Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
tag: v2.6.19-rc1
Fetching contributors…

Octocat-spinner-32-eaf2f5

Cannot retrieve contributors at this time

file 57 lines (49 sloc) 1.155 kb
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56
/*
* linux/kernel/seccomp.c
*
* Copyright 2004-2005 Andrea Arcangeli <andrea@cpushare.com>
*
* This defines a simple but solid secure-computing mode.
*/

#include <linux/seccomp.h>
#include <linux/sched.h>

/* #define SECCOMP_DEBUG 1 */

/*
* Secure computing mode 1 allows only read/write/exit/sigreturn.
* To be fully secure this must be combined with rlimit
* to limit the stack allocations too.
*/
static int mode1_syscalls[] = {
__NR_seccomp_read, __NR_seccomp_write, __NR_seccomp_exit, __NR_seccomp_sigreturn,
0, /* null terminated */
};

#ifdef TIF_32BIT
static int mode1_syscalls_32[] = {
__NR_seccomp_read_32, __NR_seccomp_write_32, __NR_seccomp_exit_32, __NR_seccomp_sigreturn_32,
0, /* null terminated */
};
#endif

void __secure_computing(int this_syscall)
{
int mode = current->seccomp.mode;
int * syscall;

switch (mode) {
case 1:
syscall = mode1_syscalls;
#ifdef TIF_32BIT
if (test_thread_flag(TIF_32BIT))
syscall = mode1_syscalls_32;
#endif
do {
if (*syscall == this_syscall)
return;
} while (*++syscall);
break;
default:
BUG();
}

#ifdef SECCOMP_DEBUG
dump_stack();
#endif
do_exit(SIGKILL);
}
Something went wrong with that request. Please try again.