seccomp/
raw.rs

1#![allow(non_camel_case_types)]
2//! The raw FFI to libseccomp.
3//! This is all unsafe. Use it only if you understand what values should be returned,
4//! what objects you need to manage, etc.
5
6use std::ffi::{c_char, c_int, c_uint, c_void};
7
8/// A SECCOMP context.
9pub type scmp_filter_ctx = *mut c_void;
10
11/// Syscall data.
12#[repr(C)]
13pub struct seccomp_data {
14    pub nr: c_int,
15    pub arch: u32,
16    pub instruction_pointer: u64,
17    pub args: [u64; 6],
18}
19
20/// A notification from the kernel.
21#[repr(C)]
22pub struct seccomp_notif {
23    pub id: u64,
24    pub pid: u32,
25    pub flags: u32,
26    pub data: seccomp_data,
27}
28
29/// A Notification Response structure.
30#[repr(C)]
31pub struct seccomp_notif_resp {
32    pub id: u64,
33    pub val: i64,
34    pub error: i32,
35    pub flags: u32,
36}
37
38/// Kill the process
39pub static SCMP_ACT_KILL_PROCESS: u32 = 0x80000000;
40
41/// Kill the thread
42pub static SCMP_ACT_KILL_THREAD: u32 = 0x00000000;
43
44/// Trap Signal
45pub static SCMP_ACT_TRAP: u32 = 0x00030000;
46
47/// Request a decision from the notify monitor.
48pub static SCMP_ACT_NOTIFY: u32 = 0x7fc00000;
49
50/// Log the request to the Audit log
51pub static SCMP_ACT_LOG: u32 = 0x7ffc0000;
52
53/// Allow the action.
54pub static SCMP_ACT_ALLOW: u32 = 0x7fff0000;
55
56/// Attributes. ACT_DEFAULT is not included because seccomp_init already takes it.
57#[repr(C)]
58pub enum scmp_filter_attr {
59    SCMP_FLTATR_ACT_BADARCH = 2,
60    SCMP_FLTATR_CTL_NNP = 3,
61    SCMP_FLTATR_CTL_TSYNC = 4,
62    SCMP_FLTATR_API_TSKIP = 5,
63    SCMP_FLTATR_CTL_LOG = 6,
64    SCMP_FLTATR_CTL_SSB = 7,
65    SCMP_FLTATR_CTL_OPTIMIZE = 8,
66    SCMP_FLTATR_API_SYSRAWRC = 9,
67}
68
69#[link(name = "seccomp")]
70unsafe extern "C" {
71
72    /// Get the current API level.
73    ///
74    /// 0. Reserved.
75    /// 1. Base Level
76    /// 2. Support for TSYNC.
77    /// 3. Support for LOG.
78    /// 4. Support for KILL_PROCESS
79    /// 5. Support for NOTIFY
80    /// 6. Simultaneous support for TSYNC and NOTIFY.
81    ///
82    /// Note: This function is never used by wrappers. You are
83    /// expected to test the API if you want to use a particular feature.
84    pub fn seccomp_api_get() -> c_uint;
85
86    /// Initialize a SECCOMP context
87    pub fn seccomp_init(def_action: u32) -> scmp_filter_ctx;
88
89    /// Release a context.
90    pub fn seccomp_release(ctx: scmp_filter_ctx);
91
92    /// Set an attribute. See seccomp.h for expected values, or see the Attributes trait.
93    pub fn seccomp_attr_set(ctx: scmp_filter_ctx, attr: scmp_filter_attr, value: u32) -> c_int;
94
95    /// Resolve names, like "ptrace" to the associated number for the current architecture
96    pub fn seccomp_syscall_resolve_name(name: *const c_char) -> c_int;
97
98    /// Resolve a syscall number with an architecture to the name.
99    pub fn seccomp_syscall_resolve_num_arch(arch_token: u32, num: c_int) -> *mut c_char;
100
101    pub fn seccomp_syscall_resolve_name_arch(arch_token: u32, name: *const c_char) -> c_int;
102
103    /// Get the native architecture.
104    pub fn seccomp_arch_native() -> u32;
105
106    /// Add a rule.
107    pub fn seccomp_rule_add(
108        ctx: scmp_filter_ctx,
109        action: u32,
110        syscall: c_int,
111        arg_cnt: c_uint,
112        ...
113    ) -> c_int;
114
115    /// Set the priority of a syscall.
116    pub fn seccomp_set_priority(ctx: scmp_filter_attr, syscall: c_int, priority: u8) -> c_int;
117
118    /// Export the filter to BPF for Bubblewrap.
119    pub fn seccomp_export_bpf(ctx: scmp_filter_ctx, fd: c_int) -> c_int;
120
121    /// Load the filter into the current process.
122    pub fn seccomp_load(ctx: scmp_filter_ctx) -> c_int;
123
124    /// Allocate a notification pair.
125    pub fn seccomp_notify_alloc(
126        req: *mut *mut seccomp_notif,
127        resp: *mut *mut seccomp_notif_resp,
128    ) -> c_int;
129
130    /// Free a notification pair.
131    pub fn seccomp_notify_free(req: *mut seccomp_notif, resp: *mut seccomp_notif_resp);
132
133    /// Receive an event from the kernel.
134    pub fn seccomp_notify_receive(fd: c_int, req: *mut seccomp_notif) -> c_int;
135
136    /// Send a response to an event.
137    pub fn seccomp_notify_respond(fd: c_int, resp: *mut seccomp_notif_resp) -> c_int;
138
139    /// Check if a event is still valid.
140    pub fn seccomp_notify_id_valid(fd: c_int, id: u64) -> c_int;
141
142    /// Get the Notify FD to receive and respond over.
143    pub fn seccomp_notify_fd(ctx: scmp_filter_ctx) -> c_int;
144}