github.com/kubiko/snapd@v0.0.0-20201013125620-d4f3094d9ddf/cmd/snap-confine/seccomp-support.h (about)

     1  /*
     2   * Copyright (C) 2015-2017 Canonical Ltd
     3   *
     4   * This program is free software: you can redistribute it and/or modify
     5   * it under the terms of the GNU General Public License version 3 as
     6   * published by the Free Software Foundation.
     7   *
     8   * This program is distributed in the hope that it will be useful,
     9   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    10   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    11   * GNU General Public License for more details.
    12   *
    13   * You should have received a copy of the GNU General Public License
    14   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    15   *
    16   */
    17  #ifndef SNAP_CONFINE_SECCOMP_SUPPORT_H
    18  #define SNAP_CONFINE_SECCOMP_SUPPORT_H
    19  
    20  #include <stdbool.h>
    21  
    22  /**
    23   * sc_apply_seccomp_profile_for_security_tag applies a seccomp profile to the
    24   * current process. The filter is loaded from pre-compiled BPF bytecode
    25   * stored in "/var/lib/snap/seccomp/bpf" using the security tag and the
    26   * extension ".bin". All components along that path must be owned by root and
    27   * cannot be writable by UNIX _other_.
    28   *
    29   * The security tag is shared with other parts of snapd.
    30   * For applications it is the string "snap.${SNAP_INSTANCE_NAME}.${app}".
    31   * For hooks it is "snap.${SNAP_INSTANCE_NAME}.hook.{hook_name}".
    32   *
    33   * Profiles must be present in the file-system. If a profile is not present
    34   * then several attempts are made, each coupled with a sleep period. Up to 3600
    35   * seconds may elapse before the function gives up. Unless the
    36   * $SNAP_CONFINE_MAX_PROFILE_WAIT environment variable dictates otherwise, the
    37   * default wait time is 120 seconds.
    38   *
    39   * A profile may contain a valid BPF program or the string "@unrestricted\n".  In
    40   * the former case the profile is applied to the current process using
    41   * sc_apply_seccomp_filter. In the latter case no filter is installed at all.
    42   *
    43   * The return value indicates whether the process uses confinement or runs under
    44   * the special non-confining "@unrestricted" profile. NOTE(review): this header does not say which value is which (presumably true means confined) - confirm against the implementation before branching on it.
    45   **/
    46  bool sc_apply_seccomp_profile_for_security_tag(const char *security_tag);
    47  
    48  void sc_apply_global_seccomp_profile(void);	/* NOTE(review): undocumented in this header. Takes no security tag and returns no status, so callers cannot observe a failure through the return value; document which profile it loads and how errors are handled. */
    49  
    50  #endif