/*
 * prctl_set_seccomp - switch the calling task into a seccomp mode.
 * @seccomp_mode: requested mode; 1 is always accepted, 13 only when the
 *                kernel is built with CONFIG_SECCOMP_FILTER.
 *
 * The transition is one-way: if current->seccomp.mode is already non-zero
 * the request is refused, so a confined task cannot change its mode later.
 *
 * NOTE(review): the modes are bare literals here; 1 is presumably the
 * strict mode and 13 the filter mode -- confirm against the seccomp header.
 *
 * Returns 0 on success, -EPERM if a mode is already set, or -EINVAL for an
 * unsupported @seccomp_mode.
 */
long prctl_set_seccomp(unsigned long seccomp_mode)
{
	/* Refuse any second attempt; the mode can be set only once. */
	if (unlikely(current->seccomp.mode))
		return -EPERM;

	switch (seccomp_mode) {
	case 1:
#ifdef TIF_NOTSC
		/* Only mode 1 turns the TSC off; mode 13 enters below this call. */
		disable_TSC();
#endif
		/* fall through */
#ifdef CONFIG_SECCOMP_FILTER
	case 13:
#endif
		/* Record the mode, then flag the thread for seccomp handling. */
		current->seccomp.mode = seccomp_mode;
		set_thread_flag(TIF_SECCOMP);
		break;
	default:
		return -EINVAL;
	}

	return 0;
}
/**
 * prctl_set_seccomp - configures current->seccomp.mode
 * @seccomp_mode: requested mode to use
 * @filter: optional struct sock_fprog for use with SECCOMP_MODE_FILTER
 *
 * May be called repeatedly with the mode the task is already in; with
 * SECCOMP_MODE_FILTER each call hands @filter to
 * seccomp_attach_user_filter() to install an additional filter.  Every
 * filter successfully installed will be evaluated (in reverse order) for
 * each system call the task makes; that evaluation happens outside this
 * function.
 *
 * Once current->seccomp.mode is non-zero it cannot be changed to a
 * different mode.
 *
 * Returns 0 on success, -EINVAL for an unknown mode or an attempt to change
 * an already-set mode, or the non-zero value returned by
 * seccomp_attach_user_filter() when attaching the filter fails.
 */
long prctl_set_seccomp(unsigned long seccomp_mode, char __user *filter)
{
	long ret;

	/* A task already under seccomp may only re-request its current mode. */
	if (current->seccomp.mode && current->seccomp.mode != seccomp_mode)
		return -EINVAL;

	switch (seccomp_mode) {
	case SECCOMP_MODE_STRICT:
#ifdef TIF_NOTSC
		disable_TSC();
#endif
		ret = 0;
		break;
#ifdef CONFIG_SECCOMP_FILTER
	case SECCOMP_MODE_FILTER:
		/* @filter is a user pointer; it is passed on untouched here. */
		ret = seccomp_attach_user_filter(filter);
		if (ret)
			return ret;	/* mode and thread flag stay unchanged */
		break;
#endif
	default:
		return -EINVAL;
	}

	/* Reached only once the requested mode has been accepted. */
	current->seccomp.mode = seccomp_mode;
	set_thread_flag(TIF_SECCOMP);
	return ret;
}
/*
 * set_tsc_mode - apply a requested TSC mode.
 * @val: PR_TSC_SIGSEGV calls disable_TSC(), PR_TSC_ENABLE calls
 *       enable_TSC(); any other value is rejected.
 *
 * Returns 0 when one of the two modes was applied, -EINVAL otherwise.
 */
int set_tsc_mode(unsigned int val)
{
	switch (val) {
	case PR_TSC_SIGSEGV:
		disable_TSC();
		break;
	case PR_TSC_ENABLE:
		enable_TSC();
		break;
	default:
		/* Unknown request: change nothing. */
		return -EINVAL;
	}

	return 0;
}
/*
 * prctl_set_seccomp - switch the calling task into a seccomp mode.
 * @seccomp_mode: requested mode; accepted when it is non-zero and no
 *                greater than NR_SECCOMP_MODES.
 *
 * The transition is one-way: if current->seccomp.mode is already non-zero
 * the request is refused, so a confined task cannot change its mode later.
 *
 * Returns 0 on success, -EPERM if a mode is already set, or -EINVAL when
 * @seccomp_mode is out of range.
 */
long prctl_set_seccomp(unsigned long seccomp_mode)
{
	/* Refuse any second attempt; the mode can be set only once. */
	if (unlikely(current->seccomp.mode))
		return -EPERM;

	/* Zero means "no seccomp", so it is not a valid request either. */
	if (!seccomp_mode || seccomp_mode > NR_SECCOMP_MODES)
		return -EINVAL;

	/* Record the mode, then flag the thread for seccomp handling. */
	current->seccomp.mode = seccomp_mode;
	set_thread_flag(TIF_SECCOMP);
#ifdef TIF_NOTSC
	/* Where the architecture defines TIF_NOTSC, the TSC is also disabled. */
	disable_TSC();
#endif
	return 0;
}