| * Copyright 2004-2005 Andrea Arcangeli <andrea@cpushare.com> |
| * This defines a simple but solid secure-computing mode. |
| #include <linux/seccomp.h> |
| /* #define SECCOMP_DEBUG 1 */ |
| * Secure computing mode 1 allows only read/write/exit/sigreturn. |
| * To be fully secure this must be combined with rlimit |
| * to limit the stack allocations too. |
| static int mode1_syscalls[] = { |
| __NR_seccomp_read, __NR_seccomp_write, __NR_seccomp_exit, __NR_seccomp_sigreturn, |
| static int mode1_syscalls_32[] = { |
| __NR_seccomp_read_32, __NR_seccomp_write_32, __NR_seccomp_exit_32, __NR_seccomp_sigreturn_32, |
| void __secure_computing(int this_syscall) |
| int mode = current->seccomp.mode; |
| syscall = mode1_syscalls; |
| if (test_thread_flag(TIF_32BIT)) |
| syscall = mode1_syscalls_32; |
| if (*syscall == this_syscall) |