libseccomp_rs/
lib.rs

1/// Replacing the SCMP_SYS() macro in C by using an enum
2/// # Examples
3/// ```rust,no_run,compile_fail
4/// let sccp = Seccomp::init(SCMP_ACT::ALLOW);
5///         let cmptr = SCMP_ARG_CMP{
6///             arg:0,
7///             op: SCMP_COMPARE::EQ,
8///             oprand1:1000,
9///             oprand2:10,
10///         };
11///         assert!(sccp.add_rule(SCMP_ACT::KILL, SCMP_SYS::setuid as i32, 1, cmptr) == Ok(0));
12/// ```
13#[cfg(all(target_os = "linux", target_arch = "x86_64"))]
14#[allow(non_camel_case_types)]
15#[derive(Debug, Clone, Copy)]
16#[repr(C)]
17pub enum SCMP_SYS {
18    read = 0,
19    write = 1,
20    open = 2,
21    close = 3,
22    stat = 4,
23    fstat = 5,
24    lstat = 6,
25    poll = 7,
26    lseek = 8,
27    mmap = 9,
28    mprotect = 10,
29    munmap = 11,
30    brk = 12,
31    rt_sigaction = 13,
32    rt_sigprocmask = 14,
33    rt_sigreturn = 15,
34    ioctl = 16,
35    pread64 = 17,
36    pwrite64 = 18,
37    readv = 19,
38    writev = 20,
39    access = 21,
40    pipe = 22,
41    select = 23,
42    sched_yield = 24,
43    mremap = 25,
44    msync = 26,
45    mincore = 27,
46    madvise = 28,
47    shmget = 29,
48    shmat = 30,
49    shmctl = 31,
50    dup = 32,
51    dup2 = 33,
52    pause = 34,
53    nanosleep = 35,
54    getitimer = 36,
55    alarm = 37,
56    setitimer = 38,
57    getpid = 39,
58    sendfile = 40,
59    socket = 41,
60    connect = 42,
61    accept = 43,
62    sendto = 44,
63    recvfrom = 45,
64    sendmsg = 46,
65    recvmsg = 47,
66    shutdown = 48,
67    bind = 49,
68    listen = 50,
69    getsockname = 51,
70    getpeername = 52,
71    socketpair = 53,
72    setsockopt = 54,
73    getsockopt = 55,
74    clone = 56,
75    fork = 57,
76    vfork = 58,
77    execve = 59,
78    exit = 60,
79    wait4 = 61,
80    kill = 62,
81    uname = 63,
82    semget = 64,
83    semop = 65,
84    semctl = 66,
85    shmdt = 67,
86    msgget = 68,
87    msgsnd = 69,
88    msgrcv = 70,
89    msgctl = 71,
90    fcntl = 72,
91    flock = 73,
92    fsync = 74,
93    fdatasync = 75,
94    truncate = 76,
95    ftruncate = 77,
96    getdents = 78,
97    getcwd = 79,
98    chdir = 80,
99    fchdir = 81,
100    rename = 82,
101    mkdir = 83,
102    rmdir = 84,
103    creat = 85,
104    link = 86,
105    unlink = 87,
106    symlink = 88,
107    readlink = 89,
108    chmod = 90,
109    fchmod = 91,
110    chown = 92,
111    fchown = 93,
112    lchown = 94,
113    umask = 95,
114    gettimeofday = 96,
115    getrlimit = 97,
116    getrusage = 98,
117    sysinfo = 99,
118    times = 100,
119    ptrace = 101,
120    getuid = 102,
121    syslog = 103,
122    getgid = 104,
123    setuid = 105,
124    setgid = 106,
125    geteuid = 107,
126    getegid = 108,
127    setpgid = 109,
128    getppid = 110,
129    getpgrp = 111,
130    setsid = 112,
131    setreuid = 113,
132    setregid = 114,
133    getgroups = 115,
134    setgroups = 116,
135    setresuid = 117,
136    getresuid = 118,
137    setresgid = 119,
138    getresgid = 120,
139    getpgid = 121,
140    setfsuid = 122,
141    setfsgid = 123,
142    getsid = 124,
143    capget = 125,
144    capset = 126,
145    rt_sigpending = 127,
146    rt_sigtimedwait = 128,
147    rt_sigqueueinfo = 129,
148    rt_sigsuspend = 130,
149    sigaltstack = 131,
150    utime = 132,
151    mknod = 133,
152    uselib = 134,
153    personality = 135,
154    ustat = 136,
155    statfs = 137,
156    fstatfs = 138,
157    sysfs = 139,
158    getpriority = 140,
159    setpriority = 141,
160    sched_setparam = 142,
161    sched_getparam = 143,
162    sched_setscheduler = 144,
163    sched_getscheduler = 145,
164    sched_get_priority_max = 146,
165    sched_get_priority_min = 147,
166    sched_rr_get_interval = 148,
167    mlock = 149,
168    munlock = 150,
169    mlockall = 151,
170    munlockall = 152,
171    vhangup = 153,
172    modify_ldt = 154,
173    pivot_root = 155,
174    _sysctl = 156,
175    prctl = 157,
176    arch_prctl = 158,
177    adjtimex = 159,
178    setrlimit = 160,
179    chroot = 161,
180    sync = 162,
181    acct = 163,
182    settimeofday = 164,
183    mount = 165,
184    umount2 = 166,
185    swapon = 167,
186    swapoff = 168,
187    reboot = 169,
188    sethostname = 170,
189    setdomainname = 171,
190    iopl = 172,
191    ioperm = 173,
192    create_module = 174,
193    init_module = 175,
194    delete_module = 176,
195    get_kernel_syms = 177,
196    query_module = 178,
197    quotactl = 179,
198    nfsservctl = 180,
199    getpmsg = 181,
200    putpmsg = 182,
201    afs_syscall = 183,
202    tuxcall = 184,
203    security = 185,
204    gettid = 186,
205    readahead = 187,
206    setxattr = 188,
207    lsetxattr = 189,
208    fsetxattr = 190,
209    getxattr = 191,
210    lgetxattr = 192,
211    fgetxattr = 193,
212    listxattr = 194,
213    llistxattr = 195,
214    flistxattr = 196,
215    removexattr = 197,
216    lremovexattr = 198,
217    fremovexattr = 199,
218    tkill = 200,
219    time = 201,
220    futex = 202,
221    sched_setaffinity = 203,
222    sched_getaffinity = 204,
223    set_thread_area = 205,
224    io_setup = 206,
225    io_destroy = 207,
226    io_getevents = 208,
227    io_submit = 209,
228    io_cancel = 210,
229    get_thread_area = 211,
230    lookup_dcookie = 212,
231    epoll_create = 213,
232    epoll_ctl_old = 214,
233    epoll_wait_old = 215,
234    remap_file_pages = 216,
235    getdents64 = 217,
236    set_tid_address = 218,
237    restart_syscall = 219,
238    semtimedop = 220,
239    fadvise64 = 221,
240    timer_create = 222,
241    timer_settime = 223,
242    timer_gettime = 224,
243    timer_getoverrun = 225,
244    timer_delete = 226,
245    clock_settime = 227,
246    clock_gettime = 228,
247    clock_getres = 229,
248    clock_nanosleep = 230,
249    exit_group = 231,
250    epoll_wait = 232,
251    epoll_ctl = 233,
252    tgkill = 234,
253    utimes = 235,
254    vserver = 236,
255    mbind = 237,
256    set_mempolicy = 238,
257    get_mempolicy = 239,
258    mq_open = 240,
259    mq_unlink = 241,
260    mq_timedsend = 242,
261    mq_timedreceive = 243,
262    mq_notify = 244,
263    mq_getsetattr = 245,
264    kexec_load = 246,
265    waitid = 247,
266    add_key = 248,
267    request_key = 249,
268    keyctl = 250,
269    ioprio_set = 251,
270    ioprio_get = 252,
271    inotify_init = 253,
272    inotify_add_watch = 254,
273    inotify_rm_watch = 255,
274    migrate_pages = 256,
275    openat = 257,
276    mkdirat = 258,
277    mknodat = 259,
278    fchownat = 260,
279    futimesat = 261,
280    newfstatat = 262,
281    unlinkat = 263,
282    renameat = 264,
283    linkat = 265,
284    symlinkat = 266,
285    readlinkat = 267,
286    fchmodat = 268,
287    faccessat = 269,
288    pselect6 = 270,
289    ppoll = 271,
290    unshare = 272,
291    set_robust_list = 273,
292    get_robust_list = 274,
293    splice = 275,
294    tee = 276,
295    sync_file_range = 277,
296    vmsplice = 278,
297    move_pages = 279,
298    utimensat = 280,
299    epoll_pwait = 281,
300    signalfd = 282,
301    timerfd_create = 283,
302    eventfd = 284,
303    fallocate = 285,
304    timerfd_settime = 286,
305    timerfd_gettime = 287,
306    accept4 = 288,
307    signalfd4 = 289,
308    eventfd2 = 290,
309    epoll_create1 = 291,
310    dup3 = 292,
311    pipe2 = 293,
312    inotify_init1 = 294,
313    preadv = 295,
314    pwritev = 296,
315    rt_tgsigqueueinfo = 297,
316    perf_event_open = 298,
317    recvmmsg = 299,
318    fanotify_init = 300,
319    fanotify_mark = 301,
320    prlimit64 = 302,
321    name_to_handle_at = 303,
322    open_by_handle_at = 304,
323    clock_adjtime = 305,
324    syncfs = 306,
325    sendmmsg = 307,
326    setns = 308,
327    getcpu = 309,
328    process_vm_readv = 310,
329    process_vm_writev = 311,
330    kcmp = 312,
331    finit_module = 313,
332    sched_setattr = 314,
333    sched_getattr = 315,
334    renameat2 = 316,
335    seccomp = 317,
336    getrandom = 318,
337    memfd_create = 319,
338    kexec_file_load = 320,
339    bpf = 321,
340    execveat = 322,
341    userfaultfd = 323,
342    membarrier = 324,
343    mlock2 = 325,
344    copy_file_range = 326,
345    preadv2 = 327,
346    pwritev2 = 328,
347}
348
349// break is keyword so i used _break
350#[cfg(all(target_os = "linux", target_arch = "x86"))]
351#[allow(non_camel_case_types)]
352#[derive(Debug, Clone, Copy)]
353#[repr(C)]
354pub enum SCMP_SYS {
355    restart_syscall = 0,
356    exit = 1,
357    fork = 2,
358    read = 3,
359    write = 4,
360    open = 5,
361    close = 6,
362    waitpid = 7,
363    creat = 8,
364    link = 9,
365    unlink = 10,
366    execve = 11,
367    chdir = 12,
368    time = 13,
369    mknod = 14,
370    chmod = 15,
371    lchown = 16,
372    _break = 17,
373    oldstat = 18,
374    lseek = 19,
375    getpid = 20,
376    mount = 21,
377    umount = 22,
378    setuid = 23,
379    getuid = 24,
380    stime = 25,
381    ptrace = 26,
382    alarm = 27,
383    oldfstat = 28,
384    pause = 29,
385    utime = 30,
386    stty = 31,
387    gtty = 32,
388    access = 33,
389    nice = 34,
390    ftime = 35,
391    sync = 36,
392    kill = 37,
393    rename = 38,
394    mkdir = 39,
395    rmdir = 40,
396    dup = 41,
397    pipe = 42,
398    times = 43,
399    prof = 44,
400    brk = 45,
401    setgid = 46,
402    getgid = 47,
403    signal = 48,
404    geteuid = 49,
405    getegid = 50,
406    acct = 51,
407    umount2 = 52,
408    lock = 53,
409    ioctl = 54,
410    fcntl = 55,
411    mpx = 56,
412    setpgid = 57,
413    ulimit = 58,
414    oldolduname = 59,
415    umask = 60,
416    chroot = 61,
417    ustat = 62,
418    dup2 = 63,
419    getppid = 64,
420    getpgrp = 65,
421    setsid = 66,
422    sigaction = 67,
423    sgetmask = 68,
424    ssetmask = 69,
425    setreuid = 70,
426    setregid = 71,
427    sigsuspend = 72,
428    sigpending = 73,
429    sethostname = 74,
430    setrlimit = 75,
431    getrlimit = 76,
432    getrusage = 77,
433    gettimeofday = 78,
434    settimeofday = 79,
435    getgroups = 80,
436    setgroups = 81,
437    select = 82,
438    symlink = 83,
439    oldlstat = 84,
440    readlink = 85,
441    uselib = 86,
442    swapon = 87,
443    reboot = 88,
444    readdir = 89,
445    mmap = 90,
446    munmap = 91,
447    truncate = 92,
448    ftruncate = 93,
449    fchmod = 94,
450    fchown = 95,
451    getpriority = 96,
452    setpriority = 97,
453    profil = 98,
454    statfs = 99,
455    fstatfs = 100,
456    ioperm = 101,
457    socketcall = 102,
458    syslog = 103,
459    setitimer = 104,
460    getitimer = 105,
461    stat = 106,
462    lstat = 107,
463    fstat = 108,
464    olduname = 109,
465    iopl = 110,
466    vhangup = 111,
467    idle = 112,
468    vm86old = 113,
469    wait4 = 114,
470    swapoff = 115,
471    sysinfo = 116,
472    ipc = 117,
473    fsync = 118,
474    sigreturn = 119,
475    clone = 120,
476    setdomainname = 121,
477    uname = 122,
478    modify_ldt = 123,
479    adjtimex = 124,
480    mprotect = 125,
481    sigprocmask = 126,
482    create_module = 127,
483    init_module = 128,
484    delete_module = 129,
485    get_kernel_syms = 130,
486    quotactl = 131,
487    getpgid = 132,
488    fchdir = 133,
489    bdflush = 134,
490    sysfs = 135,
491    personality = 136,
492    afs_syscall = 137,
493    setfsuid = 138,
494    setfsgid = 139,
495    _llseek = 140,
496    getdents = 141,
497    _newselect = 142,
498    flock = 143,
499    msync = 144,
500    readv = 145,
501    writev = 146,
502    getsid = 147,
503    fdatasync = 148,
504    _sysctl = 149,
505    mlock = 150,
506    munlock = 151,
507    mlockall = 152,
508    munlockall = 153,
509    sched_setparam = 154,
510    sched_getparam = 155,
511    sched_setscheduler = 156,
512    sched_getscheduler = 157,
513    sched_yield = 158,
514    sched_get_priority_max = 159,
515    sched_get_priority_min = 160,
516    sched_rr_get_interval = 161,
517    nanosleep = 162,
518    mremap = 163,
519    setresuid = 164,
520    getresuid = 165,
521    vm86 = 166,
522    query_module = 167,
523    poll = 168,
524    nfsservctl = 169,
525    setresgid = 170,
526    getresgid = 171,
527    prctl = 172,
528    rt_sigreturn = 173,
529    rt_sigaction = 174,
530    rt_sigprocmask = 175,
531    rt_sigpending = 176,
532    rt_sigtimedwait = 177,
533    rt_sigqueueinfo = 178,
534    rt_sigsuspend = 179,
535    pread64 = 180,
536    pwrite64 = 181,
537    chown = 182,
538    getcwd = 183,
539    capget = 184,
540    capset = 185,
541    sigaltstack = 186,
542    sendfile = 187,
543    getpmsg = 188,
544    putpmsg = 189,
545    vfork = 190,
546    ugetrlimit = 191,
547    mmap2 = 192,
548    truncate64 = 193,
549    ftruncate64 = 194,
550    stat64 = 195,
551    lstat64 = 196,
552    fstat64 = 197,
553    lchown32 = 198,
554    getuid32 = 199,
555    getgid32 = 200,
556    geteuid32 = 201,
557    getegid32 = 202,
558    setreuid32 = 203,
559    setregid32 = 204,
560    getgroups32 = 205,
561    setgroups32 = 206,
562    fchown32 = 207,
563    setresuid32 = 208,
564    getresuid32 = 209,
565    setresgid32 = 210,
566    getresgid32 = 211,
567    chown32 = 212,
568    setuid32 = 213,
569    setgid32 = 214,
570    setfsuid32 = 215,
571    setfsgid32 = 216,
572    pivot_root = 217,
573    mincore = 218,
574    madvise = 219,
575    getdents64 = 220,
576    fcntl64 = 221,
577    gettid = 224,
578    readahead = 225,
579    setxattr = 226,
580    lsetxattr = 227,
581    fsetxattr = 228,
582    getxattr = 229,
583    lgetxattr = 230,
584    fgetxattr = 231,
585    listxattr = 232,
586    llistxattr = 233,
587    flistxattr = 234,
588    removexattr = 235,
589    lremovexattr = 236,
590    fremovexattr = 237,
591    tkill = 238,
592    sendfile64 = 239,
593    futex = 240,
594    sched_setaffinity = 241,
595    sched_getaffinity = 242,
596    set_thread_area = 243,
597    get_thread_area = 244,
598    io_setup = 245,
599    io_destroy = 246,
600    io_getevents = 247,
601    io_submit = 248,
602    io_cancel = 249,
603    fadvise64 = 250,
604    exit_group = 252,
605    lookup_dcookie = 253,
606    epoll_create = 254,
607    epoll_ctl = 255,
608    epoll_wait = 256,
609    remap_file_pages = 257,
610    set_tid_address = 258,
611    timer_create = 259,
612    timer_settime = 260,
613    timer_gettime = 261,
614    timer_getoverrun = 262,
615    timer_delete = 263,
616    clock_settime = 264,
617    clock_gettime = 265,
618    clock_getres = 266,
619    clock_nanosleep = 267,
620    statfs64 = 268,
621    fstatfs64 = 269,
622    tgkill = 270,
623    utimes = 271,
624    fadvise64_64 = 272,
625    vserver = 273,
626    mbind = 274,
627    get_mempolicy = 275,
628    set_mempolicy = 276,
629    mq_open = 277,
630    mq_unlink = 278,
631    mq_timedsend = 279,
632    mq_timedreceive = 280,
633    mq_notify = 281,
634    mq_getsetattr = 282,
635    kexec_load = 283,
636    waitid = 284,
637    add_key = 286,
638    request_key = 287,
639    keyctl = 288,
640    ioprio_set = 289,
641    ioprio_get = 290,
642    inotify_init = 291,
643    inotify_add_watch = 292,
644    inotify_rm_watch = 293,
645    migrate_pages = 294,
646    openat = 295,
647    mkdirat = 296,
648    mknodat = 297,
649    fchownat = 298,
650    futimesat = 299,
651    fstatat64 = 300,
652    unlinkat = 301,
653    renameat = 302,
654    linkat = 303,
655    symlinkat = 304,
656    readlinkat = 305,
657    fchmodat = 306,
658    faccessat = 307,
659    pselect6 = 308,
660    ppoll = 309,
661    unshare = 310,
662    set_robust_list = 311,
663    get_robust_list = 312,
664    splice = 313,
665    sync_file_range = 314,
666    tee = 315,
667    vmsplice = 316,
668    move_pages = 317,
669    getcpu = 318,
670    epoll_pwait = 319,
671    utimensat = 320,
672    signalfd = 321,
673    timerfd_create = 322,
674    eventfd = 323,
675    fallocate = 324,
676    timerfd_settime = 325,
677    timerfd_gettime = 326,
678    signalfd4 = 327,
679    eventfd2 = 328,
680    epoll_create1 = 329,
681    dup3 = 330,
682    pipe2 = 331,
683    inotify_init1 = 332,
684    preadv = 333,
685    pwritev = 334,
686    rt_tgsigqueueinfo = 335,
687    perf_event_open = 336,
688    recvmmsg = 337,
689    fanotify_init = 338,
690    fanotify_mark = 339,
691    prlimit64 = 340,
692    name_to_handle_at = 341,
693    open_by_handle_at = 342,
694    clock_adjtime = 343,
695    syncfs = 344,
696    sendmmsg = 345,
697    setns = 346,
698    process_vm_readv = 347,
699    process_vm_writev = 348,
700    kcmp = 349,
701    finit_module = 350,
702    sched_setattr = 351,
703    sched_getattr = 352,
704    renameat2 = 353,
705    seccomp = 354,
706    getrandom = 355,
707    memfd_create = 356,
708    bpf = 357,
709    execveat = 358,
710    socket = 359,
711    socketpair = 360,
712    bind = 361,
713    connect = 362,
714    listen = 363,
715    accept4 = 364,
716    getsockopt = 365,
717    setsockopt = 366,
718    getsockname = 367,
719    getpeername = 368,
720    sendto = 369,
721    sendmsg = 370,
722    recvfrom = 371,
723    recvmsg = 372,
724    shutdown = 373,
725    userfaultfd = 374,
726    membarrier = 375,
727    mlock2 = 376,
728    copy_file_range = 377,
729    preadv2 = 378,
730    pwritev2 = 379,
731}
732
733// TODO: support aarch64 arm .. well is not unsupported you can also manually use i32
734
735/// SCMP_ARCH in C
736#[allow(non_camel_case_types)]
737#[derive(Debug, Clone, Copy)]
738#[repr(C)]
739pub enum SCMP_ARCH {
740    NATIVE = 0x0,
741    X86 = 0x40000003,
742    X86_64 = 0xc000003e,
743    X32 = 0x4000003e,
744    ARM = 0x40000028,
745    AARCH64 = 0xc00000b7,
746    MIPS = 0x8,
747    MIPS64 = 0x80000008,
748    MIPS64N32 = 0xa0000008,
749    MIPSEL = 0x40000008,
750    MIPSEL64 = 0xc0000008,
751    MIPSEL64N32 = 0xe0000008,
752    PPC = 0x14,
753    PPC64 = 0x80000015,
754    PPC64LE = 0xc0000015,
755    S390 = 0x16,
756    S390X = 0x80000016,
757}
758
759/// SCMP_ACT_* in C
760#[allow(non_snake_case)]
761#[allow(dead_code)]
762pub mod SCMP_ACT {
763    pub const KILL: libc::c_uint = 0x00000000;
764    pub const TRAP: libc::c_uint = 0x00030000;
765    pub const ALLOW: libc::c_uint = 0x7fff0000;
766    pub const LOG: libc::c_uint = 0x7ffc0000;
767    pub const NOTIFY: libc::c_uint = 0x7fc00000;
768    pub fn ERRNO(x: libc::c_uint) -> libc::c_uint {
769        0x00050000 | ((x) & 0x0000ffff)
770    }
771    pub fn TRACE(x: libc::c_uint) -> libc::c_uint {
772        0x7ff00000 | ((x) & 0x0000ffff)
773    }
774}
775
776/// SCMP_FILTER_ATTR in C
777#[allow(non_camel_case_types)]
778#[derive(Debug, Clone, Copy)]
779#[repr(C)]
780pub enum SCMP_FILTER_ATTR {
781    MIN,
782    ACT_DEFAULT,
783    /** default filter action */
784    ACT_BADARCH,
785    /** bad architecture action */
786    CTL_NNP,
787    /** set NO_NEW_PRIVS on filter load */
788    MAX,
789}
790
791
792/// SCMP_CMP operators
793#[allow(non_camel_case_types)]
794#[derive(Debug, Clone, Copy)]
795#[repr(C)]
796pub enum SCMP_COMPARE {
797    MIN = 0,
798    NE = 1,
799    /** not equal */
800    LT = 2,
801    /** less than */
802    LE = 3,
803    /** less than or equal */
804    EQ = 4,
805    /** equal */
806    GE = 5,
807    /** greater than or equal */
808    GT = 6,
809    /** greater than */
810    MASKED_EQ = 7,
811    /** masked equality */
812    MAX,
813}
814
815// you know using void* right...
816#[allow(non_camel_case_types)]
817pub type SCMP_FILTER_CTX = libc::c_void;
818
819/// A struct, replace SCMP_CMP
820#[derive(Debug)]
821#[repr(C)]
822pub struct SCMP_ARG_CMP {
823    pub arg: libc::c_uint,
824    /** argument number, starting at 0 */
825    pub op: SCMP_COMPARE,
826    /** the comparison op, e.g. SCMP_CMP_* */
827    pub oprand1: u64,
828    pub oprand2: u64,
829}
830
831#[link(name = "seccomp")]
832extern "C" {
833    /**
834     * Initialize the filter state
835     *
836     * @param def_action the default filter action
837     *
838     * This function initializes the internal seccomp filter state and should
839     * be called before any other functions in this library to ensure the filter
840     * state is initialized.  Returns a filter context on success, NULL on failure.
841     *
842     */
843    fn seccomp_init(def_action: libc::c_uint) -> *mut SCMP_FILTER_CTX;
844    /**
845     * Reset the filter state
846     *
847     * @param ctx the filter context
848     * @param def_action the default filter action
849     *
850     * This function resets the given seccomp filter state and ensures the
851     * filter state is reinitialized.  This function does not reset any seccomp
852     * filters already loaded into the kernel.  Returns zero on success, negative
853     * values on failure.
854     *
855     */
856    fn seccomp_reset(ctx: *mut SCMP_FILTER_CTX, def_action: libc::c_uint) -> libc::c_int;
857    /**
858     * Destroys the filter state and releases any resources
859     *
860     * @param ctx the filter context
861     *
862     * This functions destroys the given seccomp filter state and releases any
863     * resources, including memory, associated with the filter state.  This
864     * function does not reset any seccomp filters already loaded into the kernel.
865     * The filter context can no longer be used after calling this function.
866     *
867     */
868    fn seccomp_release(ctx: *mut SCMP_FILTER_CTX);
869    /**
870     * Adds an architecture to the filter
871     * @param ctx the filter context
872     * @param arch_token the architecture token, e.g. SCMP_ARCH_*
873     *
874     * This function adds a new architecture to the given seccomp filter context.
875     * Any new rules added after this function successfully returns will be added
876     * to this architecture but existing rules will not be added to this
877     * architecture.  If the architecture token is SCMP_ARCH_NATIVE then the native
878     * architecture will be assumed.  Returns zero on success, negative values on
879     * failure.
880     *
881     */
882    fn seccomp_arch_add(ctx: *mut SCMP_FILTER_CTX, arch_token: libc::c_uint) -> libc::c_int;
883    /**
884     * Removes an architecture from the filter
885     * @param ctx the filter context
886     * @param arch_token the architecture token, e.g. SCMP_ARCH_*
887     *
888     * This function removes an architecture from the given seccomp filter context.
889     * If the architecture token is SCMP_ARCH_NATIVE then the native architecture
890     * will be assumed.  Returns zero on success, negative values on failure.
891     *
892     */
893    fn seccomp_arch_remove(ctx: *mut SCMP_FILTER_CTX, arch_token: libc::c_uint) -> libc::c_int;
894    /**
895     * Loads the filter into the kernel
896     *
897     * @param ctx the filter context
898     *
899     * This function loads the given seccomp filter context into the kernel.  If
900     * the filter was loaded correctly, the kernel will be enforcing the filter
901     * when this function returns.  Returns zero on success, negative values on
902     * error.
903     *
904     */
905    fn seccomp_load(ctx: *const SCMP_FILTER_CTX) -> libc::c_int;
906    /**
907     * Get the value of a filter attribute
908     *
909     * @param ctx the filter context
910     * @param attr the filter attribute name
911     * @param value the filter attribute value
912     *
913     * This function fetches the value of the given attribute name and returns it
914     * via @value.  Returns zero on success, negative values on failure.
915     *
916     */
917    fn seccomp_attr_get(
918        ctx: *const SCMP_FILTER_CTX,
919        attr: SCMP_FILTER_ATTR,
920        value: *mut libc::c_uint,
921    ) -> libc::c_int;
922    /**
923     * Set the value of a filter attribute
924     *
925     * @param ctx the filter context
926     * @param attr the filter attribute name
927     * @param value the filter attribute value
928     *
929     * This function sets the value of the given attribute.  Returns zero on
930     * success, negative values on failure.
931     *
932     */
933    fn seccomp_attr_set(
934        ctx: *mut SCMP_FILTER_CTX,
935        attr: SCMP_FILTER_ATTR,
936        value: libc::c_uint,
937    ) -> libc::c_int;
938    /**
939     * Resolve a syscall name to a number
940     * @param name the syscall name
941     *
942     * Resolve the given syscall name to the syscall number.  Returns the syscall
943     * number on success, including negative pseudo syscall numbers (e.g. __PNR_*);
944     * returns __NR_SCMP_ERROR on failure.
945     *
946     */
947    fn seccomp_syscall_resolve_name(name: *const libc::c_char) -> libc::c_int;
948    /**
949     * Set the priority of a given syscall
950     *
951     * @param ctx the filter context
952     * @param syscall the syscall number
953     * @param priority priority value, higher value == higher priority
954     *
955     * This function sets the priority of the given syscall; this value is used
956     * when generating the seccomp filter code such that higher priority syscalls
957     * will incur less filter code overhead than the lower priority syscalls in the
958     * filter.  Returns zero on success, negative values on failure.
959     *
960     */
961    fn seccomp_syscall_priority(
962        ctx: *mut SCMP_FILTER_CTX,
963        syscall: libc::c_int,
964        priority: u8,
965    ) -> libc::c_int;
966    /**
967     * Add a new rule to the filter
968     *
969     * @param ctx the filter context
970     * @param action the filter action
971     * @param syscall the syscall number
972     * @param arg_cnt the number of argument filters in the argument filter chain
973     * @param ... SCMP_ARG_CMP structs (use of SCMP_ARG_CMP() recommended)
974     *
975     * This function adds a series of new argument/value checks to the seccomp
976     * filter for the given syscall; multiple argument/value checks can be
977     * specified and they will be chained together (AND'd together) in the filter.
978     * If the specified rule needs to be adjusted due to architecture specifics it
979     * will be adjusted without notification.  Returns zero on success, negative
980     * values on failure.
981     *
982     */
983    fn seccomp_rule_add(
984        ctx: *mut SCMP_FILTER_CTX,
985        action: libc::c_uint,
986        syscall: libc::c_int,
987        arg_cnt: libc::c_uint,
988        ...
989    ) -> libc::c_int;
990    /**
991     * Add a new rule to the filter
992     *
993     * @param ctx the filter context
994     * @param action the filter action
995     * @param syscall the syscall number
996     * @param arg_cnt the number of elements in the arg_array parameter
997     * @param arg_array array of SCMP_ARG_CMP structs
998     *
999     * This function adds a series of new argument/value checks to the seccomp
1000     * filter for the given syscall; multiple argument/value checks can be
1001     * specified and they will be chained together (AND'd together) in the filter.
1002     * If the specified rule needs to be adjusted due to architecture specifics it
1003     * will be adjusted without notification.  Returns zero on success, negative
1004     * values on failure.
1005     *
1006     */
1007    fn seccomp_rule_add_array(
1008        ctx: *mut SCMP_FILTER_CTX,
1009        action: libc::c_uint,
1010        syscall: libc::c_int,
1011        arg_cnt: libc::c_uint,
1012        arg_array: *const SCMP_ARG_CMP,
1013    ) -> libc::c_int;
1014    /**
1015     * Add a new rule to the filter
1016     *
1017     * @param ctx the filter context
1018     * @param action the filter action
1019     * @param syscall the syscall number
1020     * @param arg_cnt the number of argument filters in the argument filter chain
1021     * @param ... SCMP_ARG_CMP structs (use of SCMP_ARG_CMP() recommended)
1022     *
1023     * This function adds a series of new argument/value checks to the seccomp
1024     * filter for the given syscall; multiple argument/value checks can be
1025     * specified and they will be chained together (AND'd together) in the filter.
1026     * If the specified rule can not be represented on the architecture the
1027     * function will fail.  Returns zero on success, negative values on failure.
1028     *
1029     */
1030    fn seccomp_rule_add_exact(
1031        ctx: *mut SCMP_FILTER_CTX,
1032        action: libc::c_uint,
1033        syscall: libc::c_int,
1034        arg_cnt: libc::c_uint,
1035        ...
1036    ) -> libc::c_int;
1037    /**
1038     * Add a new rule to the filter
1039     *
1040     * @param ctx the filter context
1041     * @param action the filter action
1042     * @param syscall the syscall number
1043     * @param arg_cnt  the number of elements in the arg_array parameter
1044     * @param arg_array array of SCMP_ARG_CMP structs
1045     *
1046     * This function adds a series of new argument/value checks to the seccomp
1047     * filter for the given syscall; multiple argument/value checks can be
1048     * specified and they will be chained together (AND'd together) in the filter.
1049     * If the specified rule can not be represented on the architecture the
1050     * function will fail.  Returns zero on success, negative values on failure.
1051     *
1052     */
1053    fn seccomp_rule_add_exact_array(
1054        ctx: *mut SCMP_FILTER_CTX,
1055        action: libc::c_uint,
1056        syscall: libc::c_int,
1057        arg_cnt: libc::c_uint,
1058        arg_array: *const SCMP_ARG_CMP,
1059    ) -> libc::c_int;
1060    /**
1061     * Generate seccomp Pseudo Filter Code (PFC) and export it to a file
1062     *
1063     * @param ctx the filter context
1064     * @param fd the destination fd
1065     *
1066     * This function generates seccomp Pseudo Filter Code (PFC) and writes it to
1067     * the given fd.  Returns zero on success, negative values on failure.
1068     *
1069     */
1070    fn seccomp_export_pfc(ctx: *const SCMP_FILTER_CTX, fd: libc::c_int) -> libc::c_int;
1071    /**
1072     * Generate seccomp Berkley Packet Filter (BPF) code and export it to a file
1073     *
1074     * @param ctx the filter context
1075     * @param fd the destination fd
1076     *
1077     * This function generates seccomp Berkley Packer Filter (BPF) code and writes
1078     * it to the given fd.  Returns zero on success, negative values on failure.
1079     *
1080     */
1081    fn seccomp_export_bpf(ctx: *const SCMP_FILTER_CTX, fd: libc::c_int) -> libc::c_int;
1082}
1083
1084pub struct Seccomp{
1085    ctx : *mut SCMP_FILTER_CTX,
1086}
1087
1088impl Seccomp {
1089    /// initialize the seccomp and set the context into the struct
1090    pub fn init(act: libc::c_uint) -> Self {
1091        Seccomp{
1092            ctx:unsafe { seccomp_init(act) }
1093        }
1094    }
1095    /// load seccomp to kernel
1096    pub fn load(self) -> Result<libc::c_int, String> {
1097        match unsafe { seccomp_load(self.ctx) } {
1098            0 => Ok(0),
1099            x => Err(format!("LOAD SECCOMP FAILED WITH CODE {}", x)),
1100        }
1101    }
1102    /// add an architecture
1103    pub fn add_arch(
1104        &self,
1105        arch_token: libc::c_uint,
1106    ) -> Result<libc::c_int, String> {
1107        match unsafe { seccomp_arch_add(self.ctx, arch_token) } {
1108            0 => Ok(0),
1109            x => Err(format!("ADD SECCOMP ARCH FAILED WITH CODE {}", x)),
1110        }
1111    }
1112    /// remove an architecture
1113    pub fn remove_arch(
1114        &self,
1115        arch_token: libc::c_uint,
1116    ) -> Result<libc::c_int, String> {
1117        match unsafe { seccomp_arch_remove(self.ctx, arch_token) } {
1118            0 => Ok(0),
1119            x => Err(format!("REMOVE SECCOMP ARCH FAILED WITH CODE {}", x)),
1120        }
1121    }
1122
1123    pub fn get_attr(
1124        ctx: *const SCMP_FILTER_CTX,
1125        attr: SCMP_FILTER_ATTR,
1126        value: *mut libc::c_uint,
1127    ) -> Result<*mut libc::c_uint, String> {
1128        match unsafe { seccomp_attr_get(ctx, attr, value) } {
1129            0 => Ok(value),
1130            x => Err(format!("GET SECCOMP ATTR FAILED WITH CODE {}", x)),
1131        }
1132    }
1133
1134    pub fn set_attr(
1135        &self,
1136        attr: SCMP_FILTER_ATTR,
1137        value: libc::c_uint,
1138    ) -> Result<libc::c_int, String> {
1139        match unsafe { seccomp_attr_set(self.ctx, attr, value) } {
1140            0 => Ok(0),
1141            x => Err(format!("SET SECCOMP ATTR FAILED WITH CODE {}", x)),
1142        }
1143    }
1144
1145    pub fn add_exact_rule(
1146        &self,
1147        action: libc::c_uint,
1148        syscall: libc::c_int,
1149        arg_cnt: libc::c_uint,
1150        arg: SCMP_ARG_CMP,
1151    ) -> Result<libc::c_int, String> {
1152        match unsafe { seccomp_rule_add_exact(self.ctx, action, syscall, arg_cnt, arg) } {
1153            0 => Ok(0),
1154            x => Err(format!("LOAD SECCOMP EXACT RULE FAILED WITH CODE {}", x)),
1155        }
1156    }
1157    pub fn add_exact_rules(
1158        &self,
1159        action: libc::c_uint,
1160        syscall: libc::c_int,
1161        arg_cnt: libc::c_uint,
1162        arg_array: Vec<SCMP_ARG_CMP>,
1163    ) -> Result<libc::c_int, String> {
1164        match unsafe {
1165            seccomp_rule_add_exact_array(self.ctx, action, syscall, arg_cnt, arg_array.as_ptr())
1166        } {
1167            0 => Ok(0),
1168            x => Err(format!("LOAD SECCOMP EXACT RULES FAILED WITH CODE {}", x)),
1169        }
1170    }
1171    /// adding rule to seccomp before the seccomp loaded to kernel
1172    pub fn add_rule(
1173        &self,
1174        action: libc::c_uint,
1175        syscall: libc::c_int,
1176        arg_cnt: libc::c_uint,
1177        arg: SCMP_ARG_CMP,
1178    ) -> Result<libc::c_int, String> {
1179        match unsafe { seccomp_rule_add(self.ctx, action, syscall, arg_cnt, arg) } {
1180            0 => Ok(0),
1181            x => Err(format!("LOAD SECCOMP RULE FAILED WITH CODE {}", x)),
1182        }
1183    }
1184    /// adding rules(vector) to seccomp before the seccomp loaded to kernel
1185    pub fn add_rules(
1186        &self,
1187        action: libc::c_uint,
1188        syscall: libc::c_int,
1189        arg_cnt: libc::c_uint,
1190        arg_array: Vec<SCMP_ARG_CMP>,
1191    ) -> Result<libc::c_int, String> {
1192        match unsafe { seccomp_rule_add_array(self.ctx, action, syscall, arg_cnt, arg_array.as_ptr()) } {
1193            0 => Ok(0),
1194            x => Err(format!("LOAD SECCOMP RULES FAILED WITH CODE {}", x)),
1195        }
1196    }
1197
1198    pub fn export_bpf(ctx: *const SCMP_FILTER_CTX, fd: libc::c_int) -> Result<libc::c_int, String> {
1199        match unsafe { seccomp_export_bpf(ctx, fd) } {
1200            0 => Ok(0),
1201            x => Err(format!("EXPORT SECCOMP BPF FAILED WITH CODE {}", x)),
1202        }
1203    }
1204
1205    pub fn export_pfc(ctx: *const SCMP_FILTER_CTX, fd: libc::c_int) -> Result<libc::c_int, String> {
1206        match unsafe { seccomp_export_pfc(ctx, fd) } {
1207            0 => Ok(0),
1208            x => Err(format!("EXPORT SECCOMP PFC FAILED WITH CODE {}", x)),
1209        }
1210    }
1211    /// if you are using arm/aarch64 you could use this instead of SCMP_SYS
1212    pub fn resolve_syscall_name(name: &str) -> i32 {
1213        unsafe { seccomp_syscall_resolve_name(name.as_ptr() as *const i8) }
1214    }
1215    pub fn syscall_priority(
1216        &self,
1217        syscall: libc::c_int,
1218        priority: u8,
1219    ) -> Result<libc::c_int, String> {
1220        match unsafe { seccomp_syscall_priority(self.ctx, syscall, priority) } {
1221            0 => Ok(0),
1222            x => Err(format!(
1223                "LOAD SECCOMP SYSCALL PRIORITY FAILED WITH CODE {}",
1224                x
1225            )),
1226        }
1227    }
1228    /// reset the seccomp
1229    pub fn reset(
1230        &self,
1231        def_action: libc::c_uint,
1232    ) -> Result<libc::c_int, String> {
1233        match unsafe { seccomp_reset(self.ctx, def_action) } {
1234            0 => Ok(0),
1235            x => Err(format!("SECCOMP RESET FAILED WITH CODE {}", x)),
1236        }
1237    }
1238    /// release the seccomp from kernel
1239    pub fn release(ctx: *mut SCMP_FILTER_CTX) {
1240        unsafe { seccomp_release(ctx) }
1241    }
1242}
1243
1244
1245#[cfg(test)]
1246mod test{
1247    use super::*;
1248    #[test]
1249    fn test(){
1250        use super::*;
1251        let sccp = Seccomp::init(SCMP_ACT::ALLOW);
1252        let cmptr = SCMP_ARG_CMP{
1253            arg:0,
1254            op: SCMP_COMPARE::EQ,
1255            oprand1:1000,
1256            oprand2:10,
1257        };
1258        assert!(sccp.add_rule(SCMP_ACT::KILL, SCMP_SYS::setuid as i32, 1, cmptr) == Ok(0),"well ... if you seccomp is installed successfully it will return OK(0)");
1259        assert!(sccp.load() == Ok(0),"this will fail in wsl");
1260        println!("now if you use libc::secuid(1000) == 0 it will panic!")
1261    }
1262}