github.com/metacubex/gvisor@v0.0.0-20240320004321-933faba989ec/pkg/abi/linux/seccomp.go (about)

     1  // Copyright 2018 The gVisor Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package linux
    16  
    17  import "fmt"
    18  
// Seccomp constants taken from <linux/seccomp.h>.
//
// They fall into three groups: the seccomp modes, the masks that split a
// filter return value into its action and data halves, and the seccomp(2)
// operations and flags.
const (
	// Seccomp modes.
	SECCOMP_MODE_NONE   = 0
	SECCOMP_MODE_FILTER = 2
)

const (
	// Masks applied to a filter return value: the upper 16 bits select the
	// action, the lower 16 bits carry action-specific data.
	//
	// SECCOMP_RET_ACTION_FULL keeps every action bit and is the mask to use
	// when classifying a return value: SECCOMP_RET_KILL_PROCESS (0x80000000)
	// and SECCOMP_RET_KILL_THREAD (0x00000000) differ only in the top bit,
	// so under the older SECCOMP_RET_ACTION mask (0x7fff0000) both become 0
	// and a kill-process action would be reported as kill-thread.
	SECCOMP_RET_ACTION_FULL = 0xffff0000
	SECCOMP_RET_ACTION      = 0x7fff0000
	SECCOMP_RET_DATA        = 0x0000ffff
)

const (
	// seccomp(2) operations and the flag accepted by SECCOMP_SET_MODE_FILTER.
	SECCOMP_SET_MODE_FILTER   = 1
	SECCOMP_FILTER_FLAG_TSYNC = 1
	SECCOMP_GET_ACTION_AVAIL  = 2
)
    32  
// BPFAction is a seccomp-bpf filter return value. Its upper 16 bits
// (SECCOMP_RET_ACTION_FULL) select the action and its lower 16 bits
// (SECCOMP_RET_DATA) carry action-specific data, such as the errno value
// returned for SECCOMP_RET_ERRNO.
type BPFAction uint32

// BPFAction definitions: the action half of a filter return value with the
// data bits clear.
const (
	// SECCOMP_RET_KILL_PROCESS and SECCOMP_RET_KILL_THREAD differ only in the
	// top bit; only SECCOMP_RET_ACTION_FULL (not SECCOMP_RET_ACTION) tells
	// them apart.
	SECCOMP_RET_KILL_PROCESS BPFAction = 0x80000000
	SECCOMP_RET_KILL_THREAD  BPFAction = 0x00000000

	SECCOMP_RET_TRAP  BPFAction = 0x00030000
	SECCOMP_RET_ERRNO BPFAction = 0x00050000
	SECCOMP_RET_TRACE BPFAction = 0x7ff00000
	SECCOMP_RET_ALLOW BPFAction = 0x7fff0000
)
    45  
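// String returns a human-readable name for the action encoded in a. For the
// trap, errno and trace actions the SECCOMP_RET_DATA bits are included (for
// trap and trace only when non-zero); the data bits of every other action are
// ignored. A value whose action bits match no known action is rendered as
// "invalid action: <hex>".
func (a BPFAction) String() string {
	data := a.Data()
	switch a & SECCOMP_RET_ACTION_FULL {
	case SECCOMP_RET_KILL_PROCESS:
		return "kill process"
	case SECCOMP_RET_KILL_THREAD:
		return "kill thread"
	case SECCOMP_RET_TRAP:
		if data == 0 {
			return "trap"
		}
		return fmt.Sprintf("trap (data=%#x)", data)
	case SECCOMP_RET_ERRNO:
		return fmt.Sprintf("return errno=%#x", data)
	case SECCOMP_RET_TRACE:
		if data == 0 {
			return "trace"
		}
		return fmt.Sprintf("trace (data=%#x)", data)
	case SECCOMP_RET_ALLOW:
		return "allow"
	}
	// Format the raw bits rather than a itself: fmt calls String on a
	// Stringer for the %x verb as well, so passing a here would re-enter
	// this method until the stack overflows.
	return fmt.Sprintf("invalid action: %#x", uint32(a))
}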
    71  
// Data returns the SECCOMP_RET_DATA portion of the action, i.e. its lower
// 16 bits: the errno value of a SECCOMP_RET_ERRNO action, or the extra data
// attached to a SECCOMP_RET_TRAP or SECCOMP_RET_TRACE action.
func (a BPFAction) Data() uint16 {
	dataBits := uint32(a) & SECCOMP_RET_DATA
	return uint16(dataBits)
}
    76  
// WithReturnCode returns a copy of a whose lower 16 bits (SECCOMP_RET_DATA)
// are replaced by code. The action bits of a are kept and any data bits it
// previously carried are discarded. Only SECCOMP_RET_ERRNO and
// SECCOMP_RET_TRACE actions carry a return code; calling this on any other
// action panics.
func (a BPFAction) WithReturnCode(code uint16) BPFAction {
	switch action := a & SECCOMP_RET_ACTION_FULL; action {
	case SECCOMP_RET_ERRNO, SECCOMP_RET_TRACE:
		// Build on the masked action so stale data bits cannot survive.
		return action | BPFAction(code)
	default:
		panic("WithReturnCode only valid for SECCOMP_RET_ERRNO and SECCOMP_RET_TRACE")
	}
}
    89  
// SockFprog is sock_fprog taken from <linux/filter.h>: a classic BPF program
// described by an instruction count and a pointer to its first instruction.
type SockFprog struct {
	// Len is the number of instructions Filter points to (sock_fprog.len).
	Len uint16
	// pad keeps Filter at offset 8 (2 bytes of Len + 6 bytes of padding),
	// mirroring the alignment padding the kernel's 64-bit struct sock_fprog
	// has between len and filter.
	pad [6]byte
	// Filter points to the first instruction of the program.
	Filter *BPFInstruction
}
    96  
// SeccompData is equivalent to struct seccomp_data, which contains the data
// passed to seccomp-bpf filters.
//
// +marshal
type SeccompData struct {
	// Nr is the system call number.
	Nr int32

	// Arch is an AUDIT_ARCH_* value indicating the system call convention.
	//
	// NOTE(review): a filter that inspects Nr should check Arch first, since
	// the same number names different system calls under different
	// conventions.
	Arch uint32

	// InstructionPointer is the value of the instruction pointer at the time
	// of the system call.
	InstructionPointer uint64

	// Args contains the first 6 system call arguments.
	Args [6]uint64
}

// String returns a human-friendly representation of this `SeccompData`: the
// system call number in decimal, then the arch, instruction pointer and the
// six arguments as 0x-prefixed hex.
func (sd SeccompData) String() string {
	// fmt formats an array element by element, so %#x on Args yields
	// "[0x.. 0x.. 0x.. 0x.. 0x.. 0x..]", one entry per argument.
	return fmt.Sprintf("sysno=%d arch=%#x rip=%#x args=%#x",
		sd.Nr, sd.Arch, sd.InstructionPointer, sd.Args)
}