diff options
author | Tyler Hicks <tyhicks@canonical.com> | 2017-08-11 06:33:53 +0200 |
---|---|---|
committer | Kees Cook <keescook@chromium.org> | 2017-08-14 22:46:44 +0200 |
commit | d612b1fd8010d0d67b5287fe146b8b55bcbb8655 (patch) | |
tree | cadcaeebf71ffa28aced54e9fc8b7c0ee42cc6d3 /include | |
parent | seccomp: Sysctl to display available actions (diff) | |
download | linux-d612b1fd8010d0d67b5287fe146b8b55bcbb8655.tar.xz linux-d612b1fd8010d0d67b5287fe146b8b55bcbb8655.zip |
seccomp: Operation for checking if an action is available
Userspace code that needs to check if the kernel supports a given action
may not be able to use the /proc/sys/kernel/seccomp/actions_avail
sysctl. The process may be running in a sandbox and, therefore,
sufficient filesystem access may not be available. This patch adds an
operation to the seccomp(2) syscall that allows userspace code to ask
the kernel if a given action is available.
If the action is supported by the kernel, 0 is returned. If the action
is not supported by the kernel, -1 is returned with errno set to
-EOPNOTSUPP. If this check is attempted on a kernel that doesn't support
this new operation, -1 is returned with errno set to -EINVAL meaning
that userspace code will have the ability to differentiate between the
two error cases.
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Suggested-by: Andy Lutomirski <luto@amacapital.net>
Signed-off-by: Kees Cook <keescook@chromium.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/uapi/linux/seccomp.h | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h index 0f238a43ff1e..aaad61cc46bc 100644 --- a/include/uapi/linux/seccomp.h +++ b/include/uapi/linux/seccomp.h @@ -11,8 +11,9 @@ #define SECCOMP_MODE_FILTER 2 /* uses user-supplied filter. */ /* Valid operations for seccomp syscall. */ -#define SECCOMP_SET_MODE_STRICT 0 -#define SECCOMP_SET_MODE_FILTER 1 +#define SECCOMP_SET_MODE_STRICT 0 +#define SECCOMP_SET_MODE_FILTER 1 +#define SECCOMP_GET_ACTION_AVAIL 2 /* Valid flags for SECCOMP_SET_MODE_FILTER */ #define SECCOMP_FILTER_FLAG_TSYNC 1 |