long prctl_set_seccomp(unsigned long seccomp_mode)
{
long ret;
/* can set it only once to be even more secure */
ret = -EPERM;
if (unlikely(current->seccomp.mode))
goto out;
ret = 0;
switch (seccomp_mode) {
case 1:
#ifdef TIF_NOTSC
disable_TSC();
#endif
#ifdef CONFIG_SECCOMP_FILTER
case 13:
#endif
current->seccomp.mode = seccomp_mode;
set_thread_flag(TIF_SECCOMP);
break;
default:
ret = -EINVAL;
}
out:
return ret;
}
/**
* prctl_set_seccomp: configures current->seccomp.mode
* @seccomp_mode: requested mode to use
* @filter: optional struct sock_fprog for use with SECCOMP_MODE_FILTER
*
* This function may be called repeatedly with a @seccomp_mode of
* SECCOMP_MODE_FILTER to install additional filters. Every filter
* successfully installed will be evaluated (in reverse order) for each system
* call the task makes.
*
* Once current->seccomp.mode is non-zero, it may not be changed.
*
* Returns 0 on success or -EINVAL on failure.
*/
long prctl_set_seccomp(unsigned long seccomp_mode, char __user *filter)
{
long ret = -EINVAL;
if (current->seccomp.mode &&
current->seccomp.mode != seccomp_mode)
goto out;
switch (seccomp_mode) {
case SECCOMP_MODE_STRICT:
ret = 0;
#ifdef TIF_NOTSC
disable_TSC();
#endif
break;
#ifdef CONFIG_SECCOMP_FILTER
case SECCOMP_MODE_FILTER:
ret = seccomp_attach_user_filter(filter);
if (ret)
goto out;
break;
#endif
default:
goto out;
}
current->seccomp.mode = seccomp_mode;
set_thread_flag(TIF_SECCOMP);
out:
return ret;
}
int set_tsc_mode(unsigned int val)
{
if (val == PR_TSC_SIGSEGV)
disable_TSC();
else if (val == PR_TSC_ENABLE)
enable_TSC();
else
return -EINVAL;
return 0;
}
long prctl_set_seccomp(unsigned long seccomp_mode)
{
long ret;
/* can set it only once to be even more secure */
ret = -EPERM;
if (unlikely(current->seccomp.mode))
goto out;
ret = -EINVAL;
if (seccomp_mode && seccomp_mode <= NR_SECCOMP_MODES) {
current->seccomp.mode = seccomp_mode;
set_thread_flag(TIF_SECCOMP);
#ifdef TIF_NOTSC
disable_TSC();
#endif
ret = 0;
}
out:
return ret;
}
