seccomp/seccomp_functions.h

This is seccomp/seccomp_functions.h, an example to accompany the book, The Linux Programming Interface.

This file is not printed in the book; it demonstrates Linux features that are not described in the book (typically features that have appeared since the book was published).

The source code file is copyright 2022, Michael Kerrisk, and is licensed under the GNU General Public License, version 3.

In the listing below, the names of Linux system calls and C library functions are hyperlinked to manual pages from the Linux man-pages project, and the names of functions implemented in the book are hyperlinked to the implementations of those functions.

 

Download seccomp/seccomp_functions.h

  Cover of The Linux Programming Interface
/* seccomp_functions.h

   Header file for seccomp_functions.c
*/
#include <linux/seccomp.h>
#include <stdbool.h>
#include <stdint.h>
#include <sys/types.h>

int seccomp(unsigned int operation, unsigned int flags, void *args);

/* Check that the notification ID provided by a SECCOMP_IOCTL_NOTIF_RECV
   operation is still valid. It will no longer be valid if the target
   process has terminated or is no longer blocked in the system call that
   generated the notification (because it was interrupted by a signal).

   This operation can be used when doing such things as accessing
   /proc/PID files in the target process in order to avoid TOCTOU race
   conditions where the PID that is returned by SECCOMP_IOCTL_NOTIF_RECV
   terminates and is reused by another process. */

bool cookieIsValid(int notifyFd, uint64_t id);

/* Access the memory of the target process (req->pid) of a seccomp user-space
   notification in order to fetch the pathname referred to by the system call
   argument 'argNum' in 'req->data.args[]'. The pathname is returned in
   'path', a buffer of 'len' bytes allocated by the caller. (This buffer
   should be sized using PATH_MAX.)

   Returns 0 if the pathname is successfully fetched.
   On error, one of the negative values below is returned. */

#define GTP_BAD_READ        -1  /* Error opening/reading /proc/PID/mem */
#define GTP_ID_NOT_VALID    -2  /* Cookie check failed */
#define GTP_BAD_PATH        -3  /* Pathname read from target's memory
                                   is badly formed */

int getTargetPathname(struct seccomp_notif *req, int notifyFd,
        int argNum, char *path, size_t len);

/* Allocate buffers for the seccomp user-space notification request and
   response structures. It is the caller's responsibility to free the
   buffers returned via 'req' and 'resp'. */

void allocSeccompNotifBuffers(struct seccomp_notif **req,
        struct seccomp_notif_resp **resp, struct seccomp_notif_sizes *sizes);

 

Download seccomp/seccomp_functions.h

Note that, in most cases, the programs rendered in these web pages are not free standing: you'll typically also need a few other source files (mostly in the lib/ subdirectory) as well. Generally, it's easier to just download the entire source tarball and build the programs with make(1). By hovering your mouse over the various hyperlinked include files and function calls above, you can see which other source files this file depends on.

Valid XHTML 1.1