Lines matching refs:seccomp (non-contiguous excerpt; each entry below is prefixed with its line number in the source file)

3  * linux/kernel/seccomp.c
16 #define pr_fmt(fmt) "seccomp: " fmt
27 #include <linux/seccomp.h>
71 * The seccomp data. This pointer is valid the entire time this
94 * dying, a new seccomp addfd message, or changing to REPLIED
138 * struct notification - container for seccomp userspace notifications. Since
139 * most seccomp filters will not have notification listeners attached and this
160 * struct action_cache - per-filter cache of seccomp actions per
191 * struct seccomp_filter - container for seccomp BPF programs
218 * with current->seccomp.filter, the most recently attached or inherited filter.
269 * seccomp_check_filter - verify seccomp filter code
363 * seccomp_cache_check_allow - lookup seccomp cache
364 * @sfilter: The seccomp filter
365 * @sd: The seccomp data to lookup the cache with
398 * seccomp_run_filters - evaluates all seccomp filters against @sd
399 * @sd: optional seccomp data to be passed to filters
404 * Returns valid seccomp BPF response codes.
412 READ_ONCE(current->seccomp.filter);
441 if (current->seccomp.mode && current->seccomp.mode != seccomp_mode)
455 task->seccomp.mode = seccomp_mode;
461 /* Assume default seccomp processes want spec flaw mitigation. */
487 * either not in the correct seccomp mode or did not have an ancestral
488 * seccomp filter.
506 if (thread->seccomp.mode == SECCOMP_MODE_DISABLED ||
507 (thread->seccomp.mode == SECCOMP_MODE_FILTER &&
508 is_ancestor(thread->seccomp.filter,
509 caller->seccomp.filter)))
571 struct seccomp_filter *orig = tsk->seccomp.filter;
577 tsk->seccomp.filter = NULL;
613 __seccomp_filter_release(thread->seccomp.filter);
616 smp_store_release(&thread->seccomp.filter,
617 caller->seccomp.filter);
618 atomic_set(&thread->seccomp.filter_count,
619 atomic_read(&caller->seccomp.filter_count));
624 * a thread that sets it up, enters seccomp,
631 * Opt the other thread into seccomp if needed.
636 if (thread->seccomp.mode == SECCOMP_MODE_DISABLED)
643 * seccomp_prepare_filter: Prepares a seccomp filter for use.
665 * Installing a seccomp filter requires that the task has
726 * @sd: The seccomp data to check against, only syscall number and arch
840 * @sfilter: The seccomp filter
867 * @filter: seccomp filter to add to the current process
873 * seccomp mode or did not have an ancestral seccomp filter
886 for (walker = current->seccomp.filter; walker; walker = walker->prev)
916 filter->prev = current->seccomp.filter;
918 current->seccomp.filter = filter;
919 atomic_inc(&current->seccomp.filter_count);
936 struct seccomp_filter *orig = tsk->seccomp.filter;
1031 current->seccomp.mode = SECCOMP_MODE_DEAD;
1039 int mode = current->seccomp.mode;
1306 current->seccomp.mode = SECCOMP_MODE_DEAD;
1339 int mode = current->seccomp.mode;
1368 return current->seccomp.mode;
1372 * seccomp_set_mode_strict: internal function for setting strict seccomp
1374 * Once current->seccomp.mode is non-zero, it may not be changed.
1848 ret = anon_inode_getfile("seccomp notify", &seccomp_notify_ops,
1869 * we use current->seccomp.filter.
1880 for (cur = current->seccomp.filter; cur; cur = cur->prev) {
1889 * seccomp_set_mode_filter: internal function for setting seccomp filter
1897 * Once current->seccomp.mode is non-zero, it may not be changed.
1955 * Make sure we cannot change seccomp or nnp state via TSYNC
2071 SYSCALL_DEFINE3(seccomp, unsigned int, op, unsigned int, flags,
2078 * prctl_set_seccomp: configures current->seccomp.mode
2124 if (task->seccomp.mode != SECCOMP_MODE_FILTER) {
2129 orig = task->seccomp.filter;
2166 current->seccomp.mode != SECCOMP_MODE_DISABLED) {
2204 current->seccomp.mode != SECCOMP_MODE_DISABLED) {
2452 register_sysctl_init("kernel/seccomp", seccomp_sysctl_table);
2482 * We don't want some sandboxed process to know what their seccomp
2491 f = READ_ONCE(task->seccomp.filter);