seccomp_sys/lib.rs
1extern crate libc;
2/*
3 * seccomp actions
4 */
5#[allow(non_camel_case_types)]
6pub type scmp_filter_ctx = libc::c_void;
7
8/**
9 * Error retern value
10 */
11pub const __NR_SCMP_ERROR: libc::c_int = -1;
12
13/**
14 * Kill the calling thread
15 */
16pub const SCMP_ACT_KILL: u32 = 0x00000000;
17/**
18 * Kill the calling process
19 */
20pub const SCMP_ACT_KILL_PROCESS: u32 = 0x80000000;
21/**
22 * Throw a SIGSYS signal
23 */
24pub const SCMP_ACT_TRAP: u32 = 0x00030000;
25/**
26 * Return the specified error code
27 */
28#[allow(non_snake_case)]
29pub fn SCMP_ACT_ERRNO(x: u32) -> u32 { 0x00050000 | ((x) & 0x0000ffff) }
30/**
31 * Notify a tracing process with the specified value
32 */
33#[allow(non_snake_case)]
34pub fn SCMP_ACT_TRACE(x: u32) -> u32 { 0x7ff00000 | ((x) & 0x0000ffff) }
35/**
36 * Allow the syscall to be executed
37 */
38pub const SCMP_ACT_ALLOW: u32 = 0x7fff0000;
39
40/**
41 * Filter attributes
42 */
43#[allow(non_camel_case_types)]
44#[derive(Debug,Clone,Copy)]
45#[repr(C)]
46pub enum scmp_filter_attr {
47 _SCMP_FLTATR_MIN,
48 SCMP_FLTATR_ACT_DEFAULT, /** default filter action */
49 SCMP_FLTATR_ACT_BADARCH, /** bad architecture action */
50 SCMP_FLTATR_CTL_NNP, /** set NO_NEW_PRIVS on filter load */
51 _SCMP_FLTATR_MAX,
52}
53
54/**
55 * Comparison operators
56 */
57#[allow(non_camel_case_types)]
58#[derive(Debug,Clone,Copy)]
59#[repr(C)]
60pub enum scmp_compare {
61 _SCMP_CMP_MIN = 0,
62 SCMP_CMP_NE = 1, /** not equal */
63 SCMP_CMP_LT = 2, /** less than */
64 SCMP_CMP_LE = 3, /** less than or equal */
65 SCMP_CMP_EQ = 4, /** equal */
66 SCMP_CMP_GE = 5, /** greater than or equal */
67 SCMP_CMP_GT = 6, /** greater than */
68 SCMP_CMP_MASKED_EQ = 7, /** masked equality */
69 _SCMP_CMP_MAX,
70}
71
72/**
73 * Architecutres
74 */
75#[allow(non_camel_case_types)]
76#[derive(Debug,Clone,Copy)]
77#[repr(C)]
78pub enum scmp_arch {
79 SCMP_ARCH_NATIVE = 0x0,
80 SCMP_ARCH_X86 = 0x40000003,
81 SCMP_ARCH_X86_64 = 0xc000003e,
82 SCMP_ARCH_X32 = 0x4000003e,
83 SCMP_ARCH_ARM = 0x40000028,
84 SCMP_ARCH_AARCH64 = 0xc00000b7,
85 SCMP_ARCH_MIPS = 0x8,
86 SCMP_ARCH_MIPS64 = 0x80000008,
87 SCMP_ARCH_MIPS64N32 = 0xa0000008,
88 SCMP_ARCH_MIPSEL = 0x40000008,
89 SCMP_ARCH_MIPSEL64 = 0xc0000008,
90 SCMP_ARCH_MIPSEL64N32 = 0xe0000008,
91 SCMP_ARCH_PPC = 0x14,
92 SCMP_ARCH_PPC64 = 0x80000015,
93 SCMP_ARCH_PPC64LE = 0xc0000015,
94 SCMP_ARCH_S390 = 0x16,
95 SCMP_ARCH_S390X = 0x80000016,
96}
97
98/**
99 * Argument datum
100 */
101#[allow(non_camel_case_types)]
102pub type scmp_datum_t = u64;
103
104/**
105 * Argument / Value comparison definition
106 */
107#[derive(Debug)]
108#[repr(C)]
109pub struct scmp_arg_cmp {
110 pub arg: libc::c_uint, /** argument number, starting at 0 */
111 pub op: scmp_compare, /** the comparison op, e.g. SCMP_CMP_* */
112 pub datum_a: scmp_datum_t,
113 pub datum_b: scmp_datum_t,
114}
115
116#[link(name = "seccomp")]
117extern {
118 /**
119 * Initialize the filter state
120 *
121 * @param def_action the default filter action
122 *
123 * This function initializes the internal seccomp filter state and should
124 * be called before any other functions in this library to ensure the filter
125 * state is initialized. Returns a filter context on success, NULL on failure.
126 *
127 */
128 pub fn seccomp_init(def_action: u32) -> *mut scmp_filter_ctx;
129 /**
130 * Reset the filter state
131 *
132 * @param ctx the filter context
133 * @param def_action the default filter action
134 *
135 * This function resets the given seccomp filter state and ensures the
136 * filter state is reinitialized. This function does not reset any seccomp
137 * filters already loaded into the kernel. Returns zero on success, negative
138 * values on failure.
139 *
140 */
141 pub fn seccomp_reset(ctx: *mut scmp_filter_ctx, def_action: u32) -> libc::c_int;
142 /**
143 * Destroys the filter state and releases any resources
144 *
145 * @param ctx the filter context
146 *
147 * This functions destroys the given seccomp filter state and releases any
148 * resources, including memory, associated with the filter state. This
149 * function does not reset any seccomp filters already loaded into the kernel.
150 * The filter context can no longer be used after calling this function.
151 *
152 */
153 pub fn seccomp_release(ctx: *mut scmp_filter_ctx);
154
155 /**
156 * Adds an architecture to the filter
157 * @param ctx the filter context
158 * @param arch_token the architecture token, e.g. SCMP_ARCH_*
159 *
160 * This function adds a new architecture to the given seccomp filter context.
161 * Any new rules added after this function successfully returns will be added
162 * to this architecture but existing rules will not be added to this
163 * architecture. If the architecture token is SCMP_ARCH_NATIVE then the native
164 * architecture will be assumed. Returns zero on success, negative values on
165 * failure.
166 *
167 */
168 pub fn seccomp_arch_add(ctx: *mut scmp_filter_ctx, arch_token: u32) -> libc::c_int;
169
170 /**
171 * Removes an architecture from the filter
172 * @param ctx the filter context
173 * @param arch_token the architecture token, e.g. SCMP_ARCH_*
174 *
175 * This function removes an architecture from the given seccomp filter context.
176 * If the architecture token is SCMP_ARCH_NATIVE then the native architecture
177 * will be assumed. Returns zero on success, negative values on failure.
178 *
179 */
180 pub fn seccomp_arch_remove(ctx: *mut scmp_filter_ctx, arch_token: u32)-> libc::c_int;
181
182 /**
183 * Loads the filter into the kernel
184 *
185 * @param ctx the filter context
186 *
187 * This function loads the given seccomp filter context into the kernel. If
188 * the filter was loaded correctly, the kernel will be enforcing the filter
189 * when this function returns. Returns zero on success, negative values on
190 * error.
191 *
192 */
193 pub fn seccomp_load(ctx: *const scmp_filter_ctx) -> libc::c_int;
194
195 /**
196 * Get the value of a filter attribute
197 *
198 * @param ctx the filter context
199 * @param attr the filter attribute name
200 * @param value the filter attribute value
201 *
202 * This function fetches the value of the given attribute name and returns it
203 * via @value. Returns zero on success, negative values on failure.
204 *
205 */
206 pub fn seccomp_attr_get(ctx: *const scmp_filter_ctx,
207 attr: scmp_filter_attr, value: *mut u32) -> libc::c_int;
208
209 /**
210 * Set the value of a filter attribute
211 *
212 * @param ctx the filter context
213 * @param attr the filter attribute name
214 * @param value the filter attribute value
215 *
216 * This function sets the value of the given attribute. Returns zero on
217 * success, negative values on failure.
218 *
219 */
220 pub fn seccomp_attr_set(ctx: *mut scmp_filter_ctx,
221 attr: scmp_filter_attr, value: u32) -> libc::c_int;
222
223 /**
224 * Resolve a syscall name to a number
225 * @param name the syscall name
226 *
227 * Resolve the given syscall name to the syscall number. Returns the syscall
228 * number on success, including negative pseudo syscall numbers (e.g. __PNR_*);
229 * returns __NR_SCMP_ERROR on failure.
230 *
231 */
232 pub fn seccomp_syscall_resolve_name(name: *const libc::c_char) -> libc::c_int;
233
234 /**
235 * Set the priority of a given syscall
236 *
237 * @param ctx the filter context
238 * @param syscall the syscall number
239 * @param priority priority value, higher value == higher priority
240 *
241 * This function sets the priority of the given syscall; this value is used
242 * when generating the seccomp filter code such that higher priority syscalls
243 * will incur less filter code overhead than the lower priority syscalls in the
244 * filter. Returns zero on success, negative values on failure.
245 *
246 */
247 pub fn seccomp_syscall_priority(ctx: *mut scmp_filter_ctx,
248 syscall: libc::c_int, priority: u8) -> libc::c_int;
249
250 /**
251 * Add a new rule to the filter
252 *
253 * @param ctx the filter context
254 * @param action the filter action
255 * @param syscall the syscall number
256 * @param arg_cnt the number of argument filters in the argument filter chain
257 * @param ... scmp_arg_cmp structs (use of SCMP_ARG_CMP() recommended)
258 *
259 * This function adds a series of new argument/value checks to the seccomp
260 * filter for the given syscall; multiple argument/value checks can be
261 * specified and they will be chained together (AND'd together) in the filter.
262 * If the specified rule needs to be adjusted due to architecture specifics it
263 * will be adjusted without notification. Returns zero on success, negative
264 * values on failure.
265 *
266 */
267 pub fn seccomp_rule_add(ctx: *mut scmp_filter_ctx,
268 action: u32, syscall: libc::c_int, arg_cnt: libc::c_uint, ...) -> libc::c_int;
269
270
271
272 /**
273 * Add a new rule to the filter
274 *
275 * @param ctx the filter context
276 * @param action the filter action
277 * @param syscall the syscall number
278 * @param arg_cnt the number of elements in the arg_array parameter
279 * @param arg_array array of scmp_arg_cmp structs
280 *
281 * This function adds a series of new argument/value checks to the seccomp
282 * filter for the given syscall; multiple argument/value checks can be
283 * specified and they will be chained together (AND'd together) in the filter.
284 * If the specified rule needs to be adjusted due to architecture specifics it
285 * will be adjusted without notification. Returns zero on success, negative
286 * values on failure.
287 *
288 */
289 pub fn seccomp_rule_add_array(ctx: *mut scmp_filter_ctx,
290 action: u32, syscall: libc::c_int, arg_cnt: libc::c_uint,
291 arg_array: *const scmp_arg_cmp) -> libc::c_int;
292
293 /**
294 * Add a new rule to the filter
295 *
296 * @param ctx the filter context
297 * @param action the filter action
298 * @param syscall the syscall number
299 * @param arg_cnt the number of argument filters in the argument filter chain
300 * @param ... scmp_arg_cmp structs (use of SCMP_ARG_CMP() recommended)
301 *
302 * This function adds a series of new argument/value checks to the seccomp
303 * filter for the given syscall; multiple argument/value checks can be
304 * specified and they will be chained together (AND'd together) in the filter.
305 * If the specified rule can not be represented on the architecture the
306 * function will fail. Returns zero on success, negative values on failure.
307 *
308 */
309 pub fn seccomp_rule_add_exact(ctx: *mut scmp_filter_ctx, action: u32,
310 syscall: libc::c_int, arg_cnt: libc::c_uint, ...) -> libc::c_int;
311
312 /**
313 * Add a new rule to the filter
314 *
315 * @param ctx the filter context
316 * @param action the filter action
317 * @param syscall the syscall number
318 * @param arg_cnt the number of elements in the arg_array parameter
319 * @param arg_array array of scmp_arg_cmp structs
320 *
321 * This function adds a series of new argument/value checks to the seccomp
322 * filter for the given syscall; multiple argument/value checks can be
323 * specified and they will be chained together (AND'd together) in the filter.
324 * If the specified rule can not be represented on the architecture the
325 * function will fail. Returns zero on success, negative values on failure.
326 *
327 */
328 pub fn seccomp_rule_add_exact_array(ctx: *mut scmp_filter_ctx,
329 action: u32, syscall: libc::c_int, arg_cnt: libc::c_uint,
330 arg_array: *const scmp_arg_cmp) -> libc::c_int;
331
332 /**
333 * Generate seccomp Pseudo Filter Code (PFC) and export it to a file
334 *
335 * @param ctx the filter context
336 * @param fd the destination fd
337 *
338 * This function generates seccomp Pseudo Filter Code (PFC) and writes it to
339 * the given fd. Returns zero on success, negative values on failure.
340 *
341 */
342 pub fn seccomp_export_pfc(ctx: *const scmp_filter_ctx, fd: libc::c_int) -> libc::c_int;
343
344 /**
345 * Generate seccomp Berkley Packet Filter (BPF) code and export it to a file
346 *
347 * @param ctx the filter context
348 * @param fd the destination fd
349 *
350 * This function generates seccomp Berkley Packer Filter (BPF) code and writes
351 * it to the given fd. Returns zero on success, negative values on failure.
352 *
353 */
354 pub fn seccomp_export_bpf(ctx: *const scmp_filter_ctx, fd: libc::c_int) -> libc::c_int;
355}
356
357#[test]
358fn does_it_even_work() {
359 unsafe {
360 let context = seccomp_init(SCMP_ACT_ALLOW);
361 let comparator = scmp_arg_cmp {
362 arg: 0,
363 op: scmp_compare::SCMP_CMP_EQ,
364 datum_a: 1000,
365 datum_b: 0,
366 };
367 assert!(seccomp_rule_add(context, SCMP_ACT_KILL, 105, 1, comparator) == 0);
368 assert!(seccomp_load(context) == 0);
369 //assert!(libc::setuid(1000) == 0);
370 }
371}