seccomp: add "seccomp" syscall
This adds the new "seccomp" syscall with both an "operation" and "flags" parameter for future expansion. The third argument is a pointer value, used with the SECCOMP_SET_MODE_FILTER operation. Currently, flags must be 0. This is functionally equivalent to prctl(PR_SET_SECCOMP, ...).

In addition to the TSYNC flag later in this patch series, there is a non-zero chance that this syscall could be used for configuring a fixed argument area for seccomp-tracer-aware processes to pass syscall arguments in the future. Hence, the use of "seccomp" not simply "seccomp_add_filter" for this syscall. Additionally, this syscall uses operation, flags, and user pointer for arguments because strictly passing arguments via a user pointer would mean seccomp itself would be unable to trivially filter the seccomp syscall itself.

Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Reviewed-by: Andy Lutomirski <luto@amacapital.net>
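The equivalence the commit message states, as an added example that is not part of this commit: a BPF filter is installed through the new seccomp(2) syscall with flags 0, falling back to prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...) on kernels that return ENOSYS, and the filter itself refuses any later seccomp(2) call, the self-filtering case the message gives as the reason for passing operation and flags as plain arguments. It assumes Linux on x86_64 with kernel uapi headers installed; the sock_filter program and the AUDIT_ARCH_X86_64 check are mine, not the kernel's.

```c
/* Added example, not from the patch: install a seccomp-bpf filter via seccomp(2),
 * falling back to the equivalent prctl(2); the filter refuses later seccomp(2) calls. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

static struct sock_filter filter[] = {
    /* Kill unless the arch is x86_64, which the syscall number below assumes. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    /* Refuse further seccomp(2) calls with EPERM; allow every other syscall. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_seccomp, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

struct sock_fprog make_prog(void)
{
    struct sock_fprog prog = { sizeof(filter) / sizeof(filter[0]), filter };
    return prog;
}

/* With flags == 0, seccomp(SECCOMP_SET_MODE_FILTER, 0, prog) is equivalent to
 * prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, prog); use prctl when the kernel
 * lacks the syscall. PR_SET_NO_NEW_PRIVS lets an unprivileged process install it. */
int install_filter(struct sock_fprog *prog)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    if (syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, prog) == 0)
        return 0;
    return errno == ENOSYS ? prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, prog) : -1;
}

int main(void)
{
    struct sock_fprog prog = make_prog();
    if (install_filter(&prog) != 0) { perror("install_filter"); return 1; }
    /* The installed filter now rejects a second installation attempt with EPERM. */
    if (syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog) == -1)
        perror("second seccomp()");
    return 0;
}
```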
Showing:
- arch/Kconfig (1 addition, 0 deletions)
- arch/x86/syscalls/syscall_32.tbl (1 addition, 0 deletions)
- arch/x86/syscalls/syscall_64.tbl (1 addition, 0 deletions)
- include/linux/syscalls.h (2 additions, 0 deletions)
- include/uapi/asm-generic/unistd.h (3 additions, 1 deletion)
- include/uapi/linux/seccomp.h (4 additions, 0 deletions)
- kernel/seccomp.c (50 additions, 5 deletions)
- kernel/sys_ni.c (3 additions, 0 deletions)