/linux/kernel/ |
A D | seccomp.c | 402 READ_ONCE(current->seccomp.filter); in seccomp_run_filters() 431 if (current->seccomp.mode && current->seccomp.mode != seccomp_mode) in seccomp_may_assign_mode() 445 task->seccomp.mode = seccomp_mode; in seccomp_assign_mode() 499 caller->seccomp.filter))) in seccomp_can_sync_threads() 565 tsk->seccomp.filter = NULL; in seccomp_filter_release() 603 caller->seccomp.filter); in seccomp_sync_threads() 900 current->seccomp.filter = filter; in seccomp_attach_filter() 1020 int mode = current->seccomp.mode; in secure_computing_strict() 1296 int mode = current->seccomp.mode; in __secure_computing() 1320 return current->seccomp.mode; in prctl_get_seccomp() [all …]
|
A D | .seccomp.o.cmd | 1 …seccomp.o := /usr/bin/ccache /home/test/workspace/code/optee_3.16/build/../toolchains/aarch64/bin/… 3 source_kernel/seccomp.o := kernel/seccomp.c 5 deps_kernel/seccomp.o := \ 583 include/linux/seccomp.h \ 585 include/uapi/linux/seccomp.h \ 586 arch/arm64/include/asm/seccomp.h \ 590 include/asm-generic/seccomp.h \ 1486 kernel/seccomp.o: $(deps_kernel/seccomp.o) 1488 $(deps_kernel/seccomp.o):
|
A D | .built-in.a.cmd | 1 … kernel/audit_watch.o kernel/audit_fsnotify.o kernel/audit_tree.o kernel/seccomp.o kernel/utsname_…
|
A D | ptrace.c | 671 if (seccomp_mode(&current->seccomp) != SECCOMP_MODE_DISABLED || in ptrace_setoptions() 967 info->seccomp.ret_data = child->ptrace_message; in ptrace_get_syscall_info_seccomp() 970 return offsetofend(struct ptrace_syscall_info, seccomp.ret_data); in ptrace_get_syscall_info_seccomp()
|
A D | Makefile | 98 obj-$(CONFIG_SECCOMP) += seccomp.o
|
A D | sys_ni.c | 334 COND_SYSCALL(seccomp);
|
A D | built-in.a | 175 seccomp.o/
|
/linux/Documentation/userspace-api/ |
A D | seccomp_filter.rst | 46 An additional seccomp mode is added and is enabled using the same 47 prctl(2) call as the strict seccomp. If the architecture has 149 The seccomp check will not be run again after the tracer is 150 notified. (This means that seccomp-based sandboxes MUST NOT 200 argument to the ``seccomp()`` syscall: 244 seccomp(SECCOMP_GET_NOTIF_SIZES, 0, &sizes); 247 samples/seccomp/user-trap.c for an example. 294 The list represents the set of seccomp return values supported 296 determine if the actions found in the ``seccomp.h``, when the 316 support seccomp filter with minor fixup: ``SIGSYS`` support and seccomp return [all …]
|
A D | no_new_privs.rst | 47 - Filters installed for the seccomp mode 2 sandbox persist across
|
/linux/include/linux/ |
A D | seccomp.h | 35 struct seccomp { struct 56 static inline int seccomp_mode(struct seccomp *s) in seccomp_mode() argument 65 struct seccomp { }; struct 86 static inline int seccomp_mode(struct seccomp *s) in seccomp_mode()
|
/linux/tools/testing/selftests/seccomp/ |
A D | seccomp_bpf.c | 271 #ifndef seccomp 822 ASSERT_EQ(0, seccomp(SECCOMP_SET_MODE_FILTER, 0, in kill_thread_or_group() 2082 FIXTURE_VARIANT_ADD(TRACE_syscall, seccomp) { in FIXTURE_VARIANT_ADD() argument 2254 ret = seccomp(-1, 0, &prog); in TEST() 2263 ret = seccomp(SECCOMP_SET_MODE_STRICT, -1, NULL); in TEST() 2267 ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, &prog); in TEST() 2277 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, NULL); in TEST() 2282 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog); in TEST() 2305 ret = seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog); in TEST() 2319 ret = seccomp(SECCOMP_SET_MODE_STRICT, 0, NULL); in TEST() [all …]
|
/linux/Documentation/features/seccomp/seccomp-filter/ |
A D | arch-support.txt | 2 # Feature name: seccomp-filter 4 # description: arch supports seccomp filters
|
/linux/samples/seccomp/ |
A D | user-trap.c | 26 static int seccomp(unsigned int op, unsigned int flags, void *args) in seccomp() function 101 return seccomp(SECCOMP_SET_MODE_FILTER, flags, &prog); in user_trap_syscall() 293 if (seccomp(SECCOMP_GET_NOTIF_SIZES, 0, &sizes) < 0) { in main()
|
/linux/samples/ |
A D | Makefile | 20 subdir-$(CONFIG_SAMPLE_SECCOMP) += seccomp
|
A D | Kconfig | 157 bool "Build seccomp sample code" 160 Build samples of seccomp filters using various methods of
|
/linux/include/uapi/linux/ |
A D | ptrace.h | 101 } seccomp; member
|
/linux/arch/ |
A D | Kconfig | 472 An arch should select this symbol to support seccomp mode 1 (the fixed 474 and compat syscalls if the asm-generic/seccomp.h defaults need adjustment: 494 - seccomp syscall wired up 500 prompt "Enable seccomp to safely execute untrusted bytecode" 509 own address space using seccomp. Once seccomp is enabled via 510 prctl(PR_SET_SECCOMP) or the seccomp() syscall, it cannot be 512 syscalls defined by each seccomp mode. 527 bool "Show seccomp filter cache status in /proc/pid/seccomp_cache" 532 seccomp cache data. The file format is subject to change. Reading 536 an adversary may be able to infer the seccomp filter logic.
|
/linux/arch/mips/kernel/ |
A D | scall64-n32.S | 78 bltz v0, 1f # seccomp failed? Skip syscall
|
A D | scall64-n64.S | 89 bltz v0, 1f # seccomp failed? Skip syscall
|
A D | scall32-o32.S | 129 bltz v0, 1f # seccomp failed? Skip syscall
|
A D | scall64-o32.S | 133 bltz v0, 1f # seccomp failed? Skip syscall
|
/linux/init/ |
A D | init_task.c | 215 .seccomp = { .filter_count = ATOMIC_INIT(0) },
|
/linux/tools/testing/selftests/ |
A D | Makefile | 57 TARGETS += seccomp
|
/linux/Documentation/security/ |
A D | landlock.rst | 36 seccomp-bpf.
|
/linux/fs/proc/ |
A D | array.c | 334 seq_put_decimal_ull(m, "\nSeccomp:\t", p->seccomp.mode); in task_seccomp() 337 atomic_read(&p->seccomp.filter_count)); in task_seccomp()
|