| OLD | NEW |
|---|
| 1 // Copyright 2015 The Chromium Authors. All rights reserved. | 1 // Copyright 2015 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #ifndef SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SECCOMP_H_ | 5 #ifndef SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SECCOMP_H_ |
| 6 #define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SECCOMP_H_ | 6 #define SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SECCOMP_H_ |
| 7 | 7 |
| 8 #include <linux/filter.h> | |
| 9 | |
| 10 // The Seccomp2 kernel ABI is not part of older versions of glibc. | 8 // The Seccomp2 kernel ABI is not part of older versions of glibc. |
| 11 // As we can't break compilation with these versions of the library, | 9 // As we can't break compilation with these versions of the library, |
| 12 // we explicitly define all missing symbols. | 10 // we explicitly define all missing symbols. |
| 13 // If we ever decide that we can now rely on system headers, the following | 11 // If we ever decide that we can now rely on system headers, the following |
| 14 // include files should be enabled: | 12 // include files should be enabled: |
| 15 // #include <linux/audit.h> | 13 // #include <linux/audit.h> |
| 16 // #include <linux/seccomp.h> | 14 // #include <linux/seccomp.h> |
| 17 | 15 |
| 18 // For audit.h | 16 // For audit.h |
| 19 #ifndef EM_ARM | 17 #ifndef EM_ARM |
| (...skipping 40 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 60 #define PR_GET_SECCOMP 21 | 58 #define PR_GET_SECCOMP 21 |
| 61 #endif | 59 #endif |
| 62 #ifndef PR_SET_NO_NEW_PRIVS | 60 #ifndef PR_SET_NO_NEW_PRIVS |
| 63 #define PR_SET_NO_NEW_PRIVS 38 | 61 #define PR_SET_NO_NEW_PRIVS 38 |
| 64 #define PR_GET_NO_NEW_PRIVS 39 | 62 #define PR_GET_NO_NEW_PRIVS 39 |
| 65 #endif | 63 #endif |
| 66 #ifndef IPC_64 | 64 #ifndef IPC_64 |
| 67 #define IPC_64 0x0100 | 65 #define IPC_64 0x0100 |
| 68 #endif | 66 #endif |
| 69 | 67 |
| 70 #ifndef BPF_MOD | |
| 71 #define BPF_MOD 0x90 | |
| 72 #endif | |
| 73 #ifndef BPF_XOR | |
| 74 #define BPF_XOR 0xA0 | |
| 75 #endif | |
| 76 | |
| 77 // In order to build will older tool chains, we currently have to avoid | 68 // In order to build will older tool chains, we currently have to avoid |
| 78 // including <linux/seccomp.h>. Until that can be fixed (if ever). Rely on | 69 // including <linux/seccomp.h>. Until that can be fixed (if ever). Rely on |
| 79 // our own definitions of the seccomp kernel ABI. | 70 // our own definitions of the seccomp kernel ABI. |
| 80 #ifndef SECCOMP_MODE_FILTER | 71 #ifndef SECCOMP_MODE_FILTER |
| 81 #define SECCOMP_MODE_DISABLED 0 | 72 #define SECCOMP_MODE_DISABLED 0 |
| 82 #define SECCOMP_MODE_STRICT 1 | 73 #define SECCOMP_MODE_STRICT 1 |
| 83 #define SECCOMP_MODE_FILTER 2 // User user-supplied filter | 74 #define SECCOMP_MODE_FILTER 2 // User user-supplied filter |
| 84 #endif | 75 #endif |
| 85 | 76 |
| 86 #ifndef SECCOMP_SET_MODE_STRICT | 77 #ifndef SECCOMP_SET_MODE_STRICT |
| (...skipping 20 matching lines...) Expand all Loading... |
| 107 #define SECCOMP_RET_DATA 0x0000ffffU // sections | 98 #define SECCOMP_RET_DATA 0x0000ffffU // sections |
| 108 #else | 99 #else |
| 109 #define SECCOMP_RET_INVALID 0x00010000U // Illegal return value | 100 #define SECCOMP_RET_INVALID 0x00010000U // Illegal return value |
| 110 #endif | 101 #endif |
| 111 | 102 |
| 112 #ifndef SYS_SECCOMP | 103 #ifndef SYS_SECCOMP |
| 113 #define SYS_SECCOMP 1 | 104 #define SYS_SECCOMP 1 |
| 114 #endif | 105 #endif |
| 115 | 106 |
| 116 #endif // SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SECCOMP_H_ | 107 #endif // SANDBOX_LINUX_SYSTEM_HEADERS_LINUX_SECCOMP_H_ |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 1029283003:
WIP: Implement seccomp-bpf sandbox for nacl_helper_nonsfi.
Base URL: https://chromium.googlesource.com/chromium/src.git@master