linux/kernel/seccomp.c
/*
 * linux/kernel/seccomp.c
 *
 * Copyright 2004-2005  Andrea Arcangeli <andrea@cpushare.com>
 *
 * Copyright (C) 2012 Google, Inc.
 * Will Drewry <wad@chromium.org>
 *
 * This defines a simple but solid secure-computing facility.
 *
 * Mode 1 uses a fixed list of allowed system calls.
 * Mode 2 allows user-defined system call filters in the form
 *        of Berkeley Packet Filters/Linux Socket Filters.
 */
p 15t/a>
p 16t/a>#include <linux/atvmic.ht/a>>
p 17t/a>#include <linux/audit.ht/a>>
p 18t/a>#include <linux/compat.ht/a>>
p 19t/a>#include <linux/sched.ht/a>>
p 20t/a>#include <linux/seccomp.ht/a>>
p 21t/a>
p 22t/a>tspa  class="comment">/* #define SECCOMP_DEBUG 1 */t/spa  
p 23t/a>
p 24t/a>#ifdefpta href="+code=CONFIG_SECCOMP_FILTER" class="sref">CONFIG_SECCOMP_FILTERt/a>
p 25t/a>#include <asm/syscall.ht/a>>
p 26t/a>#include <linux/filter.ht/a>>
p 27t/a>#include <linux/ptrace.ht/a>>
p 28t/a>#include <linux/security.ht/a>>
p 29t/a>#include <linux/slab.ht/a>>
p 30t/a>#include <linux/tracehook.ht/a>>
p 31t/a>#include <linux/uaccess.ht/a>>
p 32t/a>
/**
 * struct seccomp_filter - container for seccomp BPF programs
 *
 * @usage: reference count to manage the object lifetime.
 *         get/put helpers should be used when accessing an instance
 *         outside of a lifetime-guarded section.  In general, this
 *         is only needed for handling filters shared across tasks.
 * @prev: points to a previously installed, or inherited, filter
 * @len: the number of instructions in the program
 * @insns: the BPF program instructions to evaluate
 *
 * seccomp_filter objects are organized in a tree linked via the @prev
 * pointer.  For any task, it appears to be a singly-linked list starting
 * with current->seccomp.filter, the most recently attached or inherited filter.
 * However, multiple filters may share a @prev node, by way of fork(), which
 * results in a unidirectional tree existing in memory.  This is similar to
 * how namespaces work.
 *
 * seccomp_filter objects should never be modified after being attached
 * to a task_struct (other than @usage).
 */
struct seccomp_filter {
        atomic_t usage;
        struct seccomp_filter *prev;
        unsigned short len;  /* Instruction count */
        /* Flexible array member: the instructions live in the same allocation. */
        struct sock_filter insns[];
};
p 60t/a>
/*
 * Limit any path through the tree to 256KB worth of instructions.
 * (1 << 18) is the byte budget; dividing by the size of one instruction
 * turns it into an instruction count.
 */
#define MAX_INSNS_PER_PATH ((1 << 18) / sizeof(struct sock_filter))
p 63t/a>
/**
 * get_u32 - pick one 32-bit half out of a 64-bit value
 * @data: an unsigned 64 bit value
 * @index: 0 or 1 to select the first or second 32 bits, in memory order
 *
 * Lets callers ignore the width of unsigned long.  A 32-bit unsigned long
 * is widened to u64 by the call, leaving the top 32 bits zero; a 64-bit
 * unsigned long is passed through with all of its bits intact.
 *
 * Halves are taken in memory order, so endianness is deliberately not
 * handled here; BPF program authors must account for it per architecture.
 *
 * @index is not range-checked.  Any value other than 0 or 1 reads outside
 * @data, so callers must derive it from an offset that was already
 * validated.
 */
static inline u32 get_u32(u64 data, int index)
{
        /* View the same eight bytes as two u32 slots, in memory order. */
        union {
                u64 whole;
                u32 halves[2];
        } view = { .whole = data };

        return view.halves[index];
}
p 81t/a>
/*
 * Helper for bpf_load below: byte offset of member @_name within
 * struct seccomp_data.
 */
#define BPF_DATA(_name) offsetof(struct seccomp_data, _name)
/**
 * bpf_load: checks and returns a pointer to the requested offset
 * @off: offset into struct seccomp_data to load from
 *
 * Returns the requested 32-bits of data.
 * seccomp_check_filter() should assure that @off is 32-bit aligned
 * and not out of bounds.  Failure to do so is a BUG.
 */
p 92t/a>ta href="+code=u32" class="sref">u32t/a> ta href="+code=seccomp_bpf_load" class="sref">seccomp_bpf_loadt/a>(int ta href="+code=off" class="sref">offt/a>)
p 93t/a>{
p 94t/a>        struct ta href="+code=pt_regs" class="sref">pt_regst/a> *ta href="+code=regs" class="sref">regst/a> = ta href="+code=task_pt_regs" class="sref">task_pt_regst/a>(ta href="+code=current" class="sref">currentt/a>);
p 95t/a>        if (ta href="+code=off" class="sref">offt/a> == ta href="+code=BPF_DATA" class="sref">BPF_DATAt/a>(ta href="+code=nr" class="sref">nrt/a>))
p 96t/a>                return ta href="+code=syscall_get_nr" class="sref">syscall_get_nrt/a>(ta href="+code=current" class="sref">currentt/a>, ta href="+code=regs" class="sref">regst/a>);
p 97t/a>        if (ta href="+code=off" class="sref">offt/a> == ta href="+code=BPF_DATA" class="sref">BPF_DATAt/a>(ta href="+code=arch" class="sref">arch))
p 98t/a>                return ta href="+code=syscall_get_arch" class="sref">syscall_get_archt/a>(ta href="+code=current" class="sref">currentt/a>, ta href="+code=regs" class="sref">regst/a>);
p 99t/a>        if (ta href="+code=off" class="sref">offt/a> >= ta href="+code=BPF_DATA" class="sref">BPF_DATAt/a>(ta href="+code=args" class="sref">argst/a>[0]) && ta href="+code=off" class="sref">offt/a> < ta href="+code=BPF_DATA" class="sref">BPF_DATAt/a>(ta href="+code=args" class="sref">argst/a>[6])) {
p100t/a>                unsigned long ta href="+code=ue=0." class="sref">ue=0.t/a>;
p101t/a>                int ta href="+code=arg" class="sref">argt/a> = (ta href="+code=off" class="sref">offt/a> - ta href="+code=BPF_DATA" class="sref">BPF_DATAt/a>(ta href="+code=args" class="sref">argst/a>[0])) / sizeof(ta href="+code=u64" class="sref">u64t/a>);
p102t/a>                int ta href="+code=index" class="sref">indext/a> = !!(ta href="+code=off" class="sref">offt/a> % sizeof(ta href="+code=u64" class="sref">u64t/a>));
p103t/a>                ta href="+code=syscall_get_arguments" class="sref">syscall_get_argumentsss="sref">currentt/a>, ta href="+code=regs" class="sref">regst/a>);
regst/a>);
argt/a>i2402">p13#L97" i3u23.321321ption>
  
  p 15t/a>
p 99t/a>        if (ta href="+code=off" class="sref">offt/a> == ta href="nt">/* Limi_>tspa  filter" class="sre>/* Limi_>tspa  sref">BPF_DATAt/a>(ta href="+code=10fref">lin0ux/atvmic.ht/a>>
u32t/a> ta hrefKSTK_EIPf="+code=u32" cKSTK_EIP = ta href="+code=task_pt_regs" class="sref">task_pt_r, 0aa>i2402">p13#L97" i3u23.321321p"fref">li0nux/audit.ht/a>>
p 99t/a>        if (ta href="+code=off" class="sref">offt/a> == ta href="nt">/* Limi_>tspa  filter" class="sre>/* Limi_>tspa  sref" +xt/a> = !!(ta href="+codid17L92" class="line" na">BPF_DATAt/a>(ta href="+code=10fref">lin0ux/compat.ht/a>>
u32t/a> ta hrefKSTK_EIPf="+code=u32" cKSTK_EIP = ta href="+code=task_pt_regs" class="sref">task_pt_r, 1aa>i2402">p13#L97" i3u23.321321re-computiing facility.t/spa  
p 89t/make      impossible 82t/a>tspa  class="comment">/* Helper 1pa  class=""comment"> *t/spa  
i2402">p13#L97" i3u23.321321ru64" classystem calls.t/spa  
p 84t/a>tsp1a  class=""comment"> */t/spa  
p 84t/a>tsp1as="line"  nam.17L15">p 15t/a>
p 84t/a>tsp1afref">linnux/atvmic.ht/a>>
tspa  cla* @prev: points to a previously installed1="fref">liinux/audit.ht/a>>
p 68t/a>ts1"fref">linnux/compat.ht/a>>
p 4optine" >secco (by cklin nam.17L) cla class="line" nam.17L68">p 68t/a>ts1="fref">l1inux/sched.ht/a>>
p k_buffa  class="comment"> * get_u32 - returns 1fref">lin1ux/seccomp.ht/a>>
u32t/a> ta hr * T* sesnidirecn>
 al tree existing ialmemor1ss="line"1 nam.17L21">p 21t/a>
tspa  17L8seccoid17tine"  secclathosesa hrsment"> * Mode 1 uses a fixed list of al filtersMP_DEBUG 1 */t/spa  
p 73t/a>ts1ss="line"1 nam.17L23">p 23t/a>
tgalpa  -EINVALp.c#notment"> * Mode 1 uses a fixed list of a  class="G_SECCOMP_FILTERt/a>
tspa  class="comment">/* Helper 1="falt">a1sm/syscall.ht/a>>
u32t/ine" nam.17L_nam.t/a>) ta href="+code=of"line" nam.17L58">p 58t/a>        struct  struct ta href=e" nam.17L58">p 58t/a    struct,d17L100" c17L102" class="linefnam.17L57">p 57t/af>      >BPF_DATAt/a>(ta href="+code=1"fref">li1nux/filter.ht/a>>
(ta href="+code=args" "fref">li1nux/ptrace.ht/a>>
p 94c   unsigned long ta href="+code=ueref">linu1x/security.ht/a>>
p 94c   u = 0) && ta hpc nam.17L94">p 94c   u [0]) && ta hfnam.17L57">p 57t/af>      ) && ta hpc nam.17L94">p 94c   u++F_DATAt/a>(ta href="+code=args" s="fref">1linux/slab.ht/a>>
) ta href="+code=of"line" nam.17L58">p 58t/a>        struct  struct ta href=etesregs" class="sreetesr   u = comp.c#L99ef">regst/e" nam.17L58">p 58t/a    struct32t/a> *)&tapc nam.17L94">p 94c   uf">datat/a>)[ta href="+code=in1ef">linux1/tracehook.ht/a>>
pt_regst/a> *ta etesregs" class="sreetesr   u nam.!!(ta href="+co="+cegs" class="sref (tclef">datat/a>)[ta href="+code=in1es="line"1ux/uaccess.ht/a>>
p 92t/ak17L92" class="lkclef">pt_regst/a> *ta etesregs" class="sreetesr   u nam.!!(ta href="+cok17L92" class="lkclef">datat/a>)[ta href="+code=in1el filters  ialthe formt/spa  
/**t/spa  
a1="comment"> *t/spa  
pt_regst/a> *ta ="srS_ANCta href="LD_Wcode=off" class="srS_ANCta href="LD_Wclef">datat/a>)[ta href="+code=in1efref">li1ect lifetime.t/spa  
 * seccomp class="line" nam.17L90""t/a>tspa  class="comment">/* Helper 1 accessin1g a  instancet/spa  
  " class="sref">MAX_INSNS_PER_Pfsetof" class="sref">offsetoft/a>(struct t) ||m.17L92">p 92t/ak17L92" class="lkclef"t/a>(t3>BPF_DATAt/a>(ta href="+code=1>
 .  In 1general, thist/spa  
p 92t/aEINVAL17L92" class="lEINVALclef">datat/a>)[ta href="+code=in1s shared 1across tasks.t/spa  
datat/a>)[ta href="+code=in1sf">linux1rited, filtert/spa  

 s i1althe programt/spa  
pt_regst/a> *ta ="srS_LD_IMMcode=off" class="srS_LD_IMMclef">datat/a>)[ta href="+code=in1sl filterss to eue=0atet/spa  
p" class="sref">MAX_INSNS_PER_Pfsetof" class="sref">offsetoft/a>(struct t)">datat/a>)[ta href="+code=in1sLinux Sockket Filters.t/spa  
datat/a>)[ta href="+code=in1s  class="vialthe @prevt/spa  
a1list startingt/spa  
pt_regst/a> *ta ="srS_LDX_IMMcode=off" class="srS_LDX_IMMclef">datat/a>)[ta href="+code=in1sfref">li1rited filter.t/spa  
p" class="sref">MAX_INSNS_PER_Pfsetof" class="sref">offsetoft/a>(struct t)">datat/a>)[ta href="+code=in1saccessin1fork(), whichdatat/a>)[ta href="+code=in1s
 .  In 1is similar top eccomp.t/a>tspa="comm4" class="line" nam.17L14">p 14t/a>tspa  shared 1.spaces work.t/spa  
 *t/spa  

 s i1eing attachedt/spa  
 */t/spa  
a1ss="sref">usaget/a>;
li1ass="sref">prevt/a>;

  count */t/spa  
insnst/a>[];
p 59t/a>};
p 60t/a>

 s i1truct>
 s. */t/spa  
sock_filtert/a>))
p 63t/a>
/**t/spa  
p 15t/a>
li1 64 bit ue=0.t/spa  
(ta href="+code=args" saccessin1econd 32-bitst/spa  
 *t/spa  

 s i1ident will bet/spa  
 *t/spa  
linuux/atvmic.ht/a>>
indext/a>)
p 78t/a>{
indext/a>];
p 8opta>}

 s i1 nam.17L81">p 81t/a>
_nam.t/a>)
/**t/spa  
datat/a>)[ta href="+code=in1comp_data1 to load fromt/spa  
(ta href="+code=args" d"fref">linnux/audit.ht/a>>
p 92t/aEINVAL17L92" class="lEINVALclef">datat/a>)[ta href="+code=in1ested 32-1bits of data.t/spa  
 */t/spa  
offt/a>)
p 93t/a>{
p 84t/a>tsp1t" class=1"sref">currentt/a>);
(run_7L47">p -lass="coms a  cclass="cam.17Ls agasre> @      tclass="line" nam.17L84">p 84t/a>tsp1ts="line" lass="sref">nrt/a>))
task12t/a>tspa  class="line" nam.17L84">p 84t/a>tsp1tomp_data1ss="sref">regst/a>);
p 87t/a>ts1arch" cla1ss="sref">arch))
 * Mode 1 uses a fixed list of regs" cla1ss="sref">regst/a>);
tspa  class="comment">/* #deficlass="sr2f">argst/a>[6])) {
p 92t/a>ta hrefrun_7L47">pss="sref">offsetoft/a>(run_7L47">p" na+code=seccomp_bpf_lo      tss="sref">offset     tcl  >BPF_DATAt/a>(ta href="+code=2=0." clas2="sref">ue=0.t/a>;
u64t/a>);
p 56t/a>        struct ta href="+code=seccomps="line" nam.17Lfclef">datat/a>)[ta href="+code=in2u64" clas2="sref">u64t/a>));
p 92t/aid117L92" class="lrer   u = .17L92">p 92t/aa href="RET_+LLOWcode=off" classa href="RET_+LLOWclef">datat/a>)[ta href="+code=in2us="line"   p 14t/a>tsp20s="line"20nam.17L15">p 15t/a>
task_pt_ nam.!!(ta href="+cop 14t/aL56">p 56t/a>        s_pt_.="+code=seccomps" nam.17L58">p 58t/a    struct9t/a>        if (taNULL17L92" class="lNULLcl  >>BPF_DATAt/a>(ta href="+code=2=fref">lin0ux/atvmic.ht/a>>
datat/a>)[ta href="+code=in2ufref">lin0nux/audit.ht/a>>
datat/a>)[ta href="+code=in2uef">linux0ux/compat.ht/a>>
p 14t/a>tsp2re-comput2ing facility.t/spa  
 *a>tsintommere17L9class="line" nam.17L14">p 14t/a>tsp2rref">linuxx/seccomp.ht/a>>
 a way    kes.priority ( 74t/ sec"> *ef">a  class="comment"> * to a task_struc2ru64" cla2system calls.t/spa  
p 14t/a>tsp2ll filter2s ialthe formt/spa  
p 92t/a=k_pt_regs" class="sref">task_pt_ nam.!!(ta href="+cop 14t/aL56">p 56t/a>        s_pt_.="+code=seccomps" nam.17L58">p 58t/a    struct) && ta hf="line" nam.17Lfclef" && ta hf="line" nam.17Lfclef">pt_regst/a> *ta e="line" nam.17Lfclef nam.!!(ta href="+co_filter" class="sref">seccoF_DATAt/a>(ta href="+code=args"2/Linux So2cket Filters.t/spa  
p 92t/af">_id117L92" class="lf">_id1clef">pt_regst/a> *ta sk(run_7L47">L56">p 56t/a>   k(run_7L47">" na+!!(ta href="+coNULL17L92" class="lNULLcl  gs" class="sref">e="line" nam.17Lfclef nam.!!(ta href="+cosock_filter" class="sref">soc)">datat/a>)[ta href="+code=in2a  class=2"comment"> */t/spa  
_id1clef"t/a>(ta href="+code=aa href="RET_+CTIONcode=off" classa href="RET_+CTIONeccoF_[0]) +!!(ta href="+coid117L92" class="lrer   u t/a>(ta href="+code=aa href="RET_+CTIONcode=off" classa href="RET_+CTIONeccoF>BPF_DATAt/a>(ta href="+code=2as="line"2 nam.17L15">p 15t/a>
p 92t/a=k__id117L92" class="lf">_id1clef">datat/a>)[ta href="+code=in2afref">linnux/atvmic.ht/a>>
l2inux/audit.ht/a>>
datat/a>)[ta href="+code=in2aef">linuxnux/compat.ht/a>>
l2inux/sched.ht/a>>
lin2ux/seccomp.ht/a>>
p 84t/a>tsp2ss="line"2 nam.17L21">p 21t/a>
task  class="comment"> * to a task_struc2al filter2MP_DEBUG 1 */t/spa  
:comment"> * Eto a>tspa  class="comment"> * to a task_struc2aLinux So2 nam.17L23">p 23t/a>
 * to a task_struc2a  class=2G_SECCOMP_FILTERt/a>
 * to a task_struc2as="line"2sm/syscall.ht/a>>
p 76t/a>tsp2"fref">li2nux/filter.ht/a>>
p 56t/a>        stcomp_f_am.17L" na+t/a>) ta href="+code=of"linent">L56">p 56t/a>   "linent">a href="+code=seccompsnt">L56">p 56t/a>  ent">a hr>BPF_DATAt/a>(ta href="+code=2"fref">li2nux/ptrace.ht/a>>
linu2x/security.ht/a>>
p 56t/a>        struct ta href="+code=seccomps" nam.17L58">p 58t/a    struct)seccomp.c#L78" id17L78" clas2s="fref">2linux/slab.ht/a>>
p 56t/a>  en_" clclef">pt_regst/a> *ta ent">L56">p 56t/a>  ent">a hr nam.!!(ta href="+conam.17L57">p 57t/a>      1"   class="sref">MAX_INSNS_PER_PATHt/a> ((1 << 18) / sizeof(struct )seccomp.c#L78" id17L78" clas2sref">lin2/tracehook.ht/a>>
pt_regst/a> *ta ent">L56">p 56t/a>  ent">a hr nam.!!(ta href="+conam.17L57">p 57t/a>      )seccomp.c#L78" id17L78" clas2ss="line"2ux/uaccess.ht/a>>
datat/a>)[ta href="+code=in2el filter2  ialthe formt/spa  
/**t/spa  
L56">p 56t/a>  ent">a hr nam.!!(ta href="+conam.17L57">p 57t/a>      1==l0p||m.17L92">p 92t/aent">L56">p 56t/a>  ent">a hr nam.!!(ta href="+conam.17L57">p 57t/a>      1nam.p.c#L83" id17L83" clMAXfine code=off" class="srMAXfine a hr>BPF_DATAt/a>(ta href="+code=2s  class=2 BPF programst/spa  
p 92t/aEINVAL17L92" class="lEINVALclef">datat/a>)[ta href="+code=in2s"falt">a2="comment"> *t/spa  
datat/a>)[ta href="+code=in2sfref">li2ect lifetime.t/spa  
p 58t/a    struct9t .17L92">p 92t/a=k_pt_regs" class="sref">task_pt_ nam.!!(ta href="+cop 14t/aL56">p 56t/a>        s_pt_.="+code=seccomps" nam.17L58">p 58t/a    struct) && ta hf" nam.17L58">p 58t/a    struct) && ta hf" nam.17L58">p 58t/a    struct">pt_regst/a> *ta e" nam.17L58">p 58t/a    struct nam.!!(ta href="+co_filter" class="sref">seccoF>datat/a>)[ta href="+code=in2sfref">li2g a  instancet/spa  
pt_regst/a> *ta e" nam.17L58">p 58t/a    struct nam.!!(ta href="+conam.17L57">p 57t/a>      1+ 4  unsigned short ta href="+c eccomp.t 4ent">/ penalty6" class="line" nam.17L76">p 76t/a>tsp2>
 .  In 2general, thist/spa  
p 62t/a>#define ta href="+codF>datat/a>)[ta href="+code=in2s shared 2across tasks.t/spa  
p 92t/aENOMEMcode=off" classENOMEMclef">datat/a>)[ta href="+code=in2sf">linux2rited, filtert/spa  

 s i2althe programt/spa  
p 14t/a>tsp2sl filter2s to eue=0atet/spa  
 * ask havtclass="line" nam.17L84">p 84t/a>tsp2sLinux So2kket Filters.t/spa  
 * Mode 1 uses a fixed list of2s  class=2vialthe @prevt/spa  
 ent"> * Mode 1 uses a fixed list of2s"falt">a2list startingt/spa  
 * Mode 1 uses a fixed list of2sfref">li2rited filter.t/spa  
p 76t/a>tsp2saccessin2fork(), whichp 92t/a=k_pt_regs" class="sref">task_pt_ nam.!!(ta href="+cono_new_privsegs" class="sreno_new_privs   u t/a>(t/a>(line" nam.17L76">p 76t/a>tsp2s
 .  In 2is similar to=k_pt_r_user_k_filter" class="=k_pt_r_user_k_" na+)gline" nam.17L76">p 76t/a>tsp2  shared 2.spaces work.t/spa  
CAP_SYS_ADMINfilter" class="CAP_SYS_ADMINeccoF_!=l0F>datat/a>)[ta href="+code=in2pa  class2="comment"> *t/spa  
p 92t/aEACCE code=off" classEACCE clef">datat/a>)[ta href="+code=in2pct>
 s i2eing attachedt/spa  
datat/a>)[ta href="+code=in2pl filter2than @usage).t/spa  
p 76t/a>tsp2pLinux So2"comment"> */t/spa  
p 58t/a    struct">pt_regst/a> *ta kzt/a>c nam.17L94">p 9kzt/a>c" na+t class="sref">MAX_INSNS_PER_Pfsetof"nam.17L56">p 56t/a>        struct ta hr" +x"line" nam.17L1fp_" clL56">p 56t/a>  en_" clclefgline" nam.17L76">p 76t/a>tsp2   class=2seccomp_filtert/a> {
GFP_KERNEL17L92" class="lGFP_KERNELrnel|" class="sref">__GFP_NOWARN17L92" class="l__GFP_NOWARNruct )seccomp.c#L78" id17L78" clas2p"falt">a2ss="sref">usaget/a>;
p 92t/af" nam.17L58">p 58t/a    structF>datat/a>)[ta href="+code=in2pfref">li2ass="sref">prevt/a>;
p 92t/aENOMEMcode=off" classENOMEMclef">datat/a>)[ta href="+code=in2paccessin2t>
  count */t/spa  
p 92t/aatomic_sd117L92" class="latomic_sd1" na+comp.c#L99ef">regst/e" nam.17L58">p 58t/a    struct nam.!!(ta href="+cousaglL56">p 56t/a>  usaglcl  gs1aa>i2402">p13#L97" i3u23.321322p
 .  In 2="sref">insnst/a>[];
 *ta e" nam.17L58">p 58t/a    struct nam.!!(ta href="+conam.17L57">p 57t/a>      1>pt_regst/a> *ta ent">L56">p 56t/a>  ent">a hr nam.!!(ta href="+conam.17L57">p 57t/a>      )seccomp.c#L78" id17L78" clas2="line" n2am.17L59">p 59t/a>};
p 60t/a>
 *sre>/* Limiscomme ent">m4" class="line" nam.17L14">p 14t/a>tsp2sct>
 s i2truct>
 s. */t/spa  
p 92t/aEFAULTcode=off" classEFAULT    )seccomp.c#L78" id17L78" clas2=l filter2f">sock_filtert/a>))
p 58t/a    struct nam.!!(ta href="+cosock_filter" class="sref">socgs" class="sref">ent">L56">p 56t/a>  ent">a hr nam.!!(ta href="+coe" nam.17L58">p 58t/a    struct,d"line" nam.17L1fp_" clL56">p 56t/a>  en_" clclefF>BPF_DATAt/a>(ta href="+code=2sLinux So2 nam.17L63">p 63t/a>
offsefait    )seccomp.c#L78" id17L78" clas2=  class=2"comment">/**t/spa  
a2nnam.17L15">p 15t/a>
 *ent"> vias"> *skbtine" &t3+ class="line" nam.17L76">p 76t/a>tsp2sfref">li2 64 bit ue=0.t/spa  
p 92t/acklin nam.17LL56">p 56t/a>   klin nam.17L" na+!!(ta href="+coe" nam.17L58">p 58t/a    struct nam.!!(ta href="+cosock_filter" class="sref">socgs" class="sref">e" nam.17L58">p 58t/a    struct nam.!!(ta href="+conam.17L57">p 57t/a>      aa>i2402">p13#L97" i3u23.321322saccessin2econd 32-bitst/spa  
 *t/spa  
offsefait    )seccomp.c#L78" id17L78" clas2ned long.2  If a 32-bitt/spa  
 *ent"> lineclass="cuse3+ class="line" nam.17L76">p 76t/a>tsp2nct>
 s i2ident will bet/spa  
u32t/ine" nam.17L_nam.!!(ta href="+coe" nam.17L58">p 58t/a    struct nam.!!(ta href="+cosock_filter" class="sref">socgs" class="sref">e" nam.17L58">p 58t/a    struct nam.!!(ta href="+conam.17L57">p 57t/a>      aa>i2402">p13#L97" i3u23.321322nl filter2rly returned.t/spa  
 *t/spa  
offsefait    )seccomp.c#L78" id17L78" clas2n  class=2ors to managet/spa  
p 76t/a>tsp2nfref">li2uux/atvmic.ht/a>>
 *f">s 17L8don't dropa88tclass="line" nam.17L76">p 76t/a>tsp2naccessin2ss="sref">indext/a>)
 * to a task_struc2n
 .  In 2nam.17L78">p 78t/a>{
p 76t/a>tsp2dex" clas2s="sref">indext/a>];
 *ta e" nam.17L58">p 58t/a    struct nam.!!(ta href="+co_filter" class="sref">secco9t .17L92">p 92t/a=k_pt_regs" class="sref">task_pt_ nam.!!(ta href="+cop 14t/aL56">p 56t/a>        s_pt_.="+code=seccomps" nam.17L58">p 58t/a    struct)line" nam.17L76">p 76t/a>tsp2ds="line"2nam.17L80">p 8opta>}
        if (ta=k_pt_regs" class="sref">task_pt_ nam.!!(ta href="+cop 14t/aL56">p 56t/a>        s_pt_.="+code=seccomps" nam.17L58">p 58t/a    struct">pt_regst/a> *ta e" nam.17L58">p 58t/a    struct)line" nam.17L76">p 76t/a>tsp2dct>
 s i2 nam.17L81">p 81t/a>
offsefait    :ATAt/a>(ta href="+code=args"2dLinux So2ss="sref">_nam.t/a>)
p 56t/a>  kfrel_nam.!!(ta href="+coe" nam.17L58">p 58t/a    structaa>i2402">p13#L97" i3u23.321322d  class=2"comment">/**t/spa  
datat/a>)[ta href="+code=in2ds="line"2uested offsett/spa  
>
p 84t/a>tsp2ested 32-2bits of data.t/spa  
a ass="line" nam.17L84">p 84t/a>tsp2@off is 322-bit alignedt/spa  
tspa  Eto "> *user8spa  contain sec17c"linent">  class="comment"> * to a task_struc2@s="line"2 so is a BUG.t/spa  
 * to a task_struc2@ct>
 s i2"comment"> */t/spa  
 * to a task_struc2de=off" c2lass="sref">offt/a>)
p 76t/a>tsp2s="line" 2nam.17L93">p 93t/a>{
u32t/comp_f_user_am.17L_nam.char="line" nam.17L1__userfilter" class="__user" naef="+code=seccompuser_am.17Lu32" class="sreuser_am.17L_nam>BPF_DATAt/a>(ta href="+code=2t" class=2"sref">currentt/a>);
nrt/a>))
) ta href="+code=of"linent">L56">p 56t/a>   "linent">a hre" class="sref">ent">L56">p 56t/a>  ent">a hr">datat/a>)[ta href="+code=in2tomp_data2ss="sref">regst/a>);
p 92t/aEFAULTcode=off" classEFAULT    )seccomp.c#L78" id17L78" clas2arch" cla2ss="sref">arch))
datat/a>)[ta href="+code=in2regs" cla2ss="sref">regst/a>);
CONFIG_ref=ATcode=off" classCONFIG_ref=ATrnel>datat/a>)[ta href="+code=in3class="sr3f">argst/a>[6])) {
(ta href="+code=args"3=0." clas3="sref">ue=0.t/a>;
) ta href="+code=o+codat_f"linent">L56">p 56t/a>  +codat_f"linent">a hre" class="sref">ent">id17L92" class="lent">id    )seccomp.c#L78" id17L78" clas3=u64" cla3s="sref">u64t/a>);
regst/ent">id17L92" class="lent">id    gs" class="sref">user_am.17Lu32" class="sreuser_am.17L_nam,   classc#L99ef">regst/ent">id17L92" class="lent">id    )F>BPF_DATAt/a>(ta href="+code=3u64" clas3="sref">u64t/a>));
p 93t/a>{
L56">p 56t/a>  ent">a hr.="+code=seccompnam.17L57">p 57t/a>      1>pt_regst/a> *ta ent">id17L92" class="lent">id    .="+code=seccompnam.17L57">p 57t/a>      )seccomp.c#L78" id17L78" clas3=54" clas3=sref">currentt/a>);
L56">p 56t/a>  ent">a hr.="+code=seccomps" nam.17L58">p 58t/a    struct9t .17L92">p 92t/a=codat_ptrfilter" class="=oodat_ptr_nam.!!(ta href="+coent">id17L92" class="lent">id    .="+code=seccompe" nam.17L58">p 58t/a    structaa>i2402">p13#L97" i3u23.3213230s="line"30nam.17L15">p 15t/a>
 *.c#belowm4" class="line" nam.17L14">p 14t/a>tsp3=fref">li30ux/atvmic.ht/a>>
p 14t/a>tsp3=8ref">li30s="sref">arch))
regst/ent">L56">p 56t/a>  ent">a hrgs" class="sref">user_am.17Lu32" class="sreuser_am.17L_nam,   classc#L99ef">regst/ent">L56">p 56t/a>  ent">a hr)F>BPF_DATAt/a>(ta href="+code=3u9ref">li30s="sref">regst/a>);
 *ta id117L92" class="lrer   u = >MAX_INSNS_PER_Pfsetof"comp_f_am.17LL56">p 56t/a>        stcomp_f_am.17L" na+comp.c#L99ef">regst/ent">L56">p 56t/a>  ent">a hraa>i2402">p13#L97" i3u23.321323rref">lin3xx/seccomp.ht/a>>
datat/a>)[ta href="+code=in3ll filter3s ialthe formt/spa  
datat/a>)[ta href="+code=in3a  class=3"comment"> */t/spa  
 *rnaerenca count.17Line"ruct t3on @tsk4" class="line" nam.17L14">p 14t/a>tsp3as="line"3 nam.17L15">p 15t/a>
) ta href="+code=o ask_t/a>) 17L92" class="l ask_t/a>) " naef="+code=seccomptskfilter" class="tsk" na>BPF_DATAt/a>(ta href="+code=3afref">li3nux/atvmic.ht/a>>
(ta href="+code=args"3="fref">l3inux/audit.ht/a>>
p 56t/a>        struct ta href="+code=seccompori>L56">p 56t/a>  ori>   u = >MAX_INSNS_PER_tskfilter" class="tsk" na nam.!!(ta href="+cop 14t/aL56">p 56t/a>        s_pt_.="+code=seccomps" nam.17L58">p 58t/a    struct)line" nam.17L76">p 76t/a>tsp3aef">linu3nux/compat.ht/a>>
p 92t/aori>L56">p 56t/a>  ori>   u>BPF_DATAt/a>(ta href="+code=3="fref">l3inux/sched.ht/a>>
p 76t/a>tsp3fref">lin3ux/seccomp.ht/a>>
 *e" nam.17Liospaent"ommeemm4" class="line" nam.17L14">p 14t/a>tsp3ss="line"3 nam.17L21">p 21t/a>
p 56t/a>  atomic_ ec" na+comp.c#L99ef">regst/ori>L56">p 56t/a>  ori>   u nam.!!(ta href="+cousaglL56">p 56t/a>  usaglcl  aa>i2402">p13#L97" i3u23.321323al filter3MP_DEBUG 1 */t/spa  
p 23t/a>
datat/a>)[ta href="+code=in3a  class=3G_SECCOMP_FILTERt/a>
 *rna count.17Lisk nam.f="+coderuct t3+ class="line" nam.17L76">p 76t/a>tsp3as="line"3sm/syscall.ht/a>>
) ta href="+code=o ask_t/a>) 17L92" class="l ask_t/a>) " naef="+code=seccomptskfilter" class="tsk" na>BPF_DATAt/a>(ta href="+code=3"fref">li3nux/filter.ht/a>>
(ta href="+code=args"3"fref">li3nux/ptrace.ht/a>>
p 56t/a>        struct ta href="+code=seccompori>L56">p 56t/a>  ori>   u = >MAX_INSNS_PER_tskfilter" class="tsk" na nam.!!(ta href="+cop 14t/aL56">p 56t/a>        s_pt_.="+code=seccomps" nam.17L58">p 58t/a    struct)line" nam.17L76">p 76t/a>tsp3ref">linu3x/security.ht/a>>
p 14t/a>tsp3s="fref">3linux/slab.ht/a>>
L56">p 56t/a>  ori>   u t/a>(t/a>(#/seccomp.c#L92"atomic_dec_and_tesregs" class="sreatomic_dec_and_tesr" na+comp.c#L99ef">regst/ori>L56">p 56t/a>  ori>   u nam.!!(ta href="+cousaglL56">p 56t/a>  usaglcl  aF_DATAt/a>(ta href="+code=args"3sref">lin3/tracehook.ht/a>>
) ta href="+code=o="line" nam.17L56">p 56t/a>        struct ta href="+code=seccompfrelmlL56">p 56t/a>  erelml   u = >MAX_INSNS_PER_ori>L56">p 56t/a>  ori>   u)line" nam.17L76">p 76t/a>tsp3ss="line"3ux/uaccess.ht/a>>
L56">p 56t/a>  ori>   u = >MAX_INSNS_PER_ori>L56">p 56t/a>  ori>   u nam.!!(ta href="+co_filter" class="sref">secco)line" nam.17L76">p 76t/a>tsp3sl filter3  ialthe formt/spa  
p 56t/a>  kfrel_nam.!!(ta href="+coerelmlL56">p 56t/a>  erelml   uaa>i2402">p13#L97" i3u23.321323a  class=3"comment">/**t/spa  
 *t/spa  
datat/a>)[ta href="+code=in3sfref">li3ect lifetime.t/spa  
p 84t/a>tsp3sfref">li3g a  instancet/spa  
 * ask to.t/a>tc e-nt"omme t     t emulaLimiclass="line" nam.17L84">p 84t/a>tsp3sef">linu3general, thist/spa  
p 84t/a>tsp3s shared 3across tasks.t/spa  
p 84t/a>tsp3sref">lin3rited, filtert/spa  
 * to a task_struc3uct>
 s i3althe programt/spa  
 * to a task_struc3sl filter3s to eue=0atet/spa  
p 14t/a>tsp3sLinux So3kket Filters.t/spa  
p 56t/a>        stsend_sigsyp_nam.code=seccomp_bpf_lo      tss="sref">offset     tcl  , code=seccomp_bpf_loreason17L92" class="lreason" na>BPF_DATAt/a>(ta href="+code=3s  class=3vialthe @prevt/spa  
a3list startingt/spa  
) ta href="+code=ofiginfoss="sref">offsetiginfoa hre" class="sref">infoss="sref">offseinfoa hra>i2402">p13#L97" i3u23.321323sfref">li3rited filter.t/spa  
regst/infoss="sref">offseinfoa hr, 0,   classc#L99ef">regst/infoss="sref">offseinfoa hr)aa>i2402">p13#L97" i3u23.321323saccessin3fork(), whichp 92t/ainfoss="sref">offseinfoa hr.="+code=seccompsi_L100oss="sref">offseti_L100o   u = >MAX_INSNS_PER_SIGSYSss="sref">offseSIGSYSa hra>i2402">p13#L97" i3u23.321323sef">linu3is similar to *ta infoss="sref">offseinfoa hr.="+code=seccompsi_ccomss="sref">offseti_ccom   u = >MAX_INSNS_PER_SYS_a href=ss="sref">offseSYS_a href=a hra>i2402">p13#L97" i3u23.321323  shared 3.spaces work.t/spa  
 *ta infoss="sref">offseinfoa hr.="+code=seccompsi_c  t_add7L56">p 56t/a>   i_c  t_add7   u = (voir8" class="line" __userfilter" class="__user" naef)" class="line" KSTK_EI=ss="sref">offseKSTK_EI=_nam.!!(ta href="+co=k_pt_regs" class="sref">task_pt_aa>i2402">p13#L97" i3u23.321323pa  class3="comment"> *t/spa  
        if (tainfoss="sref">offseinfoa hr.="+code=seccompsi_errnoL56">p 56t/a>   i_errno   u = >MAX_INSNS_PER_reason17L92" class="lreason" naa>i2402">p13#L97" i3u23.321323pct>
 s i3eing attachedt/spa  
offseinfoa hr.="+code=seccompsi_archL56">p 56t/a>   i_arch   u = >MAX_INSNS_PER_P     t_get_archL56">p 56t/a>        t_get_arch_nam.!!(ta href="+co=k_pt_regs" class="sref">task_pt_gs" class="sref"> ask_pt_reg_filter" class="task_pt_reg__nam.!!(ta href="+co=k_pt_regs" class="sref">task_pt_aaa>i2402">p13#L97" i3u23.321323pl filter3than @usage).t/spa  
offseinfoa hr.="+code=seccompsi_L     tss="sref">offseti_L     t   u = >MAX_INSNS_PER_P     tss="sref">offset     tcl  a>i2402">p13#L97" i3u23.321323pLinux So3"comment"> */t/spa  
offseforci_L10_info_nam.!!(ta href="+coSIGSYSss="sref">offseSIGSYSa hr, comp.c#L99ef">regst/infoss="sref">offseinfoa hr, !!(ta href="+co=k_pt_regs" class="sref">task_pt_aa>i2402">p13#L97" i3u23.321323p  class=3seccomp_filtert/a> {
a3ss="sref">usaget/a>;
p 14t/a>tsp3pfref">li3ass="sref">prevt/a>;

  count */t/spa  
p 14t/a>tsp3pef">linu3="sref">insnst/a>[];
ts only read/write/exit/L10id17L9  class="comment"> * to a task_struc3="line" n3am.17L59">p 59t/a>};
 * to a task_struc3=a  class3 nam.17L60">p 60t/a>
 *sta"  1llocatimisctoo  class="comment"> * to a task_struc3sct>
 s i3truct>
 s. */t/spa  
p 14t/a>tsp3=l filter3f">sock_filtert/a>))
p 63t/a>
/**t/spa  
p 14t/a>tsp3="falt">a3nnam.17L15">p 15t/a>
i2402">p13#L97" i3u23.321323sfref">li3 64 bit ue=0.t/spa  
CONFIG_ref=ATcode=off" classCONFIG_ref=ATrnel>datat/a>)[ta href="+code=in3s
 .  In 3="comment"> *t/spa  
 *ta __NR_f     stread_id17L92" class="l__NR_f     stread_ida hr, !!(ta href="+co__NR_f     stwrite_id17L92" class="l__NR_f     stwrite_ida hr, !!(ta href="+co__NR_f     stexit_id17L92" class="l__NR_f     stexit_ida hr, !!(ta href="+co__NR_f     stL10id17L9_id17L92" class="l__NR_f     stL10id17L9_ida hr,seccomp.c#L78" id17L78" clas3ns="line"3-bits will bet/spa  
p 14t/a>tsp3nct>
 s i3ident will bet/spa  
i2402">p13#L97" i3u23.321323nl filter3rly returned.t/spa  
p 14t/a>tsp3nLinux So3="comment"> *t/spa  
datat/a>)[ta href="+code=in3n  class=3ors to managet/spa  
offsetlas_L     t" na>BPF_DATAt/a>(ta href="+code=3ns="line"3architecture.t/spa  
li3uux/atvmic.ht/a>>
task_pt_ nam.!!(ta href="+cop 14t/aL56">p 56t/a>        s_pt_.="+code=seccompm (t17L92" class="lm (t   ua>i2402">p13#L97" i3u23.321323naccessin3ss="sref">indext/a>)
L56">p 56t/a>  exit_si>   u = 0nclude/linux/compat.h" class=3n
 .  In 3nam.17L78">p 78t/a>{
offset     tcl  a>i2402">p13#L97" i3u23.321323dex" clas3s="sref">indext/a>];
 *ta  id17L92" class="line" nam.17L92">p 92t/aid117L92" class="lrer   ua>i2402">p13#L97" i3u23.321323ds="line"3nam.17L80">p 8opta>}

 s i3 nam.17L81">p 81t/a>
_nam.t/a>)
offset     tcl   = >MAX_INSNS_PER_m (t1_L     t_filter" class="m (t1_L     t_l/sea>i2402">p13#L97" i3u23.321323d  class=3"comment">/**t/spa  
CONFIG_ref=ATcode=off" classCONFIG_ref=ATrnel>datat/a>)[ta href="+code=in3ds="line"3uested offsett/spa  
datat/a>)[ta href="+code=in3dfref">li3 to load fromt/spa  
offset     tcl   = >MAX_INSNS_PER_m (t1_L     t__id17L92" class="lm (t1_L     t__idl/sea>i2402">p13#L97" i3u23.321323daccessin3nnux/audit.ht/a>>
p 14t/a>tsp3ested 32-3bits of data.t/spa  
(ta href="+code=args"3@off is 332-bit alignedt/spa  
offset     tcl  9t/a>        if (tatlas_L     tss="sref">offsetlas_L     t" na>BPF_DATAt/a>(ta href="+code=3@s="line"3 so is a BUG.t/spa  

 s i3"comment"> */t/spa  
offset     tcl  aa>i2402">p13#L97" i3u23.321323de=off" c3lass="sref">offt/a>)
L56">p 56t/a>  exit_si>   u = !!(ta href="+coSIGKILL17L92" class="laIGKILLl/sea>i2402">p13#L97" i3u23.321323s="line" 3nam.17L93">p 93t/a>{
datat/a>)[ta href="+code=in3t" class=3"sref">currentt/a>);
datat/a>)[ta href="+code=in3ts="line"3lass="sref">nrt/a>))
CONFIG_a href="FILTERcode=off" classCONFIG_a href="FILTERrnel>datat/a>)[ta href="+code=in3tomp_data3ss="sref">regst/a>);
arch))
datat/a>)[ta href="+code=in3tsted 32-3ss="sref">regst/a>);
) ta href="+code=opt_reg_filter" class="pt_reg__namef="+code=seccompreg_filter" class="reg__name/a>        if (tatask_pt_reg_filter" class="task_pt_reg__nam.!!(ta href="+co=k_pt_regs" class="sref">task_pt_a">datat/a>)[ta href="+code=in4class="sr4f">argst/a>[6])) {
pL56">p 56t/a>        strun_7L47">p_nam.!!(ta href="+cotlas_L     tss="sref">offsetlas_L     t" na>">datat/a>)[ta href="+code=in4c1ass="sr4fso is a BUG.t/spa  
MAX_INSNS_PER_re117L92" class="lrer   u t/a>(ta href="+code=aa href="RET_DATA17L92" class="la href="RET_DATAclef">datat/a>)[ta href="+code=in4=u64" cla4s="sref">u64t/a>);
datat/a>)[ta href="+code=in4=364" cla4sass="sref">offt/a>)
p 93t/a>{
currentt/a>);
seccomp.c#L82" id17L82" Sers"> *low-order 16-b88t/as.17errnom4" class="line" nam.17L14">p 14t/a>tsp40s="line"40nam.17L15">p 15t/a>
MAX_INSNS_PER_      t_set_re17L9_valumss="sref">offset     t_set_re17L9_valum_nam.!!(ta href="+co=k_pt_regs" class="sref">task_pt_gs" class="sref">reg_filter" class="reg__nam,seccomp.c#L78" id17L78" clas4=fref">li40ux/atvmic.ht/a>>
p 92t/aspa code=off" classspa clef, 0>">datat/a>)[ta href="+code=in4c8ref">li40s="sref">arch))
p 56t/a>   kiaecco">datat/a>)[ta href="+code=in4=9ref">li40s="sref">regst/a>);
offseS href="RET_TRA=l/se:ATAt/a>(ta href="+code=args"4re-comput4ing facility.t/spa  
seccomp.c#L82" id17L82" Shows"> *handlam.the " iginaldidgis7">pm4" class="line" nam.17L14">p 14t/a>tsp4rref">lin4xx/seccomp.ht/a>>
MAX_INSNS_PER_      t_rollbackfilter" class="      t_rollback_nam.!!(ta href="+co=k_pt_regs" class="sref">task_pt_gs" class="sref">reg_filter" class="reg__nam>">datat/a>)[ta href="+code=in4ru64" cla4system calls.t/spa  
seccomp.c#L82" id17L82" Lers"> *ruct t3p.c# back 16 b88t/of8spa m4" class="line" nam.17L14">p 14t/a>tsp4r364" cla4s ialthe formt/spa  
MAX_INSNS_PER_f     stsend_sigsypL56">p 56t/a>        stsend_sigsyp_nam.!!(ta href="+cotlas_L     tss="sref">offsetlas_L     t" nags" class="sref">spa code=off" classspa clef>">datat/a>)[ta href="+code=in4r44" clas4cket Filters.t/spa  
p 56t/a>   kiaecco">datat/a>)[ta href="+code=in4a  class=4"comment"> */t/spa  
offseS href="RET_TRACEl/se:ATAt/a>(ta href="+code=args"4rs="line"4 nam.17L15">p 15t/a>
seccomp.c#L82" id17L82" Skias"> smp   t_d.c#inere nnano tracerm4" class="line" nam.17L14">p 14t/a>tsp4rfref">li4nux/atvmic.ht/a>>
p 92t/aptrace_evt_r_enabledfilter" class="ptrace_evt_r_enabled_nam.!!(ta href="+co=k_pt_regs" class="sref">task_pt_gs" class="sref">PTRACE_EVENT_a href=ss="sref">offsePTRACE_EVENT_a href=clef>>_DATAt/a>(ta href="+code=args"4="fref">l4inux/audit.ht/a>>
MAX_INSNS_PER_f     t_set_re17L9_valumss="sref">offset     t_set_re17L9_valum_nam.!!(ta href="+co=k_pt_regs" class="sref">task_pt_gs" class="sref">reg_filter" class="reg__nam,seccomp.c#L78" id17L78" clas4aef">linu4nux/compat.ht/a>>
p 92t/aENOSYSss="sref">offseENOSYSclef, 0>">datat/a>)[ta href="+code=in4="fref">l4inux/sched.ht/a>>
p 56t/a>   kiaecco">datat/a>)[ta href="+code=in4fref">lin4ux/seccomp.ht/a>>
p 21t/a>
seccomp.c#L82" id17L82" A/a>tc"> *BPF.to.provides"> *evt_r messagl4" class="line" nam.17L14">p 14t/a>tsp4al filter4MP_DEBUG 1 */t/spa  
MAX_INSNS_PER_ptrace_evt_rfilter" class="ptrace_evt_r_nam.!!(ta href="+coPTRACE_EVENT_a href=ss="sref">offsePTRACE_EVENT_a href=clefgs" class="sref">spa code=off" classspa clef>">datat/a>)[ta href="+code=in4aLinux So4 nam.17L23">p 23t/a>
p 14t/a>tsp4a  class=4G_SECCOMP_FILTERt/a>
p 14t/a>tsp4as="line"4sm/syscall.ht/a>>
 * to a task_struc4"fref">li4nux/filter.ht/a>>
 * ask n>tcavoirs1execut secant  tem class="comment"> * to a task_struc4""fref">l4nux/ptrace.ht/a>>
 * to a task_struc4"ef">linu4x/security.ht/a>>
p 14t/a>tsp4s="fref">4linux/slab.ht/a>>
faspa_L100al_pendise17L92" class="lfaspa_L100al_pendise_nam.!!(ta href="+co=k_pt_regs" class="sref">task_pt_a>BPF_DATAt/a>(ta href="+code=4sref">lin4/tracehook.ht/a>>
datat/a>)[ta href="+code=in4ss="line"4ux/uaccess.ht/a>>
      t_get_n7L56">p 56t/a>        t_get_n7_nam.!!(ta href="+co=k_pt_regs" class="sref">task_pt_gs" class="sref">reg_filter" class="reg__nam> <l0F>datat/a>)[ta href="+code=in4sl filter4  ialthe formt/spa  
p 56t/a>   kiaecco"dd>seccomp.c#L82" id17L82" Explicit request.to.skiam4" class="line" nam.17L14">p 14t/a>tsp4a  class=4"comment">/**t/spa  
datat/a>)[ta href="+code=in4s  class=4 BPF programst/spa  
 *t/spa  
li4ect lifetime.t/spa  
l4g a  instancet/spa  
(ta href="+code=args"4sef">linu4general, thist/spa  
(ta href="+code=args"4s shared 4across tasks.t/spa  
datat/a>)[ta href="+code=in4sref">lin4rited, filtert/spa  

 s i4althe programt/spa  
MAX_INSNS_PER_exit_si>L56">p 56t/a>  exit_si>   u = !!(ta href="+coSIGSYSss="sref">offseSIGSYSa hra>i2402">p13#L97" i3u23.321324sl filter4s to eue=0atet/spa  
datat/a>)[ta href="+code=in4s  class=4kket Filters.t/spa  
p 14t/a>tsp4s"falt">a4list startingt/spa  
(ta href="+code=args"4sfref">li4rited filter.t/spa  
offseBUG" na+)">datat/a>)[ta href="+code=in4s"fref">l4fork(), whichlinu4is similar toa href="DEBUGss="sref">offsea href="DEBUGrnelseccomp.c#L80" id17L80" clas4 ref">lin4="comment"> *t/spa  
        if (tadu ststackfilter" class="du ststack" na+)">datat/a>)[ta href="+code=in4pct>
 s i4eing attachedt/spa  
p 14t/a>tsp4pl filter4than @usage).t/spa  
offsetlas_L     t" nags" class="sref">exit_si>L56">p 56t/a>  exit_si>   ugs" class="sref">re117L92" class="lrer   u>">datat/a>)[ta href="+code=in4p  class=4"comment"> */t/spa  
L56">p 56t/a>  exit_si>   u>">datat/a>)[ta href="+code=in4p  class=4seccomp_filtert/a> {
CONFIG_a href="FILTERcode=off" classCONFIG_a href="FILTERrnel>datat/a>)[ta href="+code=in4p"falt">a4ss="sref">usaget/a>;
p 56t/a>   kiaecco:ATAt/a>(ta href="+code=args"4pfref">li4ass="sref">prevt/a>;
offsetlas_L     t" nags" class="sref">exit_si>L56">p 56t/a>  exit_si>   ugs" class="sref">re117L92" class="lrer   u>">datat/a>)[ta href="+code=in4p"fref">l4t>
  count */t/spa  
p 14t/a>tsp4pef">linu4="sref">insnst/a>[];
datat/a>)[ta href="+code=in4="line" n4am.17L59">p 59t/a>};
p 60t/a>

 s i4truct>
 s. */t/spa  
sock_filtert/a>))
(ta href="+code=args"4sLinux So4 nam.17L63">p 63t/a>
task_pt_ nam.!!(ta href="+cop 14t/aL56">p 56t/a>        s_pt_.="+code=seccompm (t17L92" class="lm (t   ua>i2402">p13#L97" i3u23.321324s  class=4"comment">/**t/spa  
a4nnam.17L15">p 15t/a>
datat/a>)[ta href="+code=in4sfref">li4 64 bit ue=0.t/spa  
p 84t/a>tsp4saccessin4econd 32-bitst/spa  
task nam.f="+codem (t  ass="line" nam.17L84">p 84t/a>tsp4sef">linu4="comment"> *t/spa  
p 84t/a>tsp4ned long.4  If a 32-bitt/spa  
) tf"linent"> for.usecwith S href="MODE_FILTERl/ass="line" nam.17L84">p 84t/a>tsp4na  class4-bits will bet/spa  
 * to a task_struc4nct>
 s i4ident will bet/spa  
 * to a task_struc4nl filter4rly returned.t/spa  
p.  Every/ruct ta lass="comment"> * to a task_struc4nLinux So4="comment"> *t/spa  
 * to a task_struc4n  class=4ors to managet/spa  
 * to a task_struc4ns="line"4architecture.t/spa  
 * to a task_struc4nfref">li4uux/atvmic.ht/a>>
task nam.f="+codem (t nnanon-zero, iasmayenotnbe"changL8  class="comment"> * to a task_struc4naccessin4ss="sref">indext/a>)
 * to a task_struc4nef">linu4nam.17L78">p 78t/a>{
 * to a task_struc4dex" clas4s="sref">indext/a>];
p 14t/a>tsp4ds="line"4nam.17L80">p 8opta>}
p 58t/a    structaline" nam.17L14">p 14t/a>tsp4dct>
 s i4 nam.17L81">p 81t/a>
(ta href="+code=args"4dl filter4oad below. */t/spa  
p 92t/aEINVALss="sref">offseEINVAL   ua>i2402">p13#L97" i3u23.321324dLinux So4ss="sref">_nam.t/a>)
datat/a>)[ta href="+code=in4d  class=4"comment">/**t/spa  
task_pt_ nam.!!(ta href="+cop 14t/aL56">p 56t/a>        s_pt_.="+code=seccompm (t17L92" class="lm (t   u t/a>(t/a>(>datat/a>)[ta href="+code=in4ds="line"4uested offsett/spa  
task_pt_ nam.!!(ta href="+cop 14t/aL56">p 56t/a>        s_pt_.="+code=seccompm (t17L92" class="lm (t   u != >MAX_INSNS_PER_f     stm (t17L92" class="l      stm (t   ualine" nam.17L14">p 14t/a>tsp4dfref">li4 to load fromt/spa  
>
datat/a>)[ta href="+code=in4ested 32-4bits of data.t/spa  

 s i4"comment"> */t/spa  
TIF_NOTSC17L92" class="lTIF_NOTSCrnel>datat/a>)[ta href="+code=in4de=off" c4lass="sref">offt/a>)
datat/a>)[ta href="+code=in4s="line" 4nam.17L93">p 93t/a>{
p 14t/a>tsp4t" class=4"sref">currentt/a>);
datat/a>)[ta href="+code=in4ts="line"4lass="sref">nrt/a>))
CONFIG_a href="FILTERcode=off" classCONFIG_a href="FILTERrnel>datat/a>)[ta href="+code=in4tomp_data4ss="sref">regst/a>);
arch))
p 58t/a    structaa>i2402">p13#L97" i3u23.321324tsted 32-4ss="sref">regst/a>);
p13#L97" i3u23.321325class="sr5f">argst/a>[6])) {
datat/a>)[ta href="+code=in5=u64" cla5s="sref">u64t/a>);
p 14t/a>tsp5=364" cla5sass="sref">offt/a>)
p 93t/a>{
currentt/a>);
p 15t/a>
datat/a>)[ta href="+code=in5=fref">li50ux/atvmic.ht/a>>
task_pt_ nam.!!(ta href="+cop 14t/aL56">p 56t/a>        s_pt_.="+code=seccompm (t17L92" class="lm (t   u = >MAX_INSNS_PER_f     stm (t17L92" class="l      stm (t   u)seccomp.c#L78" id17L78" clas5c8ref">li50s="sref">arch))
p 92t/aset_thread_fla>L56">p 56t/a>  set_thread_fla>_nam.!!(ta href="+coTIF_a href=ss="sref">offseTIF_a href=ructaa>i2402">p13#L97" i3u23.321325=9ref">li50s="sref">regst/a>);
datat/a>)[ta href="+code=in5rref">lin5xx/seccomp.ht/a>>


