case SECCOMP_RET_ALLOW: 59 return "allow" 60 } 61 return fmt.Sprintf("invalid action: %#x", a) 62 } 63 64 // Data returns the SECCOMP_RET_DATA portion of the action. 65 func (a BPFAction) Data() uint16 { 66 return uint16(a & SECCOMP_RET_DATA) 67 } 68 69 // WithReturnCode sets the lower 16 bits of the SECCOMP_RET_ERRNO or 70 // SECCOMP_RET_TRACE actions to the provided return code, overwriting the previous 71 // action, and returns a new BPFAction. If not SECCOMP_RET_ERRNO or 72 // SECCOMP_RET_TRACE then this panics. 73 func (a BPFAction) WithReturnCode(code uint16) BPFAction { 74 // mask out the previous return value 75 baseAction := a & SECCOMP_RET_ACTION_FULL 76 if baseAction == SECCOMP_RET_ERRNO || baseAction == SECCOMP_RET_TRACE { 77 return BPFAction(uint32(baseAction) | uint32(code)) 78 } 79 panic("WithReturnCode only valid for SECCOMP_RET_ERRNO and SECCOMP_RET_TRACE") 80 } 81 82 // SockFprog is sock_fprog taken from <linux/filter.h>. 83 type SockFprog struct { 84 Len uint16 85 pad [6]byte 86 Filter *BPFInstruction 87 } 88 89 // SeccompData is equivalent to struct seccomp_data, which contains the data 90 // passed to seccomp-bpf filters. 91 // 92 // +marshal 93 type SeccompData struct { 94 // Nr is the system call number. 95 Nr int32 96 97 // Arch is an AUDIT_ARCH_* value indicating the system call convention. 98 Arch uint32 99 100 // InstructionPointer is the value of the instruction pointer at the time 101 // of the system call. 102 InstructionPointer uint64 103 104 // Args contains the first 6 system call arguments. 105 Args [6]uint64 106 }