seccomp: Add tgid and tid into seccomp_data

Add the current thread and thread group IDs into the data available for seccomp-bpf programs to work on. This allows installation of filters that police syscalls based on thread or process ID, e.g. tgkill(2)/kill(2)/prctl(2).
google · May 7, 2014 · e163c63 · e163c63
1 parent 13499e6
commit e163c63
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/include/uapi/linux/seccomp.h b/include/uapi/linux/seccomp.h
@@ -54,12 +54,16 @@
  * @instruction_pointer: at the time of the system call.
  * @args: up to 6 system call arguments always stored as 64-bit values
  *        regardless of the architecture.
+ * @tgid: thread group ID of the thread executing the BPF program.
+ * @tid: thread ID of the thread executing the BPF program.
  */
 struct seccomp_data {
 	int nr;
 	__u32 arch;
 	__u64 instruction_pointer;
 	__u64 args[6];
+	__u32 tgid;
+	__u32 tid;
 };
 
 #endif /* _UAPI_LINUX_SECCOMP_H */
diff --git a/kernel/seccomp.c b/kernel/seccomp.c
@@ -114,6 +114,10 @@ u32 seccomp_bpf_load(int off)
 		return get_u32(KSTK_EIP(current), 0);
 	if (off == BPF_DATA(instruction_pointer) + sizeof(u32))
 		return get_u32(KSTK_EIP(current), 1);
+	if (off == BPF_DATA(tgid))
+		return task_tgid_vnr(current);
+	if (off == BPF_DATA(tid))
+		return task_pid_vnr(current);
 	/* seccomp_check_filter should make this impossible. */
 	BUG();
 }