1/** Seccomp bindings
3 /usr/include/seccomp.h -> public APIs
4 /usr/include/asm/unistd_64.h -> Syscalls
6*/
// The syscall table below holds x86_64 numbers only, so a build for any other
// target would install a filter that matches the wrong syscalls. Fail loudly.
#assert(CPU == .X64 && OS == .LINUX) "Only x64 Linux support. Sorry!";
/** Filter actions, mirroring the SCMP_ACT_* constants of seccomp.h.

    The values are what libseccomp hands to the kernel and must not be edited.
    The action passed to seccomp_init is the *default* action: it applies to
    every syscall that no rule added later matches, so choose it deliberately.

    Security notes for sandbox authors:
      - KILL_PROCESS terminates the whole process. KILL_THREAD only kills the
        offending thread, which can leave a multithreaded program running in a
        half-broken state; KILL_PROCESS is the safer default.
      - LOG and ALLOW both let the syscall through. LOG merely audits it, so a
        LOG default means "observe", not "enforce".
      - NOTIFY and USER_NOTIF share one value (libseccomp vs. kernel naming).
      - Actions that carry a 16-bit payload (errno value, trace message) cannot
        be enum members; see SCMP_ACT_ERRNO / SCMP_ACT_TRACE further down. Their
        `int` result has to be cast to Scmp_Action before it can be passed to
        seccomp_init or seccomp_rule_add.

    NOTE(review): with no explicit base type this enum is s64, while seccomp.h
    declares the action parameter as uint32_t. It works on the x64 SysV ABI
    because the callee reads only the low 32 bits of the register, but
    `enum u32 #specified` would make the ABI width explicit — confirm no caller
    depends on the s64 width before changing it.
*/
Scmp_Action :: enum #specified {
    KILL_PROCESS :: 0x80000000;  // SIGSYS to the whole process
    KILL_THREAD :: 0x00000000;   // SIGSYS to the calling thread only
    /** KILL omitted: in seccomp.h it is an alias of KILL_THREAD kept for backward compatibility. */
    TRAP :: 0x00030000;          // SIGSYS delivered, syscall not executed (catchable)
    NOTIFY :: 0x7fc00000;        // forward the call to a user-space notification listener

    /** libseccomp has macros for actions that embed an errno value or a trace
        message number. An enum can't express those, so they live in the
        SCMP_ACT_ERRNO / SCMP_ACT_TRACE procs below.
    */

    LOG :: 0x7ffc0000;           // allow, but audit-log the call
    ALLOW :: 0x7fff0000;         // allow silently
    USER_NOTIF :: 0x7fc00000;    // same value as NOTIFY (kernel's SECCOMP_RET_USER_NOTIF name)
}
29// TODO: bindings generator for libseccomp
31/** from unistd_64.h
33 There's also the idea of translating the SCMP_SYS macro to Jai and
34 use a more generic approach with asm/unistd.h as presented in libseccomp.
36 But Jai only supports X64 OOTB anyway, so it makes
37 no sense to go the extra mile for a generic approach.
39 The syscall enum is extracted via a script from unistd_64.h directly.
40 I'll create a generate.jai for libseccomp, so we do not rely on a Python script
41 for that.
 Note: these numbers are valid for the native x86_64 ABI only. The exact arch
 must therefore be asserted, otherwise the filter matches the wrong syscalls!
 Both the compile-time #assert at the top of the file and the check inside
 seccomp_init test CPU/OS for this.
46*/
/** x86_64 syscall numbers (__NR_*) extracted from asm/unistd_64.h. The values
    are the kernel's; never edit them by hand — regenerate the table instead.

    This table is only valid for the native x86_64 ABI: i386 uses a different
    numbering and x32 sets bit 30 (0x40000000) on top of these numbers, which
    is why the file refuses to build for any other target. libseccomp applies
    a filter to the arch(es) registered on the ctx; how a call made through a
    non-native ABI is treated is governed by the filter's bad-arch attribute
    (SCMP_FLTATR_ACT_BADARCH, see seccomp_attr_set(3)), not by this table —
    check it when sandboxing.

    The gap between 336 and 424 is real: since the per-arch tables were
    unified, new syscalls are numbered from 424 on every architecture.

    NOTE(review): without an explicit base type the enum is s64 while
    seccomp_rule_add takes `int`. That is fine on x64 SysV for these values,
    but `enum s32 #specified` would state the ABI width explicitly.
*/
Scmp_Syscall_x64 :: enum #specified {
    READ :: 0;
    WRITE :: 1;
    OPEN :: 2;
    CLOSE :: 3;
    STAT :: 4;
    FSTAT :: 5;
    LSTAT :: 6;
    POLL :: 7;
    LSEEK :: 8;
    MMAP :: 9;
    MPROTECT :: 10;
    MUNMAP :: 11;
    BRK :: 12;
    RT_SIGACTION :: 13;
    RT_SIGPROCMASK :: 14;
    RT_SIGRETURN :: 15;
    IOCTL :: 16;
    PREAD64 :: 17;
    PWRITE64 :: 18;
    READV :: 19;
    WRITEV :: 20;
    ACCESS :: 21;
    PIPE :: 22;
    SELECT :: 23;
    SCHED_YIELD :: 24;
    MREMAP :: 25;
    MSYNC :: 26;
    MINCORE :: 27;
    MADVISE :: 28;
    SHMGET :: 29;
    SHMAT :: 30;
    SHMCTL :: 31;
    DUP :: 32;
    DUP2 :: 33;
    PAUSE :: 34;
    NANOSLEEP :: 35;
    GETITIMER :: 36;
    ALARM :: 37;
    SETITIMER :: 38;
    GETPID :: 39;
    SENDFILE :: 40;
    SOCKET :: 41;
    CONNECT :: 42;
    ACCEPT :: 43;
    SENDTO :: 44;
    RECVFROM :: 45;
    SENDMSG :: 46;
    RECVMSG :: 47;
    SHUTDOWN :: 48;
    BIND :: 49;
    LISTEN :: 50;
    GETSOCKNAME :: 51;
    GETPEERNAME :: 52;
    SOCKETPAIR :: 53;
    SETSOCKOPT :: 54;
    GETSOCKOPT :: 55;
    CLONE :: 56;
    FORK :: 57;
    VFORK :: 58;
    EXECVE :: 59;
    EXIT :: 60;
    WAIT4 :: 61;
    KILL :: 62;
    UNAME :: 63;
    SEMGET :: 64;
    SEMOP :: 65;
    SEMCTL :: 66;
    SHMDT :: 67;
    MSGGET :: 68;
    MSGSND :: 69;
    MSGRCV :: 70;
    MSGCTL :: 71;
    FCNTL :: 72;
    FLOCK :: 73;
    FSYNC :: 74;
    FDATASYNC :: 75;
    TRUNCATE :: 76;
    FTRUNCATE :: 77;
    GETDENTS :: 78;
    GETCWD :: 79;
    CHDIR :: 80;
    FCHDIR :: 81;
    RENAME :: 82;
    MKDIR :: 83;
    RMDIR :: 84;
    CREAT :: 85;
    LINK :: 86;
    UNLINK :: 87;
    SYMLINK :: 88;
    READLINK :: 89;
    CHMOD :: 90;
    FCHMOD :: 91;
    CHOWN :: 92;
    FCHOWN :: 93;
    LCHOWN :: 94;
    UMASK :: 95;
    GETTIMEOFDAY :: 96;
    GETRLIMIT :: 97;
    GETRUSAGE :: 98;
    SYSINFO :: 99;
    TIMES :: 100;
    PTRACE :: 101;
    GETUID :: 102;
    SYSLOG :: 103;
    GETGID :: 104;
    SETUID :: 105;
    SETGID :: 106;
    GETEUID :: 107;
    GETEGID :: 108;
    SETPGID :: 109;
    GETPPID :: 110;
    GETPGRP :: 111;
    SETSID :: 112;
    SETREUID :: 113;
    SETREGID :: 114;
    GETGROUPS :: 115;
    SETGROUPS :: 116;
    SETRESUID :: 117;
    GETRESUID :: 118;
    SETRESGID :: 119;
    GETRESGID :: 120;
    GETPGID :: 121;
    SETFSUID :: 122;
    SETFSGID :: 123;
    GETSID :: 124;
    CAPGET :: 125;
    CAPSET :: 126;
    RT_SIGPENDING :: 127;
    RT_SIGTIMEDWAIT :: 128;
    RT_SIGQUEUEINFO :: 129;
    RT_SIGSUSPEND :: 130;
    SIGALTSTACK :: 131;
    UTIME :: 132;
    MKNOD :: 133;
    USELIB :: 134;
    PERSONALITY :: 135;
    USTAT :: 136;
    STATFS :: 137;
    FSTATFS :: 138;
    SYSFS :: 139;
    GETPRIORITY :: 140;
    SETPRIORITY :: 141;
    SCHED_SETPARAM :: 142;
    SCHED_GETPARAM :: 143;
    SCHED_SETSCHEDULER :: 144;
    SCHED_GETSCHEDULER :: 145;
    SCHED_GET_PRIORITY_MAX :: 146;
    SCHED_GET_PRIORITY_MIN :: 147;
    SCHED_RR_GET_INTERVAL :: 148;
    MLOCK :: 149;
    MUNLOCK :: 150;
    MLOCKALL :: 151;
    MUNLOCKALL :: 152;
    VHANGUP :: 153;
    MODIFY_LDT :: 154;
    PIVOT_ROOT :: 155;
    _SYSCTL :: 156;
    PRCTL :: 157;
    ARCH_PRCTL :: 158;
    ADJTIMEX :: 159;
    SETRLIMIT :: 160;
    CHROOT :: 161;
    SYNC :: 162;
    ACCT :: 163;
    SETTIMEOFDAY :: 164;
    MOUNT :: 165;
    UMOUNT2 :: 166;
    SWAPON :: 167;
    SWAPOFF :: 168;
    REBOOT :: 169;
    SETHOSTNAME :: 170;
    SETDOMAINNAME :: 171;
    IOPL :: 172;
    IOPERM :: 173;
    CREATE_MODULE :: 174;
    INIT_MODULE :: 175;
    DELETE_MODULE :: 176;
    GET_KERNEL_SYMS :: 177;
    QUERY_MODULE :: 178;
    QUOTACTL :: 179;
    NFSSERVCTL :: 180;
    GETPMSG :: 181;
    PUTPMSG :: 182;
    AFS_SYSCALL :: 183;
    TUXCALL :: 184;
    SECURITY :: 185;
    GETTID :: 186;
    READAHEAD :: 187;
    SETXATTR :: 188;
    LSETXATTR :: 189;
    FSETXATTR :: 190;
    GETXATTR :: 191;
    LGETXATTR :: 192;
    FGETXATTR :: 193;
    LISTXATTR :: 194;
    LLISTXATTR :: 195;
    FLISTXATTR :: 196;
    REMOVEXATTR :: 197;
    LREMOVEXATTR :: 198;
    FREMOVEXATTR :: 199;
    TKILL :: 200;
    TIME :: 201;
    FUTEX :: 202;
    SCHED_SETAFFINITY :: 203;
    SCHED_GETAFFINITY :: 204;
    SET_THREAD_AREA :: 205;
    IO_SETUP :: 206;
    IO_DESTROY :: 207;
    IO_GETEVENTS :: 208;
    IO_SUBMIT :: 209;
    IO_CANCEL :: 210;
    GET_THREAD_AREA :: 211;
    LOOKUP_DCOOKIE :: 212;
    EPOLL_CREATE :: 213;
    EPOLL_CTL_OLD :: 214;
    EPOLL_WAIT_OLD :: 215;
    REMAP_FILE_PAGES :: 216;
    GETDENTS64 :: 217;
    SET_TID_ADDRESS :: 218;
    RESTART_SYSCALL :: 219;
    SEMTIMEDOP :: 220;
    FADVISE64 :: 221;
    TIMER_CREATE :: 222;
    TIMER_SETTIME :: 223;
    TIMER_GETTIME :: 224;
    TIMER_GETOVERRUN :: 225;
    TIMER_DELETE :: 226;
    CLOCK_SETTIME :: 227;
    CLOCK_GETTIME :: 228;
    CLOCK_GETRES :: 229;
    CLOCK_NANOSLEEP :: 230;
    EXIT_GROUP :: 231;
    EPOLL_WAIT :: 232;
    EPOLL_CTL :: 233;
    TGKILL :: 234;
    UTIMES :: 235;
    VSERVER :: 236;
    MBIND :: 237;
    SET_MEMPOLICY :: 238;
    GET_MEMPOLICY :: 239;
    MQ_OPEN :: 240;
    MQ_UNLINK :: 241;
    MQ_TIMEDSEND :: 242;
    MQ_TIMEDRECEIVE :: 243;
    MQ_NOTIFY :: 244;
    MQ_GETSETATTR :: 245;
    KEXEC_LOAD :: 246;
    WAITID :: 247;
    ADD_KEY :: 248;
    REQUEST_KEY :: 249;
    KEYCTL :: 250;
    IOPRIO_SET :: 251;
    IOPRIO_GET :: 252;
    INOTIFY_INIT :: 253;
    INOTIFY_ADD_WATCH :: 254;
    INOTIFY_RM_WATCH :: 255;
    MIGRATE_PAGES :: 256;
    OPENAT :: 257;
    MKDIRAT :: 258;
    MKNODAT :: 259;
    FCHOWNAT :: 260;
    FUTIMESAT :: 261;
    NEWFSTATAT :: 262;
    UNLINKAT :: 263;
    RENAMEAT :: 264;
    LINKAT :: 265;
    SYMLINKAT :: 266;
    READLINKAT :: 267;
    FCHMODAT :: 268;
    FACCESSAT :: 269;
    PSELECT6 :: 270;
    PPOLL :: 271;
    UNSHARE :: 272;
    SET_ROBUST_LIST :: 273;
    GET_ROBUST_LIST :: 274;
    SPLICE :: 275;
    TEE :: 276;
    SYNC_FILE_RANGE :: 277;
    VMSPLICE :: 278;
    MOVE_PAGES :: 279;
    UTIMENSAT :: 280;
    EPOLL_PWAIT :: 281;
    SIGNALFD :: 282;
    TIMERFD_CREATE :: 283;
    EVENTFD :: 284;
    FALLOCATE :: 285;
    TIMERFD_SETTIME :: 286;
    TIMERFD_GETTIME :: 287;
    ACCEPT4 :: 288;
    SIGNALFD4 :: 289;
    EVENTFD2 :: 290;
    EPOLL_CREATE1 :: 291;
    DUP3 :: 292;
    PIPE2 :: 293;
    INOTIFY_INIT1 :: 294;
    PREADV :: 295;
    PWRITEV :: 296;
    RT_TGSIGQUEUEINFO :: 297;
    PERF_EVENT_OPEN :: 298;
    RECVMMSG :: 299;
    FANOTIFY_INIT :: 300;
    FANOTIFY_MARK :: 301;
    PRLIMIT64 :: 302;
    NAME_TO_HANDLE_AT :: 303;
    OPEN_BY_HANDLE_AT :: 304;
    CLOCK_ADJTIME :: 305;
    SYNCFS :: 306;
    SENDMMSG :: 307;
    SETNS :: 308;
    GETCPU :: 309;
    PROCESS_VM_READV :: 310;
    PROCESS_VM_WRITEV :: 311;
    KCMP :: 312;
    FINIT_MODULE :: 313;
    SCHED_SETATTR :: 314;
    SCHED_GETATTR :: 315;
    RENAMEAT2 :: 316;
    SECCOMP :: 317;
    GETRANDOM :: 318;
    MEMFD_CREATE :: 319;
    KEXEC_FILE_LOAD :: 320;
    BPF :: 321;
    EXECVEAT :: 322;
    USERFAULTFD :: 323;
    MEMBARRIER :: 324;
    MLOCK2 :: 325;
    COPY_FILE_RANGE :: 326;
    PREADV2 :: 327;
    PWRITEV2 :: 328;
    PKEY_MPROTECT :: 329;
    PKEY_ALLOC :: 330;
    PKEY_FREE :: 331;
    STATX :: 332;
    IO_PGETEVENTS :: 333;
    RSEQ :: 334;
    URETPROBE :: 335;
    UPROBE :: 336;
    // 337..423 are unassigned on x86_64; numbering resumes at the unified 424.
    PIDFD_SEND_SIGNAL :: 424;
    IO_URING_SETUP :: 425;
    IO_URING_ENTER :: 426;
    IO_URING_REGISTER :: 427;
    OPEN_TREE :: 428;
    MOVE_MOUNT :: 429;
    FSOPEN :: 430;
    FSCONFIG :: 431;
    FSMOUNT :: 432;
    FSPICK :: 433;
    PIDFD_OPEN :: 434;
    CLONE3 :: 435;
    CLOSE_RANGE :: 436;
    OPENAT2 :: 437;
    PIDFD_GETFD :: 438;
    FACCESSAT2 :: 439;
    PROCESS_MADVISE :: 440;
    EPOLL_PWAIT2 :: 441;
    MOUNT_SETATTR :: 442;
    QUOTACTL_FD :: 443;
    LANDLOCK_CREATE_RULESET :: 444;
    LANDLOCK_ADD_RULE :: 445;
    LANDLOCK_RESTRICT_SELF :: 446;
    MEMFD_SECRET :: 447;
    PROCESS_MRELEASE :: 448;
    FUTEX_WAITV :: 449;
    SET_MEMPOLICY_HOME_NODE :: 450;
    CACHESTAT :: 451;
    FCHMODAT2 :: 452;
    MAP_SHADOW_STACK :: 453;
    FUTEX_WAKE :: 454;
    FUTEX_WAIT :: 455;
    FUTEX_REQUEUE :: 456;
    STATMOUNT :: 457;
    LISTMOUNT :: 458;
    LSM_GET_SELF_ATTR :: 459;
    LSM_SET_SELF_ATTR :: 460;
    LSM_LIST_MODULES :: 461;
    MSEAL :: 462;
    SETXATTRAT :: 463;
    GETXATTRAT :: 464;
    LISTXATTRAT :: 465;
    REMOVEXATTRAT :: 466;
    OPEN_TREE_ATTR :: 467;
    FILE_GETATTR :: 468;
    FILE_SETATTR :: 469;
    LISTNS :: 470;
}
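/** Creates a new libseccomp filter context whose default action is `action`.

    The default action is applied to every syscall that no rule added with
    seccomp_rule_add matches, so it is the enforcement baseline of the sandbox
    (see Scmp_Action for why KILL_PROCESS is the safer choice).

    Returns the opaque `scmp_filter_ctx`. Per seccomp_init(3) it is null on
    failure; callers MUST check for that, because handing a null ctx on to
    seccomp_rule_add/seccomp_load means no filter ever gets installed and the
    process silently runs unconfined. Free it with seccomp_release after
    seccomp_load.

    The assert mirrors the compile-time #assert at the top of the file. CPU and
    OS are compile-time constants, so it can only ever fire if that check is
    removed; it is kept as belt-and-braces for the syscall table.
*/
seccomp_init :: inline (action: Scmp_Action) -> ctx: *void {
    assert(CPU == .X64 && OS == .LINUX, "System is NOT x64 Linux!");  // message typo fixed ("ist")
    return init(action);
}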
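/** Adds a rule that applies `action` to every invocation of `syscall`,
    regardless of its arguments (arg_count 0, no comparisons).

    Returns `ok` == true only when libseccomp reported success. Per
    seccomp_rule_add(3) the C call returns 0 on success and a negative errno
    on failure (e.g. -EEXIST for a duplicate rule, -EINVAL for a bad ctx or
    action). The previous `cast(bool)` turned every non-zero — i.e. failing —
    return into `true`, so `ok` was inverted and a caller checking it would
    treat a rule that was NOT installed as installed. Compare against 0 instead.
*/
seccomp_rule_add :: inline (
    ctx: *void,
    action: Scmp_Action,
    syscall: Scmp_Syscall_x64
)
    -> ok: bool
{
    // 0 == success; anything else is -errno.
    return rule_add(ctx, action, syscall, 0, null) == 0;
}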
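/** Adds a rule for `syscall` that is meant to be conditioned on the argument
    comparisons in `args`.

    Returns `ok` == true only when libseccomp reported success: per
    seccomp_rule_add(3) the C call returns 0 on success and a negative errno
    on failure. The previous `cast(bool)` mapped every non-zero (failing)
    return to `true`, inverting `ok`; compare against 0 instead.

    NOTE(review): the argument path is almost certainly not usable as written.
    seccomp.h declares `seccomp_rule_add(ctx, action, syscall, arg_cnt, ...)`
    and the library reads `arg_cnt` `struct scmp_arg_cmp` values *by value*
    from its varargs, whereas the file-scope `rule_add` binding has a single
    fixed `*void` parameter — and what is passed here is `*args`, a pointer
    to the Jai array view, not even to its elements. Until the binding is
    reworked (libseccomp's non-variadic seccomp_rule_add_array, which takes a
    pointer to an scmp_arg_cmp array, is the natural target), only
    args.count == 0 is well defined — TODO confirm against seccomp.h before
    relying on argument filtering.
*/
seccomp_rule_add :: inline (
    ctx: *void,
    action: Scmp_Action,
    syscall: Scmp_Syscall_x64,
    args: ..*void
)
    -> ok: bool
{
    // 0 == success; anything else is -errno. See the note above about `args`.
    return rule_add(ctx, action, syscall, args.count, *args) == 0;
}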
/** Jai counterpart of libseccomp's SCMP_ACT_ERRNO(x) macro: an action that
    makes the syscall fail with `error_code` instead of executing it.

    `error_code` is the positive errno value (EPERM, not -EPERM). Only its low
    16 bits are kept — anything larger is silently truncated by the mask, so
    pass real errno constants. The result is a plain int; cast it to
    Scmp_Action before handing it to seccomp_init or seccomp_rule_add.

    Still guarded by an unconditional assert: the path has not been exercised.
*/
SCMP_ACT_ERRNO :: (error_code: int) -> int {
    assert(false, "NOT TESTED YET");
    // SECCOMP_RET_ERRNO | (errno & SECCOMP_RET_DATA)
    payload := error_code & 0x0000ffff;
    return 0x00050000 | payload;
}
/** Jai counterpart of libseccomp's SCMP_ACT_TRACE(x) macro: an action that
    hands the syscall to an attached ptrace tracer.

    Despite the parameter name, libseccomp documents the argument as a
    16-bit message number made available to the tracer (PTRACE_GETEVENTMSG),
    not a pid. Only the low 16 bits are kept by the mask. The result is a
    plain int; cast it to Scmp_Action before passing it to seccomp_init or
    seccomp_rule_add. Note that without a tracer attached, the kernel treats
    a TRACE action like ERRNO(ENOSYS) — verify that is acceptable for the
    sandbox.

    Still guarded by an unconditional assert: the path has not been exercised.
*/
SCMP_ACT_TRACE :: (process: int) -> int {
    assert(false, "NOT TESTED YET");
    // SECCOMP_RET_TRACE | (msg_num & SECCOMP_RET_DATA)
    payload := process & 0x0000ffff;
    return 0x7ff00000 | payload;
}
// Installs the filter held by `ctx` into the kernel. Per seccomp_load(3) it
// returns 0 on success and a negative errno on failure — CHECK IT: a failed
// load leaves the process completely unfiltered. Once loaded, a filter is
// permanent for the process and is inherited across fork/execve. By default
// only the calling thread is filtered; set SCMP_FLTATR_CTL_TSYNC on the ctx
// (seccomp_attr_set(3)) or load before spawning threads, otherwise other
// threads keep running unconfined.
seccomp_load :: (ctx: *void) -> int #foreign SCMP;
// Frees the user-space ctx only; it does not (and cannot) remove a filter
// that seccomp_load already installed.
seccomp_release :: (ctx: *void) -> void #foreign SCMP;
#scope_file

// Link against the system libseccomp (libseccomp.so). The raw bindings below
// stay file-private; the wrappers above are the intended entry points.
SCMP :: #library,system,no_dll "seccomp";

// scmp_filter_ctx seccomp_init(uint32_t def_action); — NULL on failure.
init :: (action: Scmp_Action) -> ctx: *void #foreign SCMP "seccomp_init";

// int seccomp_rule_add(scmp_filter_ctx ctx, uint32_t action, int syscall,
//                      unsigned int arg_cnt, ...);
// Returns 0 on success, negative errno on failure.
// NOTE(review): the C function is variadic and consumes `arg_cnt` values of
// `struct scmp_arg_cmp` (by value) from its va_list. The fixed `args: *void`
// slot below does not model that, so only calls with arg_count == 0 are well
// defined; argument filtering needs either a proper C-varargs declaration or
// a binding to the non-variadic seccomp_rule_add_array — TODO confirm against
// seccomp.h.
rule_add :: (
    ctx: *void, action: Scmp_Action, syscall: Scmp_Syscall_x64, arg_count: int, args: *void
) -> int #foreign SCMP "seccomp_rule_add";