1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #ifndef SANDBOX_LINUX_BPF_DSL_SECCOMP_MACROS_H_
6 #define SANDBOX_LINUX_BPF_DSL_SECCOMP_MACROS_H_
8 #include <sys/types.h> // For __BIONIC__.
9 // Old Bionic versions do not have sys/user.h. The if can be removed once we no
10 // longer need to support these old Bionic versions.
11 // All x86_64 builds use a new enough bionic to have sys/user.h.
12 #if !defined(__BIONIC__) || defined(__x86_64__)
13 #if !defined(__native_client_nonsfi__)
14 #include <sys/user.h>
15 #endif
16 #if defined(__mips__)
17 // sys/user.h in eglibc misses size_t definition
18 #include <stddef.h>
19 #endif
20 #endif
22 #include "sandbox/linux/system_headers/linux_seccomp.h" // For AUDIT_ARCH_*
24 // Impose some reasonable maximum BPF program size. Realistically, the
25 // kernel probably has much lower limits. But by limiting to less than
26 // 30 bits, we can ease requirements on some of our data types.
// This bound exists for the benefit of this library's own data types; it is
// not the limit the kernel applies. Linux refuses to install a classic BPF
// filter longer than BPF_MAXINSNS instructions, so a program can stay under
// this value and still be rejected at install time.
// NOTE(review): the value is exactly 1<<30, which itself needs 31 bits to
// represent; "less than 30 bits" only holds if callers compare with < rather
// than <= -- confirm at the use sites.
27 #define SECCOMP_MAX_PROGRAM_SIZE (1<<30)
29 #if defined(__i386__)
// i386 branch: maps the ABI-neutral SECCOMP_* names onto 32-bit x86 registers,
// onto byte offsets inside struct arch_seccomp_data, and onto regs_struct
// fields.
//
// SECCOMP_ARCH is the audit architecture token for this ABI. It is presumably
// compared against the word at SECCOMP_ARCH_IDX before the syscall number is
// interpreted -- confirm in the policy generator; syscall numbers are only
// meaningful relative to the architecture they were issued under.
30 #define SECCOMP_ARCH AUDIT_ARCH_I386
// Accessors into a ucontext-style register file (uc_mcontext.gregs). Each one
// expands to an lvalue, so it can be read or assigned. _ctx must be a pointer.
32 #define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.gregs[(_reg)])
// RESULT and SYSCALL both name EAX: storing a result through SECCOMP_RESULT
// overwrites the syscall number held in the same register.
33 #define SECCOMP_RESULT(_ctx) SECCOMP_REG(_ctx, REG_EAX)
34 #define SECCOMP_SYSCALL(_ctx) SECCOMP_REG(_ctx, REG_EAX)
35 #define SECCOMP_IP(_ctx) SECCOMP_REG(_ctx, REG_EIP)
// Syscall arguments 1-6 in EBX, ECX, EDX, ESI, EDI, EBP.
36 #define SECCOMP_PARM1(_ctx) SECCOMP_REG(_ctx, REG_EBX)
37 #define SECCOMP_PARM2(_ctx) SECCOMP_REG(_ctx, REG_ECX)
38 #define SECCOMP_PARM3(_ctx) SECCOMP_REG(_ctx, REG_EDX)
39 #define SECCOMP_PARM4(_ctx) SECCOMP_REG(_ctx, REG_ESI)
40 #define SECCOMP_PARM5(_ctx) SECCOMP_REG(_ctx, REG_EDI)
41 #define SECCOMP_PARM6(_ctx) SECCOMP_REG(_ctx, REG_EBP)
// Byte offsets into struct arch_seccomp_data (declared in linux_seccomp.h, not
// shown here). The "+ 4" / "+ 0" pairs select the upper / lower 32-bit word of
// a field and are only correct for a little-endian layout. In the ARG macros
// `nr` is the argument index (slots are 8 bytes apart), not a syscall number,
// and it is not range-checked here.
// NOTE(review): a rule that tests only the LSB word of an argument leaves the
// upper 32 bits unconstrained -- confirm callers also test the MSB word.
42 #define SECCOMP_NR_IDX (offsetof(struct arch_seccomp_data, nr))
43 #define SECCOMP_ARCH_IDX (offsetof(struct arch_seccomp_data, arch))
44 #define SECCOMP_IP_MSB_IDX (offsetof(struct arch_seccomp_data, \
45 instruction_pointer) + 4)
46 #define SECCOMP_IP_LSB_IDX (offsetof(struct arch_seccomp_data, \
47 instruction_pointer) + 0)
48 #define SECCOMP_ARG_MSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
49 8*(nr) + 4)
50 #define SECCOMP_ARG_LSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
51 8*(nr) + 0)
54 #if defined(__BIONIC__) || defined(__native_client_nonsfi__)
55 // Old Bionic versions and PNaCl toolchain don't have sys/user.h, so we just
56 // define regs_struct directly. This can be removed once we no longer need to
57 // support these old Bionic versions and PNaCl toolchain.
// The SECCOMP_PT_* macros below reach these fields by name, so this local
// definition and user_regs_struct must agree on the names they use.
// NOTE(review): the field order presumably mirrors user_regs_struct from
// sys/user.h; a mismatch would make the accessors read the wrong register --
// confirm against the system header.
58 struct regs_struct {
59 long int ebx;
60 long int ecx;
61 long int edx;
62 long int esi;
63 long int edi;
64 long int ebp;
65 long int eax;
66 long int xds;
67 long int xes;
68 long int xfs;
69 long int xgs;
70 long int orig_eax;
71 long int eip;
72 long int xcs;
73 long int eflags;
74 long int esp;
75 long int xss;
// NOTE(review): the closing "};" of this struct is not shown in this listing.
77 #else
78 typedef user_regs_struct regs_struct;
79 #endif
// Accessors for a regs_struct object (note the `.`: these take an object, not
// a pointer). Unlike SECCOMP_SYSCALL/SECCOMP_RESULT, which share EAX, SYSCALL
// here reads orig_eax and RESULT reads eax, so the two do not alias.
81 #define SECCOMP_PT_RESULT(_regs) (_regs).eax
82 #define SECCOMP_PT_SYSCALL(_regs) (_regs).orig_eax
83 #define SECCOMP_PT_IP(_regs) (_regs).eip
84 #define SECCOMP_PT_PARM1(_regs) (_regs).ebx
85 #define SECCOMP_PT_PARM2(_regs) (_regs).ecx
86 #define SECCOMP_PT_PARM3(_regs) (_regs).edx
87 #define SECCOMP_PT_PARM4(_regs) (_regs).esi
88 #define SECCOMP_PT_PARM5(_regs) (_regs).edi
89 #define SECCOMP_PT_PARM6(_regs) (_regs).ebp
91 #elif defined(__x86_64__)
// x86_64 branch: maps the ABI-neutral SECCOMP_* names onto 64-bit x86
// registers, onto byte offsets inside struct arch_seccomp_data, and onto
// user_regs_struct fields.
//
// SECCOMP_ARCH is the audit architecture token for this ABI, presumably
// compared against the word at SECCOMP_ARCH_IDX -- confirm in the policy
// generator.
// NOTE(review): x32 syscalls are reported with the same AUDIT_ARCH_X86_64
// value and are distinguished only by __X32_SYSCALL_BIT in the syscall number,
// so an architecture check alone does not exclude them -- confirm the policy
// also constrains the syscall-number range.
92 #define SECCOMP_ARCH AUDIT_ARCH_X86_64
// Accessors into a ucontext-style register file (uc_mcontext.gregs). Each one
// expands to an lvalue. _ctx must be a pointer.
94 #define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.gregs[(_reg)])
// RESULT and SYSCALL both name RAX: storing a result overwrites the syscall
// number held in the same register.
95 #define SECCOMP_RESULT(_ctx) SECCOMP_REG(_ctx, REG_RAX)
96 #define SECCOMP_SYSCALL(_ctx) SECCOMP_REG(_ctx, REG_RAX)
97 #define SECCOMP_IP(_ctx) SECCOMP_REG(_ctx, REG_RIP)
// Syscall arguments 1-6 in RDI, RSI, RDX, R10, R8, R9. The fourth argument is
// R10 rather than RCX, which is where the kernel syscall convention differs
// from the user-space function-call convention.
98 #define SECCOMP_PARM1(_ctx) SECCOMP_REG(_ctx, REG_RDI)
99 #define SECCOMP_PARM2(_ctx) SECCOMP_REG(_ctx, REG_RSI)
100 #define SECCOMP_PARM3(_ctx) SECCOMP_REG(_ctx, REG_RDX)
101 #define SECCOMP_PARM4(_ctx) SECCOMP_REG(_ctx, REG_R10)
102 #define SECCOMP_PARM5(_ctx) SECCOMP_REG(_ctx, REG_R8)
103 #define SECCOMP_PARM6(_ctx) SECCOMP_REG(_ctx, REG_R9)
// Byte offsets into struct arch_seccomp_data (declared in linux_seccomp.h, not
// shown here). The "+ 4" / "+ 0" pairs select the upper / lower 32-bit word of
// a field and are only correct for a little-endian layout. In the ARG macros
// `nr` is the argument index (slots are 8 bytes apart), not a syscall number,
// and it is not range-checked here.
// NOTE(review): on this 64-bit ABI both words of an argument carry data; a
// rule that tests only the LSB word leaves the upper 32 bits unconstrained --
// confirm callers also test the MSB word.
104 #define SECCOMP_NR_IDX (offsetof(struct arch_seccomp_data, nr))
105 #define SECCOMP_ARCH_IDX (offsetof(struct arch_seccomp_data, arch))
106 #define SECCOMP_IP_MSB_IDX (offsetof(struct arch_seccomp_data, \
107 instruction_pointer) + 4)
108 #define SECCOMP_IP_LSB_IDX (offsetof(struct arch_seccomp_data, \
109 instruction_pointer) + 0)
110 #define SECCOMP_ARG_MSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
111 8*(nr) + 4)
112 #define SECCOMP_ARG_LSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
113 8*(nr) + 0)
// No local fallback struct on this architecture: the include logic at the top
// of the file states that all x86_64 builds have sys/user.h.
115 typedef user_regs_struct regs_struct;
// Accessors for a regs_struct object (note the `.`: these take an object, not
// a pointer). SYSCALL reads orig_rax and RESULT reads rax, so the two do not
// alias the way SECCOMP_SYSCALL/SECCOMP_RESULT do.
116 #define SECCOMP_PT_RESULT(_regs) (_regs).rax
117 #define SECCOMP_PT_SYSCALL(_regs) (_regs).orig_rax
118 #define SECCOMP_PT_IP(_regs) (_regs).rip
119 #define SECCOMP_PT_PARM1(_regs) (_regs).rdi
120 #define SECCOMP_PT_PARM2(_regs) (_regs).rsi
121 #define SECCOMP_PT_PARM3(_regs) (_regs).rdx
122 #define SECCOMP_PT_PARM4(_regs) (_regs).r10
123 #define SECCOMP_PT_PARM5(_regs) (_regs).r8
124 #define SECCOMP_PT_PARM6(_regs) (_regs).r9
126 #elif defined(__arm__) && (defined(__thumb__) || defined(__ARM_EABI__))
// 32-bit ARM branch: maps the ABI-neutral SECCOMP_* names onto ARM registers,
// onto byte offsets inside struct arch_seccomp_data, and onto regs_struct
// slots.
//
// SECCOMP_ARCH is the audit architecture token for this ABI, presumably
// compared against the word at SECCOMP_ARCH_IDX -- confirm in the policy
// generator.
127 #define SECCOMP_ARCH AUDIT_ARCH_ARM
129 // ARM sigcontext_t is different from i386/x86_64.
130 // See </arch/arm/include/asm/sigcontext.h> in the Linux kernel.
// The register is selected by token pasting (arm_##_reg), so _reg must be a
// bare register name such as r0 or pc, never an expression or an index.
131 #define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.arm_##_reg)
132 // ARM EABI syscall convention.
// The syscall number is in r7; RESULT and PARM1 both name r0, so storing a
// result overwrites the first argument.
133 #define SECCOMP_RESULT(_ctx) SECCOMP_REG(_ctx, r0)
134 #define SECCOMP_SYSCALL(_ctx) SECCOMP_REG(_ctx, r7)
135 #define SECCOMP_IP(_ctx) SECCOMP_REG(_ctx, pc)
136 #define SECCOMP_PARM1(_ctx) SECCOMP_REG(_ctx, r0)
137 #define SECCOMP_PARM2(_ctx) SECCOMP_REG(_ctx, r1)
138 #define SECCOMP_PARM3(_ctx) SECCOMP_REG(_ctx, r2)
139 #define SECCOMP_PARM4(_ctx) SECCOMP_REG(_ctx, r3)
140 #define SECCOMP_PARM5(_ctx) SECCOMP_REG(_ctx, r4)
141 #define SECCOMP_PARM6(_ctx) SECCOMP_REG(_ctx, r5)
// Byte offsets into struct arch_seccomp_data (declared in linux_seccomp.h, not
// shown here). The "+ 4" / "+ 0" pairs select the upper / lower 32-bit word of
// a field and are only correct for a little-endian layout. In the ARG macros
// `nr` is the argument index (slots are 8 bytes apart), not a syscall number,
// and it is not range-checked here.
// NOTE(review): a rule that tests only the LSB word of an argument leaves the
// upper 32 bits unconstrained -- confirm callers also test the MSB word.
142 #define SECCOMP_NR_IDX (offsetof(struct arch_seccomp_data, nr))
143 #define SECCOMP_ARCH_IDX (offsetof(struct arch_seccomp_data, arch))
144 #define SECCOMP_IP_MSB_IDX (offsetof(struct arch_seccomp_data, \
145 instruction_pointer) + 4)
146 #define SECCOMP_IP_LSB_IDX (offsetof(struct arch_seccomp_data, \
147 instruction_pointer) + 0)
148 #define SECCOMP_ARG_MSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
149 8*(nr) + 4)
150 #define SECCOMP_ARG_LSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
151 8*(nr) + 0)
153 #if defined(__BIONIC__) || defined(__native_client_nonsfi__)
154 // Old Bionic versions and PNaCl toolchain don't have sys/user.h, so we just
155 // define regs_struct directly. This can be removed once we no longer need to
156 // support these old Bionic versions and PNaCl toolchain.
// NOTE(review): the 18-slot uregs array presumably mirrors user_regs from
// sys/user.h, which the #else branch uses -- confirm against the system header.
157 struct regs_struct {
158 unsigned long uregs[18];
// NOTE(review): the closing "};" of this struct is not shown in this listing.
160 #else
161 typedef user_regs regs_struct;
162 #endif
// Member-access shorthands: each REG_x expands to a uregs[] subscript, so
// (_regs).REG_r0 becomes (_regs).uregs[0]. They are plain object-like macros
// and therefore rewrite any identifier of the same name in files that include
// this header.
164 #define REG_cpsr uregs[16]
165 #define REG_pc uregs[15]
166 #define REG_lr uregs[14]
167 #define REG_sp uregs[13]
168 #define REG_ip uregs[12]
169 #define REG_fp uregs[11]
170 #define REG_r10 uregs[10]
171 #define REG_r9 uregs[9]
172 #define REG_r8 uregs[8]
173 #define REG_r7 uregs[7]
174 #define REG_r6 uregs[6]
175 #define REG_r5 uregs[5]
176 #define REG_r4 uregs[4]
177 #define REG_r3 uregs[3]
178 #define REG_r2 uregs[2]
179 #define REG_r1 uregs[1]
180 #define REG_r0 uregs[0]
181 #define REG_ORIG_r0 uregs[17]
// Accessors for a regs_struct object (note the `.`: these take an object, not
// a pointer). RESULT and PARM1 both read REG_r0; REG_ORIG_r0 is defined above
// but none of the accessors in this header use it.
// NOTE(review): if r0 has already been replaced by the return value,
// SECCOMP_PT_PARM1 no longer yields the original first argument -- confirm
// callers read it at the right stop.
183 #define SECCOMP_PT_RESULT(_regs) (_regs).REG_r0
184 #define SECCOMP_PT_SYSCALL(_regs) (_regs).REG_r7
185 #define SECCOMP_PT_IP(_regs) (_regs).REG_pc
186 #define SECCOMP_PT_PARM1(_regs) (_regs).REG_r0
187 #define SECCOMP_PT_PARM2(_regs) (_regs).REG_r1
188 #define SECCOMP_PT_PARM3(_regs) (_regs).REG_r2
189 #define SECCOMP_PT_PARM4(_regs) (_regs).REG_r3
190 #define SECCOMP_PT_PARM5(_regs) (_regs).REG_r4
191 #define SECCOMP_PT_PARM6(_regs) (_regs).REG_r5
193 #elif defined(__mips__) && (_MIPS_SIM == _MIPS_SIM_ABI32)
// MIPS o32 branch: maps the ABI-neutral SECCOMP_* names onto MIPS registers,
// onto stack slots for arguments 5-8, onto byte offsets inside struct
// arch_seccomp_data, and onto a locally defined regs_struct.
//
// NOTE(review): the guard above does not test endianness, yet this branch
// hard-codes AUDIT_ARCH_MIPSEL and little-endian word offsets; a big-endian
// o32 build would select it too -- confirm such targets are excluded elsewhere.
194 #define SECCOMP_ARCH AUDIT_ARCH_MIPSEL
// Signals to the rest of the code that SECCOMP_PARM7 and SECCOMP_PARM8 exist
// on this architecture.
195 #define SYSCALL_EIGHT_ARGS
196 // MIPS sigcontext_t is different from i386/x86_64 and ARM.
197 // See </arch/mips/include/uapi/asm/sigcontext.h> in the Linux kernel.
// Registers are selected by number here (2 = v0, 4-7 = a0-a3, matching the
// REG_* definitions further down).
198 #define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.gregs[_reg])
199 // Based on MIPS o32 ABI syscall convention.
200 // On MIPS, when an indirect syscall is being made (syscall(__NR_foo)),
201 // the real syscall number (__NR_foo) is not in v0, but in a0.
// NOTE(review): SECCOMP_SYSCALL reads v0 only. For the indirect case described
// above, the number of interest is in a0 (SECCOMP_PARM1) and the real
// arguments are shifted by one -- confirm that callers account for this.
202 #define SECCOMP_RESULT(_ctx) SECCOMP_REG(_ctx, 2)
203 #define SECCOMP_SYSCALL(_ctx) SECCOMP_REG(_ctx, 2)
204 #define SECCOMP_IP(_ctx) (_ctx)->uc_mcontext.pc
205 #define SECCOMP_PARM1(_ctx) SECCOMP_REG(_ctx, 4)
206 #define SECCOMP_PARM2(_ctx) SECCOMP_REG(_ctx, 5)
207 #define SECCOMP_PARM3(_ctx) SECCOMP_REG(_ctx, 6)
208 #define SECCOMP_PARM4(_ctx) SECCOMP_REG(_ctx, 7)
209 // Only the first 4 arguments of syscall are in registers.
210 // The rest are on the stack.
// SECCOMP_STACKPARM casts the saved value of register 29 to long* and indexes
// it, so PARM5-PARM8 are memory reads through a pointer taken from the
// context, not register reads.
// NOTE(review): both that pointer and the memory behind it belong to the code
// that issued the syscall. The pointer may be invalid, and the slot can be
// rewritten by another thread between two reads. Treat these values as
// untrusted and read each one once -- confirm the callers do so.
211 #define SECCOMP_STACKPARM(_ctx, n) (((long *)SECCOMP_REG(_ctx, 29))[(n)])
212 #define SECCOMP_PARM5(_ctx) SECCOMP_STACKPARM(_ctx, 4)
213 #define SECCOMP_PARM6(_ctx) SECCOMP_STACKPARM(_ctx, 5)
214 #define SECCOMP_PARM7(_ctx) SECCOMP_STACKPARM(_ctx, 6)
215 #define SECCOMP_PARM8(_ctx) SECCOMP_STACKPARM(_ctx, 7)
// Byte offsets into struct arch_seccomp_data (declared in linux_seccomp.h, not
// shown here). The "+ 4" / "+ 0" pairs select the upper / lower 32-bit word of
// a field and are only correct for a little-endian layout. In the ARG macros
// `nr` is the argument index (slots are 8 bytes apart), not a syscall number,
// and it is not range-checked here.
// NOTE(review): a rule that tests only the LSB word of an argument leaves the
// upper 32 bits unconstrained -- confirm callers also test the MSB word.
216 #define SECCOMP_NR_IDX (offsetof(struct arch_seccomp_data, nr))
217 #define SECCOMP_ARCH_IDX (offsetof(struct arch_seccomp_data, arch))
218 #define SECCOMP_IP_MSB_IDX (offsetof(struct arch_seccomp_data, \
219 instruction_pointer) + 4)
220 #define SECCOMP_IP_LSB_IDX (offsetof(struct arch_seccomp_data, \
221 instruction_pointer) + 0)
222 #define SECCOMP_ARG_MSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
223 8*(nr) + 4)
224 #define SECCOMP_ARG_LSB_IDX(nr) (offsetof(struct arch_seccomp_data, args) + \
225 8*(nr) + 0)
227 // On Mips we don't have structures like user_regs or user_regs_struct in
228 // sys/user.h that we could use, so we just define regs_struct directly.
229 struct regs_struct {
230 unsigned long long regs[32];
// NOTE(review): the closing "};" of this struct is not shown in this listing.
// Member-access shorthands: each REG_x expands to a regs[] subscript, so
// (_regs).REG_v0 becomes (_regs).regs[2].
233 #define REG_a3 regs[7]
234 #define REG_a2 regs[6]
235 #define REG_a1 regs[5]
236 #define REG_a0 regs[4]
237 #define REG_v1 regs[3]
238 #define REG_v0 regs[2]
// Accessors for a regs_struct object (note the `.`: these take an object, not
// a pointer). Only RESULT, SYSCALL and PARM1-4 are provided on this
// architecture; there is no SECCOMP_PT_IP, SECCOMP_PT_PARM5 or
// SECCOMP_PT_PARM6 here, so code using those will not compile for MIPS.
// RESULT and SYSCALL both read REG_v0.
240 #define SECCOMP_PT_RESULT(_regs) (_regs).REG_v0
241 #define SECCOMP_PT_SYSCALL(_regs) (_regs).REG_v0
242 #define SECCOMP_PT_PARM1(_regs) (_regs).REG_a0
243 #define SECCOMP_PT_PARM2(_regs) (_regs).REG_a1
244 #define SECCOMP_PT_PARM3(_regs) (_regs).REG_a2
245 #define SECCOMP_PT_PARM4(_regs) (_regs).REG_a3
247 #elif defined(__aarch64__)
// AArch64 branch: maps the ABI-neutral SECCOMP_* names onto 64-bit ARM
// registers, onto byte offsets inside struct arch_seccomp_data, and onto a
// locally defined regs_struct.
//
// regs_struct is defined here unconditionally; no system type is used on this
// architecture.
// NOTE(review): the layout (31 general registers, then sp, pc, pstate)
// presumably mirrors the kernel's user_pt_regs -- confirm against the kernel
// header.
248 struct regs_struct {
249 unsigned long long regs[31];
250 unsigned long long sp;
251 unsigned long long pc;
252 unsigned long long pstate;
// NOTE(review): the closing "};" of this struct is not shown in this listing.
// SECCOMP_ARCH is the audit architecture token for this ABI, presumably
// compared against the word at SECCOMP_ARCH_IDX -- confirm in the policy
// generator.
255 #define SECCOMP_ARCH AUDIT_ARCH_AARCH64
// Registers are selected by index into uc_mcontext.regs; the program counter
// is a separate uc_mcontext.pc member. _ctx must be a pointer.
257 #define SECCOMP_REG(_ctx, _reg) ((_ctx)->uc_mcontext.regs[_reg])
// The syscall number is in register 8; RESULT and PARM1 both name register 0,
// so storing a result overwrites the first argument.
259 #define SECCOMP_RESULT(_ctx) SECCOMP_REG(_ctx, 0)
260 #define SECCOMP_SYSCALL(_ctx) SECCOMP_REG(_ctx, 8)
261 #define SECCOMP_IP(_ctx) (_ctx)->uc_mcontext.pc
262 #define SECCOMP_PARM1(_ctx) SECCOMP_REG(_ctx, 0)
263 #define SECCOMP_PARM2(_ctx) SECCOMP_REG(_ctx, 1)
264 #define SECCOMP_PARM3(_ctx) SECCOMP_REG(_ctx, 2)
265 #define SECCOMP_PARM4(_ctx) SECCOMP_REG(_ctx, 3)
266 #define SECCOMP_PARM5(_ctx) SECCOMP_REG(_ctx, 4)
267 #define SECCOMP_PARM6(_ctx) SECCOMP_REG(_ctx, 5)
// Byte offsets into struct arch_seccomp_data (declared in linux_seccomp.h, not
// shown here). The "+ 4" / "+ 0" pairs select the upper / lower 32-bit word of
// a field and are only correct for a little-endian layout. In the ARG macros
// `nr` is the argument index (slots are 8 bytes apart), not a syscall number,
// and it is not range-checked here.
// NOTE(review): on this 64-bit ABI both words of an argument carry data; a
// rule that tests only the LSB word leaves the upper 32 bits unconstrained --
// confirm callers also test the MSB word.
269 #define SECCOMP_NR_IDX (offsetof(struct arch_seccomp_data, nr))
270 #define SECCOMP_ARCH_IDX (offsetof(struct arch_seccomp_data, arch))
271 #define SECCOMP_IP_MSB_IDX \
272 (offsetof(struct arch_seccomp_data, instruction_pointer) + 4)
273 #define SECCOMP_IP_LSB_IDX \
274 (offsetof(struct arch_seccomp_data, instruction_pointer) + 0)
275 #define SECCOMP_ARG_MSB_IDX(nr) \
276 (offsetof(struct arch_seccomp_data, args) + 8 * (nr) + 4)
277 #define SECCOMP_ARG_LSB_IDX(nr) \
278 (offsetof(struct arch_seccomp_data, args) + 8 * (nr) + 0)
// Accessors for a regs_struct object (note the `.`: these take an object, not
// a pointer). RESULT and PARM1 both read regs[0].
// NOTE(review): if regs[0] has already been replaced by the return value,
// SECCOMP_PT_PARM1 no longer yields the original first argument -- confirm
// callers read it at the right stop.
280 #define SECCOMP_PT_RESULT(_regs) (_regs).regs[0]
281 #define SECCOMP_PT_SYSCALL(_regs) (_regs).regs[8]
282 #define SECCOMP_PT_IP(_regs) (_regs).pc
283 #define SECCOMP_PT_PARM1(_regs) (_regs).regs[0]
284 #define SECCOMP_PT_PARM2(_regs) (_regs).regs[1]
285 #define SECCOMP_PT_PARM3(_regs) (_regs).regs[2]
286 #define SECCOMP_PT_PARM4(_regs) (_regs).regs[3]
287 #define SECCOMP_PT_PARM5(_regs) (_regs).regs[4]
288 #define SECCOMP_PT_PARM6(_regs) (_regs).regs[5]
289 #else
// Refuse to build for any other target: without an explicit mapping there is
// no correct SECCOMP_ARCH value or register/offset layout to fall back on.
290 #error Unsupported target platform
292 #endif
294 #endif // SANDBOX_LINUX_BPF_DSL_SECCOMP_MACROS_H_