OLD | NEW |
---|---|
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #ifndef SANDBOX_LINUX_SECCOMP_BPF_LINUX_SECCOMP_H__ | 5 #ifndef SANDBOX_LINUX_SECCOMP_BPF_LINUX_SECCOMP_H__ |
6 #define SANDBOX_LINUX_SECCOMP_BPF_LINUX_SECCOMP_H__ | 6 #define SANDBOX_LINUX_SECCOMP_BPF_LINUX_SECCOMP_H__ |
7 | 7 |
8 // The Seccomp2 kernel ABI is not part of older versions of glibc. | 8 // The Seccomp2 kernel ABI is not part of older versions of glibc. |
9 // As we can't break compilation with these versions of the library, | 9 // As we can't break compilation with these versions of the library, |
10 // we explicitly define all missing symbols. | 10 // we explicitly define all missing symbols. |
11 // If we ever decide that we can now rely on system headers, the following | 11 // If we ever decide that we can now rely on system headers, the following |
12 // include files should be enabled: | 12 // include files should be enabled: |
13 // #include <linux/audit.h> | 13 // #include <linux/audit.h> |
14 // #include <linux/seccomp.h> | 14 // #include <linux/seccomp.h> |
15 | 15 |
16 #include <asm/unistd.h> | 16 #include <asm/unistd.h> |
17 #include <linux/filter.h> | 17 #include <linux/filter.h> |
18 | |
19 #include <sys/cdefs.h> | 18 #include <sys/cdefs.h> |
20 // Old Bionic versions do not have sys/user.h. The if can be removed once we no | 19 // Old Bionic versions do not have sys/user.h. The if can be removed once we no |
21 // longer need to support these old Bionic versions. | 20 // longer need to support these old Bionic versions. |
22 // All x86_64 builds use a new enough bionic to have sys/user.h. | 21 // All x86_64 builds use a new enough bionic to have sys/user.h. |
23 #if !defined(__BIONIC__) || defined(__x86_64__) | 22 #if !defined(__BIONIC__) || defined(__x86_64__) |
23 #if defined(__mips__) | |
24 // sys/user.h in eglibc misses size_t definition | |
25 #include <unistd.h> | |
26 #endif | |
24 #include <sys/user.h> | 27 #include <sys/user.h> |
25 #endif | 28 #endif |
26 | 29 |
27 // For audit.h | 30 // For audit.h |
28 #ifndef EM_ARM | 31 #ifndef EM_ARM |
29 #define EM_ARM 40 | 32 #define EM_ARM 40 |
30 #endif | 33 #endif |
31 #ifndef EM_386 | 34 #ifndef EM_386 |
32 #define EM_386 3 | 35 #define EM_386 3 |
33 #endif | 36 #endif |
34 #ifndef EM_X86_64 | 37 #ifndef EM_X86_64 |
35 #define EM_X86_64 62 | 38 #define EM_X86_64 62 |
36 #endif | 39 #endif |
40 #ifndef EM_MIPS | |
41 #define EM_MIPS 8 | |
42 #endif | |
37 | 43 |
38 #ifndef __AUDIT_ARCH_64BIT | 44 #ifndef __AUDIT_ARCH_64BIT |
39 #define __AUDIT_ARCH_64BIT 0x80000000 | 45 #define __AUDIT_ARCH_64BIT 0x80000000 |
40 #endif | 46 #endif |
41 #ifndef __AUDIT_ARCH_LE | 47 #ifndef __AUDIT_ARCH_LE |
42 #define __AUDIT_ARCH_LE 0x40000000 | 48 #define __AUDIT_ARCH_LE 0x40000000 |
43 #endif | 49 #endif |
44 #ifndef AUDIT_ARCH_ARM | 50 #ifndef AUDIT_ARCH_ARM |
45 #define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE) | 51 #define AUDIT_ARCH_ARM (EM_ARM|__AUDIT_ARCH_LE) |
46 #endif | 52 #endif |
47 #ifndef AUDIT_ARCH_I386 | 53 #ifndef AUDIT_ARCH_I386 |
48 #define AUDIT_ARCH_I386 (EM_386|__AUDIT_ARCH_LE) | 54 #define AUDIT_ARCH_I386 (EM_386|__AUDIT_ARCH_LE) |
49 #endif | 55 #endif |
50 #ifndef AUDIT_ARCH_X86_64 | 56 #ifndef AUDIT_ARCH_X86_64 |
51 #define AUDIT_ARCH_X86_64 (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) | 57 #define AUDIT_ARCH_X86_64 (EM_X86_64|__AUDIT_ARCH_64BIT|__AUDIT_ARCH_LE) |
52 #endif | 58 #endif |
59 #ifndef AUDIT_ARCH_MIPSEL | |
60 #define AUDIT_ARCH_MIPSEL (EM_MIPS|__AUDIT_ARCH_LE) | |
61 #endif | |
53 | 62 |
54 // For prctl.h | 63 // For prctl.h |
55 #ifndef PR_SET_SECCOMP | 64 #ifndef PR_SET_SECCOMP |
56 #define PR_SET_SECCOMP 22 | 65 #define PR_SET_SECCOMP 22 |
57 #define PR_GET_SECCOMP 21 | 66 #define PR_GET_SECCOMP 21 |
58 #endif | 67 #endif |
59 #ifndef PR_SET_NO_NEW_PRIVS | 68 #ifndef PR_SET_NO_NEW_PRIVS |
60 #define PR_SET_NO_NEW_PRIVS 38 | 69 #define PR_SET_NO_NEW_PRIVS 38 |
61 #define PR_GET_NO_NEW_PRIVS 39 | 70 #define PR_GET_NO_NEW_PRIVS 39 |
62 #endif | 71 #endif |
(...skipping 216 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
279 #define SECCOMP_PT_RESULT(_regs) (_regs).REG_r0 | 288 #define SECCOMP_PT_RESULT(_regs) (_regs).REG_r0 |
280 #define SECCOMP_PT_SYSCALL(_regs) (_regs).REG_r7 | 289 #define SECCOMP_PT_SYSCALL(_regs) (_regs).REG_r7 |
281 #define SECCOMP_PT_IP(_regs) (_regs).REG_pc | 290 #define SECCOMP_PT_IP(_regs) (_regs).REG_pc |
282 #define SECCOMP_PT_PARM1(_regs) (_regs).REG_r0 | 291 #define SECCOMP_PT_PARM1(_regs) (_regs).REG_r0 |
283 #define SECCOMP_PT_PARM2(_regs) (_regs).REG_r1 | 292 #define SECCOMP_PT_PARM2(_regs) (_regs).REG_r1 |
284 #define SECCOMP_PT_PARM3(_regs) (_regs).REG_r2 | 293 #define SECCOMP_PT_PARM3(_regs) (_regs).REG_r2 |
285 #define SECCOMP_PT_PARM4(_regs) (_regs).REG_r3 | 294 #define SECCOMP_PT_PARM4(_regs) (_regs).REG_r3 |
286 #define SECCOMP_PT_PARM5(_regs) (_regs).REG_r4 | 295 #define SECCOMP_PT_PARM5(_regs) (_regs).REG_r4 |
287 #define SECCOMP_PT_PARM6(_regs) (_regs).REG_r5 | 296 #define SECCOMP_PT_PARM6(_regs) (_regs).REG_r5 |
288 | 297 |
298 #elif defined(__mips__) && (_MIPS_SIM == _MIPS_SIM_ABI32) | |
299 #define MIN_SYSCALL __NR_O32_Linux | |
300 #define MAX_PUBLIC_SYSCALL (MIN_SYSCALL + __NR_Linux_syscalls) | |
301 #define MAX_SYSCALL MAX_PUBLIC_SYSCALL | |
302 #define SECCOMP_ARCH AUDIT_ARCH_MIPSEL | |
303 | |
304 // MIPS sigcontext_t is different from i386/x86_64 and ARM. | |
305 // See </arch/mips/include/uapi/asm/sigcontext.h> in the Linux kernel. | |
306 #define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.gregs[_reg]) | |
307 // Based on MIPS o32 ABI syscall convention. | |
308 // On MIPS, when indirect syscall is being made (syscall(__NR_foo)), | |
309 // real identificator (__NR_foo) is not in v0, but in a0 | |
310 #define SECCOMP_RESULT(_ctx) SECCOMP_REG(_ctx, 2) | |
311 #define SECCOMP_SYSCALL(_ctx) SECCOMP_REG(_ctx, 2) | |
312 #define SECCOMP_IP(_ctx) (_ctx)->uc_mcontext.pc | |
313 #define SECCOMP_PARM1(_ctx) SECCOMP_REG(_ctx, 4) | |
314 #define SECCOMP_PARM2(_ctx) SECCOMP_REG(_ctx, 5) | |
315 #define SECCOMP_PARM3(_ctx) SECCOMP_REG(_ctx, 6) | |
316 #define SECCOMP_PARM4(_ctx) SECCOMP_REG(_ctx, 7) | |
317 // Only the first 4 arguments of syscall are in registers. | |
318 // The rest are on the stack. | |
jln (very slow on Chromium)
2014/06/20 00:37:06
By the way, how does the kernel handle that?
The
nedeljko
2014/06/20 14:09:51
Yes, you are correct. Kernel copies arguments befo
| |
319 #define SECCOMP_PARM5(_ctx) (long int)(*((intptr_t*)SECCOMP_REG(_ctx, \ | |
320 29) + 4)) | |
321 #define SECCOMP_PARM6(_ctx) (long int)(*((intptr_t*)SECCOMP_REG(_ctx, \ | |
322 29) + 5)) | |
323 #define SECCOMP_NR_IDX (offsetof(struct arch_seccomp_data, nr)) | |
324 #define SECCOMP_ARCH_IDX (offsetof(struct arch_seccomp_data, arch)) | |
325 #define SECCOMP_IP_MSB_IDX (offsetof(struct arch_seccomp_data, \ | |
326 instruction_pointer) + 4) | |
327 #define SECCOMP_IP_LSB_IDX (offsetof(struct arch_seccomp_data, \ | |
328 instruction_pointer) + 0) | |
329 #define SECCOMP_ARG_MSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \ | |
330 8*(nr) + 4) | |
331 #define SECCOMP_ARG_LSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \ | |
332 8*(nr) + 0) | |
333 | |
334 // On Mips we don't have structures like user_regs or user_regs_struct in | |
335 // sys/user.h that we could use, so we just define regs_struct directly. | |
336 struct regs_struct { | |
337 unsigned long long regs[32]; | |
338 }; | |
339 | |
340 #define REG_a3 regs[7] | |
341 #define REG_a2 regs[6] | |
342 #define REG_a1 regs[5] | |
343 #define REG_a0 regs[4] | |
344 #define REG_v1 regs[3] | |
345 #define REG_v0 regs[2] | |
346 | |
347 #define SECCOMP_PT_RESULT(_regs) (_regs).REG_v0 | |
348 #define SECCOMP_PT_SYSCALL(_regs) (_regs).REG_v0 | |
349 #define SECCOMP_PT_PARM1(_regs) (_regs).REG_a0 | |
350 #define SECCOMP_PT_PARM2(_regs) (_regs).REG_a1 | |
351 #define SECCOMP_PT_PARM3(_regs) (_regs).REG_a2 | |
352 #define SECCOMP_PT_PARM4(_regs) (_regs).REG_a3 | |
353 | |
289 #else | 354 #else |
290 #error Unsupported target platform | 355 #error Unsupported target platform |
291 | 356 |
292 #endif | 357 #endif |
293 | 358 |
294 #endif // SANDBOX_LINUX_SECCOMP_BPF_LINUX_SECCOMP_H__ | 359 #endif // SANDBOX_LINUX_SECCOMP_BPF_LINUX_SECCOMP_H__ |
OLD | NEW |