├── .gitignore ├── seccomp.nimble ├── tests ├── basic_test.nim ├── trigger_seccomp.nim └── syscall_num.nim ├── README.adoc ├── seccomp.nim ├── LICENSE └── seccomp └── seccomp_lowlevel.nim /.gitignore: -------------------------------------------------------------------------------- 1 | nimcache/ 2 | *.swo 3 | *.swp 4 | -------------------------------------------------------------------------------- /seccomp.nimble: -------------------------------------------------------------------------------- 1 | # Package 2 | 3 | version = "0.2.1" 4 | author = "Federico Ceratto" 5 | description = "Seccomp (Linux sandboxing) adapter" 6 | license = "LGPLv2.1" 7 | 8 | # Dependencies 9 | 10 | requires "nim >= 0.13.0" 11 | 12 | task release, "Build a release": 13 | exec "nim c -d:release seccomp.nim" 14 | 15 | task test, "Basic test": 16 | exec "nim c -p:. -r tests/basic_test.nim" 17 | exec "nim c -p:. -r tests/syscall_num.nim" 18 | 19 | task test_trigger_seccomp, "Test triggering seccomp": 20 | exec "nim c -p:. 
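-r tests/trigger_seccomp.nim"
--------------------------------------------------------------------------------
/tests/basic_test.nim:
--------------------------------------------------------------------------------

import os, unittest

import seccomp

suite "seccomp":

  test "version":
    echo "version ", get_version()
    doAssert get_version()[0] == 2

  test "reset":
    let ctx1 = seccomp_ctx()
    ctx1.reset()

  test "reset with explicit default action":
    # Same as "reset" but exercises the `defAction` parameter instead of
    # its default (this used to be a second test also named "reset").
    let ctx = seccomp_ctx()
    ctx.reset(ScmpAction.Allow)

  test "release":
    let ctx = seccomp_ctx()
    ctx.release()

  test "real ctx":
    # Loads a real filter into *this* process: from here on only read,
    # write and exit_group are allowed and any other syscall kills the
    # test binary. Kept as the last test so the other cases (and whatever
    # syscalls their allocations need) do not run under the filter.
    let ctx = seccomp_ctx()
    ctx.add_rule(Allow, "read")
    ctx.add_rule(Allow, "write")
    ctx.add_rule(Allow, "exit_group")
    ctx.load()
--------------------------------------------------------------------------------
/README.adoc:
--------------------------------------------------------------------------------
## nim-seccomp

Nim adapter for the https://en.wikipedia.org/wiki/Seccomp[Seccomp sandbox] facility

image:https://img.shields.io/badge/status-beta-orange.svg[badge]
image:https://img.shields.io/github/tag/FedericoCeratto/nim-seccomp.svg[tags]
image:https://img.shields.io/badge/License-LGPL%20v2.1-blue.svg[License]


### Features

* Provides a high-level adaptor in seccomp.nim
* Low-level wrapper in seccomp_lowlevel.nim
* Tested on Linux
* Basic tests

### Installation

[source,bash]
----
sudo apt-get install libseccomp2
nimble install seccomp
----

### Usage

Refer to the generated documentation for the
link:https://federicoceratto.github.io/nim-seccomp/docs/0.1.0/seccomp.html[seccomp]
and
link:https://federicoceratto.github.io/nim-seccomp/docs/0.1.0/seccomp_lowlevel.html[seccomp_lowlevel]
modules

[source,nim]
----
import seccomp

setSeccomp("write 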
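exit_group")

echo """Seccomp is now enabled. Future attempts to change the Seccomp configuration
or to call forbidden system calls will cause the process to be terminated"""

# e.g. createDir("/tmp/foo")
----

or:
[source,nim]
----
import seccomp

let ctx = seccomp_ctx()
ctx.add_rule(Allow, "write")
ctx.add_rule(Allow, "exit_group")
ctx.load()

----

https://github.com/FedericoCeratto/nim-seccomp/blob/master/tests/trigger_seccomp.nim[tests/trigger_seccomp.nim] contains running examples of syscalls that will be blocked

### Caveats

* A loaded filter cannot be removed and later `load()` calls can only add
  restrictions; the `update_seccomp` case in the tests shows a second load
  being killed because the syscall libseccomp needs to install it is not
  on the allow-list.
* Everything the process does after `load()`, including what the Nim runtime
  and libc do on its behalf (memory allocation, I/O, exiting), must be on the
  allow-list. The `execShellCmd` case in tests/trigger_seccomp.nim shows how
  long that list gets for a fork+exec, and it depends on the libc and
  architecture in use.
* The default action `Kill` is `SECCOMP_RET_KILL`, which on Linux terminates
  the calling thread rather than the whole process, so a multi-threaded
  program may keep running with one thread gone. `Errno` as exposed by this
  adaptor carries no errno value, so a blocked syscall returns 0 as if it had
  succeeded.
* Filter attributes (thread synchronisation, logging, ...) are not exposed by
  the high-level adaptor.

### Contributing

Testing and PRs are welcome.

Running tests:

[source,bash]
----
nimble test
nimble test_trigger_seccomp
----
--------------------------------------------------------------------------------
/seccomp.nim:
--------------------------------------------------------------------------------
#
# Seccomp high-level adaptor for Nim
#
# 2016 Federico Ceratto
# Released under LGPLv2.1, see LICENSE file

import strutils

import seccomp/seccomp_lowlevel


proc get_version*(): (int, int, int) =
  ## Return the libseccomp library version as (major, minor, micro).
  let v = seccompVersion()
  return (v.major.int, v.minor.int, v.micro.int)


# Filter actions. The numeric values are the SCMP_ACT_* / SECCOMP_RET_*
# codes and are passed straight through to libseccomp, so they must match
# the kernel ABI exactly.
type
  ScmpAction* = enum
    Kill = 0x00000000   # SECCOMP_RET_KILL: terminates the calling *thread*
                        # (SECCOMP_RET_KILL_THREAD); KILL_PROCESS is not exposed
    Trap = 0x00030000   # SECCOMP_RET_TRAP: deliver SIGSYS to the caller
    Errno = 0x00050000  # SECCOMP_RET_ERRNO with the errno in the low 16 bits;
                        # this bare value is ERRNO(0), i.e. the blocked syscall
                        # returns 0 as if it succeeded. A non-zero errno cannot
                        # be expressed through this enum.
    Log = 0x7FFC0000    # SECCOMP_RET_LOG / SCMP_ACT_LOG: allow after logging.
                        # Was 0x00070000, which is not a valid action value.
    Allow = 0x7FFF0000  # SECCOMP_RET_ALLOW

proc seccomp_ctx*(defaultAction = ScmpAction.Kill): ScmpFilterCtx =
  ## Create a new filter context. `defaultAction` is applied to every
  ## syscall that has no matching rule.
  ## NOTE(review): libseccomp's seccomp_init returns NULL on failure; the
  ## handle is returned unchecked here, so a failure only surfaces later as
  ## a failed doAssert in `reset`/`load`.
  return seccompInit(defaultAction.uint32)


proc reset*(ctx: ScmpFilterCtx, defAction = ScmpAction.Kill) =
  ## Discard every rule in `ctx` and start over with `defAction` as the
  ## default action. Filters already loaded into the kernel are unaffected.
  ## Fails a doAssert if libseccomp reports an error.
  doAssert seccompReset(ctx, defAction.uint32) == 0


proc release*(ctx: ScmpFilterCtx) 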
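=
  ## Destroy the given seccomp filter state and release any
  ## resources, including memory, associated with the filter state. This
  ## function does not reset any seccomp filters already loaded into the kernel.
  ## The filter context can no longer be used after calling this function.
  seccompRelease(ctx)


proc load*(ctx: ScmpFilterCtx) =
  ## Load the filter described by `ctx` into the kernel for this process.
  ## This is irreversible: the filter stays in force until the process
  ## exits and later loads can only restrict further.
  ## Fails a doAssert if libseccomp reports an error.
  doAssert seccompLoad(ctx) == 0


proc add_rule*(ctx: ScmpFilterCtx, action: ScmpAction, syscall_name: string, argCnt = 0) =
  ## Add a rule applying `action` to the syscall named `syscall_name`
  ## (resolved by libseccomp for the native architecture).
  ##
  ## `argCnt` is accepted for API compatibility but ignored: no argument
  ## comparisons are passed to libseccomp, so the rule matches every
  ## invocation of the syscall.
  ##
  ## Both checks below are doAssert (not assert) so they survive -d:danger:
  ## a silently dropped rule would leave a syscall unexpectedly blocked with
  ## a Kill default or, worse, unexpectedly allowed when the default is
  ## Allow and the rule was meant to block.
  let num = seccompSyscallResolveName(syscall_name)
  doAssert num >= 0, "Unable to resolve syscall $#" % syscall_name
  let rc = ctx.seccompRuleAdd(action.uint32, num, 0)
  doAssert rc == 0, "Unable to add rule for syscall $# (libseccomp returned $#)" % [syscall_name, $rc]


proc setSeccomp*(allow: seq[string], defaultAction = ScmpAction.Kill) =
  ## Helper to configure seccomp: whitelist the syscalls in `allow` and load
  ## the filter immediately. Every other syscall gets `defaultAction`.
  ## The context is deliberately not released afterwards: freeing it once the
  ## filter is active may itself need memory syscalls (brk/munmap) that the
  ## allow-list does not contain. The few bytes leak once per call.
  let ctx = seccomp_ctx(defaultAction)
  for syscall_name in allow:
    ctx.add_rule(Allow, syscall_name)
  ctx.load()

proc setSeccomp*(allow: string, defaultAction = ScmpAction.Kill) =
  ## Helper to configure seccomp. 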
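Whitelist the whitespace-separated syscalls in `allow` and load the
  ## filter immediately; every other syscall gets `defaultAction`.
  ## Runs of whitespace, tabs/newlines and leading or trailing whitespace
  ## are tolerated: a plain `split(' ')` turned them into empty names that
  ## fail to resolve and abort the whole setup.
  ## As in the seq overload the context is not released after loading,
  ## since freeing it may need syscalls the new filter does not allow.
  let ctx = seccomp_ctx(defaultAction)
  for syscall_name in allow.split(Whitespace):
    if syscall_name.len > 0:
      ctx.add_rule(Allow, syscall_name)
  ctx.load()
--------------------------------------------------------------------------------
/tests/trigger_seccomp.nim:
--------------------------------------------------------------------------------
#
# Test application: trigger seccomp to terminate the process
#
# 2016 Federico Ceratto
# Released under LGPLv2.1, see LICENSE file
#

import os, net

import seccomp

if paramCount() < 1:
  # When run without any parameter, act as a wrapper for the tests. Each
  # case runs in a child process because a loaded filter cannot be removed
  # and the expected outcome of most cases is the child being killed.
  const test_names = @["mkdir", "mkdir_helper", "rmdir",
    "walkdir", "nothing", "open", "stat", "sleep", "update_seccomp",
    "socket", "sendto", "bind", "listen", "connect", "execShellCmd"]
  var failed_tests_cnt = 0
  for tname in test_names:
    let a = execShellCmd("./tests/trigger_seccomp " & tname)
    case a:
    of 159:
      # 128 + 31 (SIGSYS): the shell's status for a child killed by the filter
      echo "OK"
    of 0:
      # Only the control case and the fork+exec case are expected to survive
      if tname == "nothing" or tname == "execShellCmd":
        echo "OK"
      else:
        echo "Unexpected success"
        failed_tests_cnt.inc
    else:
      echo "Unexpected " & $a
      failed_tests_cnt.inc

  echo $failed_tests_cnt & " failed tests"
  # Non-zero exit status (wrapped modulo 256 by the OS) when anything failed
  quit(-1 * failed_tests_cnt)

echo ""
echo "Testing ", paramStr(1)

template setup() =
  # Load a minimal filter: only write (progress output) and exit_group
  # (clean exit) are allowed, everything else kills the process.
  let ctx = seccomp_ctx()
  # Required to print progress
  ctx.add_rule(Allow, "write")
  # Required to let failed tests exit without triggering seccomp
  ctx.add_rule(Allow, "exit_group")
  ctx.load()

case paramStr(1)
of "mkdir":
  setup
  createDir("/tmp/seccomp_test")
of "mkdir_helper":
  setSeccomp("write exit_group")
  createDir("/tmp/seccomp_test")
of "rmdir":
  setup
  removeDir("/tmp/seccomp_test")
of "walkdir":
  setup
  for kind, path in walkDir("/tmp"):
    echo(path)
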
of "nothing":
  # Control case: the filter loads and the process exits normally (status 0)
  setup
of "open":
  setup
  discard open("/dev/zero", fmRead)
of "stat":
  setup
  discard getFilePermissions("/tmp/foo")
of "sleep":
  setup
  sleep(1)
of "update_seccomp":
  setup
  # Try to load a second filter on top of the first: the syscall libseccomp
  # needs to install it is not on the allow-list, so this is killed as well
  let second = seccomp_ctx()
  second.add_rule(Allow, "write")
  second.add_rule(Allow, "exit_group")
  second.load()
of "socket":
  setup
  discard newSocket()
of "sendto":
  setup
  # NOTE(review): socket() happens after setup here, so the kill most likely
  # comes from socket rather than from sendto
  var sock = newSocket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)
  sock.sendTo("127.0.0.1", Port(12345), "hi")
of "bind":
  # The socket is created *before* the filter is loaded so that the kill is
  # attributable to bind rather than to socket()
  var sock = newSocket()
  setup
  sock.bindAddr(Port(12345))
of "listen":
  var sock = newSocket()
  sock.bindAddr(Port(12345))
  setup
  sock.listen()
of "connect":
  var sock = newSocket()
  setup
  sock.connect("localhost", Port(80))
of "execShellCmd":
  # Allow-list needed to fork+exec `true` through the shell on the system
  # this was written on. It is a plumbing demonstration, not a hardened
  # profile: with execve and clone allowed the sandbox confines very little,
  # and another libc, Nim version or architecture may need further syscalls.
  setSeccomp("read write execve shmctl rt_sigaction rt_sigprocmask clone brk access openat fstat close mmap mprotect arch_prctl munmap getuid getgid getpid geteuid getppid stat getegid set_tid_address set_robust_list prlimit64 lseek alarm fcntl wait4 rt_sigreturn exit_group prctl statfs")
  doAssert execShellCmd("true") == 0
else:
  echo "Unknown test name"
--------------------------------------------------------------------------------
/tests/syscall_num.nim:
--------------------------------------------------------------------------------
import unittest, strutils

import seccomp/seccomp_lowlevel

# Expected syscall numbers of the x86_64 ABI (0 read, 1 write, 2 open, ...).
# libseccomp resolves names for the native architecture, so this test only
# holds on x86_64.
const syscall_list = splitLines """0 read
1 write
2 open
3 close
4 stat
5 fstat
6 lstat
7 poll
8 lseek
9 mmap
10 mprotect
11 munmap
12 brk
13 rt_sigaction
14 rt_sigprocmask
15 rt_sigreturn
16 ioctl
17 pread64
18 pwrite64
19 readv
20 writev
21 access
22 pipe
23 select
24 sched_yield
25 mremap
26 msync
27 mincore
28 madvise
29 
shmget 35 | 30 shmat 36 | 31 shmctl 37 | 32 dup 38 | 33 dup2 39 | 34 pause 40 | 35 nanosleep 41 | 36 getitimer 42 | 37 alarm 43 | 38 setitimer 44 | 39 getpid 45 | 40 sendfile 46 | 41 socket 47 | 42 connect 48 | 43 accept 49 | 44 sendto 50 | 45 recvfrom 51 | 46 sendmsg 52 | 47 recvmsg 53 | 48 shutdown 54 | 49 bind 55 | 50 listen 56 | 51 getsockname 57 | 52 getpeername 58 | 53 socketpair 59 | 54 setsockopt 60 | 55 getsockopt 61 | 56 clone 62 | 57 fork 63 | 58 vfork 64 | 59 execve 65 | 60 exit 66 | 61 wait4 67 | 62 kill 68 | 63 uname 69 | 64 semget 70 | 65 semop 71 | 66 semctl 72 | 67 shmdt 73 | 68 msgget 74 | 69 msgsnd 75 | 70 msgrcv 76 | 71 msgctl 77 | 72 fcntl 78 | 73 flock 79 | 74 fsync 80 | 75 fdatasync 81 | 76 truncate 82 | 77 ftruncate 83 | 78 getdents 84 | 79 getcwd 85 | 80 chdir 86 | 81 fchdir 87 | 82 rename 88 | 83 mkdir 89 | 84 rmdir 90 | 85 creat 91 | 86 link 92 | 87 unlink 93 | 88 symlink 94 | 89 readlink 95 | 90 chmod 96 | 91 fchmod 97 | 92 chown 98 | 93 fchown 99 | 94 lchown 100 | 95 umask 101 | 96 gettimeofday 102 | 97 getrlimit 103 | 98 getrusage 104 | 99 sysinfo 105 | 100 times 106 | 101 ptrace 107 | 102 getuid 108 | 103 syslog 109 | 104 getgid 110 | 105 setuid 111 | 106 setgid 112 | 107 geteuid 113 | 108 getegid 114 | 109 setpgid 115 | 110 getppid 116 | 111 getpgrp 117 | 112 setsid 118 | 113 setreuid 119 | 114 setregid 120 | 115 getgroups 121 | 116 setgroups 122 | 117 setresuid 123 | 118 getresuid 124 | 119 setresgid 125 | 120 getresgid 126 | 121 getpgid 127 | 122 setfsuid 128 | 123 setfsgid 129 | 124 getsid 130 | 125 capget 131 | 126 capset 132 | 127 rt_sigpending 133 | 128 rt_sigtimedwait 134 | 129 rt_sigqueueinfo 135 | 130 rt_sigsuspend 136 | 131 sigaltstack 137 | 132 utime 138 | 133 mknod 139 | 134 uselib 140 | 135 personality 141 | 136 ustat 142 | 137 statfs 143 | 138 fstatfs 144 | 139 sysfs 145 | 140 getpriority 146 | 141 setpriority 147 | 142 sched_setparam 148 | 143 sched_getparam 149 | 144 sched_setscheduler 150 | 145 sched_getscheduler 151 
| 146 sched_get_priority_max 152 | 147 sched_get_priority_min 153 | 148 sched_rr_get_interval 154 | 149 mlock 155 | 150 munlock 156 | 151 mlockall 157 | 152 munlockall 158 | 153 vhangup 159 | 154 modify_ldt 160 | 155 pivot_root 161 | 156 _sysctl 162 | 157 prctl 163 | 158 arch_prctl 164 | 159 adjtimex 165 | 160 setrlimit 166 | 161 chroot 167 | 162 sync 168 | 163 acct 169 | 164 settimeofday 170 | 165 mount 171 | 166 umount2 172 | 167 swapon 173 | 168 swapoff 174 | 169 reboot 175 | 170 sethostname 176 | 171 setdomainname 177 | 172 iopl 178 | 173 ioperm 179 | 174 create_module 180 | 175 init_module 181 | 176 delete_module 182 | 177 get_kernel_syms 183 | 178 query_module 184 | 179 quotactl 185 | 180 nfsservctl 186 | 181 getpmsg 187 | 182 putpmsg 188 | 183 afs_syscall 189 | 184 tuxcall 190 | 185 security 191 | 186 gettid 192 | 187 readahead 193 | 188 setxattr 194 | 189 lsetxattr 195 | 190 fsetxattr 196 | 191 getxattr 197 | 192 lgetxattr 198 | 193 fgetxattr 199 | 194 listxattr 200 | 195 llistxattr 201 | 196 flistxattr 202 | 197 removexattr 203 | 198 lremovexattr 204 | 199 fremovexattr 205 | 200 tkill 206 | 201 time 207 | 202 futex 208 | 203 sched_setaffinity 209 | 204 sched_getaffinity 210 | 205 set_thread_area 211 | 206 io_setup 212 | 207 io_destroy 213 | 208 io_getevents 214 | 209 io_submit 215 | 210 io_cancel 216 | 211 get_thread_area 217 | 212 lookup_dcookie 218 | 213 epoll_create 219 | 214 epoll_ctl_old 220 | 215 epoll_wait_old 221 | 216 remap_file_pages 222 | 217 getdents64 223 | 218 set_tid_address 224 | 219 restart_syscall 225 | 220 semtimedop 226 | 221 fadvise64 227 | 222 timer_create 228 | 223 timer_settime 229 | 224 timer_gettime 230 | 225 timer_getoverrun 231 | 226 timer_delete 232 | 227 clock_settime 233 | 228 clock_gettime 234 | 229 clock_getres 235 | 230 clock_nanosleep 236 | 231 exit_group 237 | 232 epoll_wait 238 | 233 epoll_ctl 239 | 234 tgkill 240 | 235 utimes 241 | 236 vserver 242 | 237 mbind 243 | 238 set_mempolicy 244 | 239 get_mempolicy 245 | 240 
mq_open 246 | 241 mq_unlink 247 | 242 mq_timedsend 248 | 243 mq_timedreceive 249 | 244 mq_notify 250 | 245 mq_getsetattr 251 | 246 kexec_load 252 | 247 waitid 253 | 248 add_key 254 | 249 request_key 255 | 250 keyctl 256 | 251 ioprio_set 257 | 252 ioprio_get 258 | 253 inotify_init 259 | 254 inotify_add_watch 260 | 255 inotify_rm_watch 261 | 256 migrate_pages 262 | 257 openat 263 | 258 mkdirat 264 | 259 mknodat 265 | 260 fchownat 266 | 261 futimesat 267 | 262 newfstatat 268 | 263 unlinkat 269 | 264 renameat 270 | 265 linkat 271 | 266 symlinkat 272 | 267 readlinkat 273 | 268 fchmodat 274 | 269 faccessat 275 | 270 pselect6 276 | 271 ppoll 277 | 272 unshare 278 | 273 set_robust_list 279 | 274 get_robust_list 280 | 275 splice 281 | 276 tee 282 | 277 sync_file_range 283 | 278 vmsplice 284 | 279 move_pages 285 | 280 utimensat 286 | 281 epoll_pwait 287 | 282 signalfd 288 | 283 timerfd_create 289 | 284 eventfd 290 | 285 fallocate 291 | 286 timerfd_settime 292 | 287 timerfd_gettime 293 | 288 accept4 294 | 289 signalfd4 295 | 290 eventfd2 296 | 291 epoll_create1 297 | 292 dup3 298 | 293 pipe2 299 | 294 inotify_init1 300 | 295 preadv 301 | 296 pwritev 302 | 297 rt_tgsigqueueinfo 303 | 298 perf_event_open 304 | 299 recvmmsg 305 | 300 fanotify_init 306 | 301 fanotify_mark 307 | 302 prlimit64 308 | 303 name_to_handle_at 309 | 304 open_by_handle_at 310 | 305 clock_adjtime 311 | 306 syncfs 312 | 307 sendmmsg 313 | 308 setns 314 | 309 getcpu 315 | 310 process_vm_readv 316 | 311 process_vm_writev 317 | 312 kcmp 318 | 313 finit_module""" 319 | 320 | suite "syscalls": 321 | test "resolve syscall by name": 322 | for line in syscall_list: 323 | let 324 | li = line.split(" ") 325 | num = li[0].parseInt 326 | name = li[1] 327 | 328 | doAssert seccompSyscallResolveName(name) == num 329 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU LESSER GENERAL PUBLIC 
LICENSE 2 | Version 2.1, February 1999 3 | 4 | Copyright (C) 1991, 1999 Free Software Foundation, Inc. 5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 8 | 9 | [This is the first released version of the Lesser GPL. It also counts 10 | as the successor of the GNU Library Public License, version 2, hence 11 | the version number 2.1.] 12 | 13 | Preamble 14 | 15 | The licenses for most software are designed to take away your 16 | freedom to share and change it. By contrast, the GNU General Public 17 | Licenses are intended to guarantee your freedom to share and change 18 | free software--to make sure the software is free for all its users. 19 | 20 | This license, the Lesser General Public License, applies to some 21 | specially designated software packages--typically libraries--of the 22 | Free Software Foundation and other authors who decide to use it. You 23 | can use it too, but we suggest you first think carefully about whether 24 | this license or the ordinary General Public License is the better 25 | strategy to use in any particular case, based on the explanations below. 26 | 27 | When we speak of free software, we are referring to freedom of use, 28 | not price. Our General Public Licenses are designed to make sure that 29 | you have the freedom to distribute copies of free software (and charge 30 | for this service if you wish); that you receive source code or can get 31 | it if you want it; that you can change the software and use pieces of 32 | it in new free programs; and that you are informed that you can do 33 | these things. 34 | 35 | To protect your rights, we need to make restrictions that forbid 36 | distributors to deny you these rights or to ask you to surrender these 37 | rights. These restrictions translate to certain responsibilities for 38 | you if you distribute copies of the library or if you modify it. 
39 | 40 | For example, if you distribute copies of the library, whether gratis 41 | or for a fee, you must give the recipients all the rights that we gave 42 | you. You must make sure that they, too, receive or can get the source 43 | code. If you link other code with the library, you must provide 44 | complete object files to the recipients, so that they can relink them 45 | with the library after making changes to the library and recompiling 46 | it. And you must show them these terms so they know their rights. 47 | 48 | We protect your rights with a two-step method: (1) we copyright the 49 | library, and (2) we offer you this license, which gives you legal 50 | permission to copy, distribute and/or modify the library. 51 | 52 | To protect each distributor, we want to make it very clear that 53 | there is no warranty for the free library. Also, if the library is 54 | modified by someone else and passed on, the recipients should know 55 | that what they have is not the original version, so that the original 56 | author's reputation will not be affected by problems that might be 57 | introduced by others. 58 | 59 | Finally, software patents pose a constant threat to the existence of 60 | any free program. We wish to make sure that a company cannot 61 | effectively restrict the users of a free program by obtaining a 62 | restrictive license from a patent holder. Therefore, we insist that 63 | any patent license obtained for a version of the library must be 64 | consistent with the full freedom of use specified in this license. 65 | 66 | Most GNU software, including some libraries, is covered by the 67 | ordinary GNU General Public License. This license, the GNU Lesser 68 | General Public License, applies to certain designated libraries, and 69 | is quite different from the ordinary General Public License. We use 70 | this license for certain libraries in order to permit linking those 71 | libraries into non-free programs. 
72 | 73 | When a program is linked with a library, whether statically or using 74 | a shared library, the combination of the two is legally speaking a 75 | combined work, a derivative of the original library. The ordinary 76 | General Public License therefore permits such linking only if the 77 | entire combination fits its criteria of freedom. The Lesser General 78 | Public License permits more lax criteria for linking other code with 79 | the library. 80 | 81 | We call this license the "Lesser" General Public License because it 82 | does Less to protect the user's freedom than the ordinary General 83 | Public License. It also provides other free software developers Less 84 | of an advantage over competing non-free programs. These disadvantages 85 | are the reason we use the ordinary General Public License for many 86 | libraries. However, the Lesser license provides advantages in certain 87 | special circumstances. 88 | 89 | For example, on rare occasions, there may be a special need to 90 | encourage the widest possible use of a certain library, so that it becomes 91 | a de-facto standard. To achieve this, non-free programs must be 92 | allowed to use the library. A more frequent case is that a free 93 | library does the same job as widely used non-free libraries. In this 94 | case, there is little to gain by limiting the free library to free 95 | software only, so we use the Lesser General Public License. 96 | 97 | In other cases, permission to use a particular library in non-free 98 | programs enables a greater number of people to use a large body of 99 | free software. For example, permission to use the GNU C Library in 100 | non-free programs enables many more people to use the whole GNU 101 | operating system, as well as its variant, the GNU/Linux operating 102 | system. 
103 | 104 | Although the Lesser General Public License is Less protective of the 105 | users' freedom, it does ensure that the user of a program that is 106 | linked with the Library has the freedom and the wherewithal to run 107 | that program using a modified version of the Library. 108 | 109 | The precise terms and conditions for copying, distribution and 110 | modification follow. Pay close attention to the difference between a 111 | "work based on the library" and a "work that uses the library". The 112 | former contains code derived from the library, whereas the latter must 113 | be combined with the library in order to run. 114 | 115 | GNU LESSER GENERAL PUBLIC LICENSE 116 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 117 | 118 | 0. This License Agreement applies to any software library or other 119 | program which contains a notice placed by the copyright holder or 120 | other authorized party saying it may be distributed under the terms of 121 | this Lesser General Public License (also called "this License"). 122 | Each licensee is addressed as "you". 123 | 124 | A "library" means a collection of software functions and/or data 125 | prepared so as to be conveniently linked with application programs 126 | (which use some of those functions and data) to form executables. 127 | 128 | The "Library", below, refers to any such software library or work 129 | which has been distributed under these terms. A "work based on the 130 | Library" means either the Library or any derivative work under 131 | copyright law: that is to say, a work containing the Library or a 132 | portion of it, either verbatim or with modifications and/or translated 133 | straightforwardly into another language. (Hereinafter, translation is 134 | included without limitation in the term "modification".) 135 | 136 | "Source code" for a work means the preferred form of the work for 137 | making modifications to it. 
For a library, complete source code means 138 | all the source code for all modules it contains, plus any associated 139 | interface definition files, plus the scripts used to control compilation 140 | and installation of the library. 141 | 142 | Activities other than copying, distribution and modification are not 143 | covered by this License; they are outside its scope. The act of 144 | running a program using the Library is not restricted, and output from 145 | such a program is covered only if its contents constitute a work based 146 | on the Library (independent of the use of the Library in a tool for 147 | writing it). Whether that is true depends on what the Library does 148 | and what the program that uses the Library does. 149 | 150 | 1. You may copy and distribute verbatim copies of the Library's 151 | complete source code as you receive it, in any medium, provided that 152 | you conspicuously and appropriately publish on each copy an 153 | appropriate copyright notice and disclaimer of warranty; keep intact 154 | all the notices that refer to this License and to the absence of any 155 | warranty; and distribute a copy of this License along with the 156 | Library. 157 | 158 | You may charge a fee for the physical act of transferring a copy, 159 | and you may at your option offer warranty protection in exchange for a 160 | fee. 161 | 162 | 2. You may modify your copy or copies of the Library or any portion 163 | of it, thus forming a work based on the Library, and copy and 164 | distribute such modifications or work under the terms of Section 1 165 | above, provided that you also meet all of these conditions: 166 | 167 | a) The modified work must itself be a software library. 168 | 169 | b) You must cause the files modified to carry prominent notices 170 | stating that you changed the files and the date of any change. 171 | 172 | c) You must cause the whole of the work to be licensed at no 173 | charge to all third parties under the terms of this License. 
174 | 175 | d) If a facility in the modified Library refers to a function or a 176 | table of data to be supplied by an application program that uses 177 | the facility, other than as an argument passed when the facility 178 | is invoked, then you must make a good faith effort to ensure that, 179 | in the event an application does not supply such function or 180 | table, the facility still operates, and performs whatever part of 181 | its purpose remains meaningful. 182 | 183 | (For example, a function in a library to compute square roots has 184 | a purpose that is entirely well-defined independent of the 185 | application. Therefore, Subsection 2d requires that any 186 | application-supplied function or table used by this function must 187 | be optional: if the application does not supply it, the square 188 | root function must still compute square roots.) 189 | 190 | These requirements apply to the modified work as a whole. If 191 | identifiable sections of that work are not derived from the Library, 192 | and can be reasonably considered independent and separate works in 193 | themselves, then this License, and its terms, do not apply to those 194 | sections when you distribute them as separate works. But when you 195 | distribute the same sections as part of a whole which is a work based 196 | on the Library, the distribution of the whole must be on the terms of 197 | this License, whose permissions for other licensees extend to the 198 | entire whole, and thus to each and every part regardless of who wrote 199 | it. 200 | 201 | Thus, it is not the intent of this section to claim rights or contest 202 | your rights to work written entirely by you; rather, the intent is to 203 | exercise the right to control the distribution of derivative or 204 | collective works based on the Library. 
205 | 206 | In addition, mere aggregation of another work not based on the Library 207 | with the Library (or with a work based on the Library) on a volume of 208 | a storage or distribution medium does not bring the other work under 209 | the scope of this License. 210 | 211 | 3. You may opt to apply the terms of the ordinary GNU General Public 212 | License instead of this License to a given copy of the Library. To do 213 | this, you must alter all the notices that refer to this License, so 214 | that they refer to the ordinary GNU General Public License, version 2, 215 | instead of to this License. (If a newer version than version 2 of the 216 | ordinary GNU General Public License has appeared, then you can specify 217 | that version instead if you wish.) Do not make any other change in 218 | these notices. 219 | 220 | Once this change is made in a given copy, it is irreversible for 221 | that copy, so the ordinary GNU General Public License applies to all 222 | subsequent copies and derivative works made from that copy. 223 | 224 | This option is useful when you wish to copy part of the code of 225 | the Library into a program that is not a library. 226 | 227 | 4. You may copy and distribute the Library (or a portion or 228 | derivative of it, under Section 2) in object code or executable form 229 | under the terms of Sections 1 and 2 above provided that you accompany 230 | it with the complete corresponding machine-readable source code, which 231 | must be distributed under the terms of Sections 1 and 2 above on a 232 | medium customarily used for software interchange. 233 | 234 | If distribution of object code is made by offering access to copy 235 | from a designated place, then offering equivalent access to copy the 236 | source code from the same place satisfies the requirement to 237 | distribute the source code, even though third parties are not 238 | compelled to copy the source along with the object code. 239 | 240 | 5. 
A program that contains no derivative of any portion of the 241 | Library, but is designed to work with the Library by being compiled or 242 | linked with it, is called a "work that uses the Library". Such a 243 | work, in isolation, is not a derivative work of the Library, and 244 | therefore falls outside the scope of this License. 245 | 246 | However, linking a "work that uses the Library" with the Library 247 | creates an executable that is a derivative of the Library (because it 248 | contains portions of the Library), rather than a "work that uses the 249 | library". The executable is therefore covered by this License. 250 | Section 6 states terms for distribution of such executables. 251 | 252 | When a "work that uses the Library" uses material from a header file 253 | that is part of the Library, the object code for the work may be a 254 | derivative work of the Library even though the source code is not. 255 | Whether this is true is especially significant if the work can be 256 | linked without the Library, or if the work is itself a library. The 257 | threshold for this to be true is not precisely defined by law. 258 | 259 | If such an object file uses only numerical parameters, data 260 | structure layouts and accessors, and small macros and small inline 261 | functions (ten lines or less in length), then the use of the object 262 | file is unrestricted, regardless of whether it is legally a derivative 263 | work. (Executables containing this object code plus portions of the 264 | Library will still fall under Section 6.) 265 | 266 | Otherwise, if the work is a derivative of the Library, you may 267 | distribute the object code for the work under the terms of Section 6. 268 | Any executables containing that work also fall under Section 6, 269 | whether or not they are linked directly with the Library itself. 270 | 271 | 6. 
As an exception to the Sections above, you may also combine or 272 | link a "work that uses the Library" with the Library to produce a 273 | work containing portions of the Library, and distribute that work 274 | under terms of your choice, provided that the terms permit 275 | modification of the work for the customer's own use and reverse 276 | engineering for debugging such modifications. 277 | 278 | You must give prominent notice with each copy of the work that the 279 | Library is used in it and that the Library and its use are covered by 280 | this License. You must supply a copy of this License. If the work 281 | during execution displays copyright notices, you must include the 282 | copyright notice for the Library among them, as well as a reference 283 | directing the user to the copy of this License. Also, you must do one 284 | of these things: 285 | 286 | a) Accompany the work with the complete corresponding 287 | machine-readable source code for the Library including whatever 288 | changes were used in the work (which must be distributed under 289 | Sections 1 and 2 above); and, if the work is an executable linked 290 | with the Library, with the complete machine-readable "work that 291 | uses the Library", as object code and/or source code, so that the 292 | user can modify the Library and then relink to produce a modified 293 | executable containing the modified Library. (It is understood 294 | that the user who changes the contents of definitions files in the 295 | Library will not necessarily be able to recompile the application 296 | to use the modified definitions.) 297 | 298 | b) Use a suitable shared library mechanism for linking with the 299 | Library. 
A suitable mechanism is one that (1) uses at run time a 300 | copy of the library already present on the user's computer system, 301 | rather than copying library functions into the executable, and (2) 302 | will operate properly with a modified version of the library, if 303 | the user installs one, as long as the modified version is 304 | interface-compatible with the version that the work was made with. 305 | 306 | c) Accompany the work with a written offer, valid for at 307 | least three years, to give the same user the materials 308 | specified in Subsection 6a, above, for a charge no more 309 | than the cost of performing this distribution. 310 | 311 | d) If distribution of the work is made by offering access to copy 312 | from a designated place, offer equivalent access to copy the above 313 | specified materials from the same place. 314 | 315 | e) Verify that the user has already received a copy of these 316 | materials or that you have already sent this user a copy. 317 | 318 | For an executable, the required form of the "work that uses the 319 | Library" must include any data and utility programs needed for 320 | reproducing the executable from it. However, as a special exception, 321 | the materials to be distributed need not include anything that is 322 | normally distributed (in either source or binary form) with the major 323 | components (compiler, kernel, and so on) of the operating system on 324 | which the executable runs, unless that component itself accompanies 325 | the executable. 326 | 327 | It may happen that this requirement contradicts the license 328 | restrictions of other proprietary libraries that do not normally 329 | accompany the operating system. Such a contradiction means you cannot 330 | use both them and the Library together in an executable that you 331 | distribute. 332 | 333 | 7. 
You may place library facilities that are a work based on the 334 | Library side-by-side in a single library together with other library 335 | facilities not covered by this License, and distribute such a combined 336 | library, provided that the separate distribution of the work based on 337 | the Library and of the other library facilities is otherwise 338 | permitted, and provided that you do these two things: 339 | 340 | a) Accompany the combined library with a copy of the same work 341 | based on the Library, uncombined with any other library 342 | facilities. This must be distributed under the terms of the 343 | Sections above. 344 | 345 | b) Give prominent notice with the combined library of the fact 346 | that part of it is a work based on the Library, and explaining 347 | where to find the accompanying uncombined form of the same work. 348 | 349 | 8. You may not copy, modify, sublicense, link with, or distribute 350 | the Library except as expressly provided under this License. Any 351 | attempt otherwise to copy, modify, sublicense, link with, or 352 | distribute the Library is void, and will automatically terminate your 353 | rights under this License. However, parties who have received copies, 354 | or rights, from you under this License will not have their licenses 355 | terminated so long as such parties remain in full compliance. 356 | 357 | 9. You are not required to accept this License, since you have not 358 | signed it. However, nothing else grants you permission to modify or 359 | distribute the Library or its derivative works. These actions are 360 | prohibited by law if you do not accept this License. Therefore, by 361 | modifying or distributing the Library (or any work based on the 362 | Library), you indicate your acceptance of this License to do so, and 363 | all its terms and conditions for copying, distributing or modifying 364 | the Library or works based on it. 365 | 366 | 10. 
Each time you redistribute the Library (or any work based on the 367 | Library), the recipient automatically receives a license from the 368 | original licensor to copy, distribute, link with or modify the Library 369 | subject to these terms and conditions. You may not impose any further 370 | restrictions on the recipients' exercise of the rights granted herein. 371 | You are not responsible for enforcing compliance by third parties with 372 | this License. 373 | 374 | 11. If, as a consequence of a court judgment or allegation of patent 375 | infringement or for any other reason (not limited to patent issues), 376 | conditions are imposed on you (whether by court order, agreement or 377 | otherwise) that contradict the conditions of this License, they do not 378 | excuse you from the conditions of this License. If you cannot 379 | distribute so as to satisfy simultaneously your obligations under this 380 | License and any other pertinent obligations, then as a consequence you 381 | may not distribute the Library at all. For example, if a patent 382 | license would not permit royalty-free redistribution of the Library by 383 | all those who receive copies directly or indirectly through you, then 384 | the only way you could satisfy both it and this License would be to 385 | refrain entirely from distribution of the Library. 386 | 387 | If any portion of this section is held invalid or unenforceable under any 388 | particular circumstance, the balance of the section is intended to apply, 389 | and the section as a whole is intended to apply in other circumstances. 390 | 391 | It is not the purpose of this section to induce you to infringe any 392 | patents or other property right claims or to contest validity of any 393 | such claims; this section has the sole purpose of protecting the 394 | integrity of the free software distribution system which is 395 | implemented by public license practices. 
Many people have made 396 | generous contributions to the wide range of software distributed 397 | through that system in reliance on consistent application of that 398 | system; it is up to the author/donor to decide if he or she is willing 399 | to distribute software through any other system and a licensee cannot 400 | impose that choice. 401 | 402 | This section is intended to make thoroughly clear what is believed to 403 | be a consequence of the rest of this License. 404 | 405 | 12. If the distribution and/or use of the Library is restricted in 406 | certain countries either by patents or by copyrighted interfaces, the 407 | original copyright holder who places the Library under this License may add 408 | an explicit geographical distribution limitation excluding those countries, 409 | so that distribution is permitted only in or among countries not thus 410 | excluded. In such case, this License incorporates the limitation as if 411 | written in the body of this License. 412 | 413 | 13. The Free Software Foundation may publish revised and/or new 414 | versions of the Lesser General Public License from time to time. 415 | Such new versions will be similar in spirit to the present version, 416 | but may differ in detail to address new problems or concerns. 417 | 418 | Each version is given a distinguishing version number. If the Library 419 | specifies a version number of this License which applies to it and 420 | "any later version", you have the option of following the terms and 421 | conditions either of that version or of any later version published by 422 | the Free Software Foundation. If the Library does not specify a 423 | license version number, you may choose any version ever published by 424 | the Free Software Foundation. 425 | 426 | 14. If you wish to incorporate parts of the Library into other free 427 | programs whose distribution conditions are incompatible with these, 428 | write to the author to ask for permission. 
For software which is 429 | copyrighted by the Free Software Foundation, write to the Free 430 | Software Foundation; we sometimes make exceptions for this. Our 431 | decision will be guided by the two goals of preserving the free status 432 | of all derivatives of our free software and of promoting the sharing 433 | and reuse of software generally. 434 | 435 | NO WARRANTY 436 | 437 | 15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO 438 | WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. 439 | EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR 440 | OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY 441 | KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE 442 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 443 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE 444 | LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME 445 | THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 446 | 447 | 16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN 448 | WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY 449 | AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU 450 | FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR 451 | CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE 452 | LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING 453 | RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A 454 | FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF 455 | SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH 456 | DAMAGES. 
457 | 458 | END OF TERMS AND CONDITIONS 459 | 460 | How to Apply These Terms to Your New Libraries 461 | 462 | If you develop a new library, and you want it to be of the greatest 463 | possible use to the public, we recommend making it free software that 464 | everyone can redistribute and change. You can do so by permitting 465 | redistribution under these terms (or, alternatively, under the terms of the 466 | ordinary General Public License). 467 | 468 | To apply these terms, attach the following notices to the library. It is 469 | safest to attach them to the start of each source file to most effectively 470 | convey the exclusion of warranty; and each file should have at least the 471 | "copyright" line and a pointer to where the full notice is found. 472 | 473 | 474 | Copyright (C) 475 | 476 | This library is free software; you can redistribute it and/or 477 | modify it under the terms of the GNU Lesser General Public 478 | License as published by the Free Software Foundation; either 479 | version 2.1 of the License, or (at your option) any later version. 480 | 481 | This library is distributed in the hope that it will be useful, 482 | but WITHOUT ANY WARRANTY; without even the implied warranty of 483 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 484 | Lesser General Public License for more details. 485 | 486 | You should have received a copy of the GNU Lesser General Public 487 | License along with this library; if not, write to the Free Software 488 | Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 489 | 490 | Also add information on how to contact you by electronic and paper mail. 491 | 492 | You should also get your employer (if you work as a programmer) or your 493 | school, if any, to sign a "copyright disclaimer" for the library, if 494 | necessary. 
Here is a sample; alter the names: 495 | 496 | Yoyodyne, Inc., hereby disclaims all copyright interest in the 497 | library `Frob' (a library for tweaking knobs) written by James Random Hacker. 498 | 499 | , 1 April 1990 500 | Ty Coon, President of Vice 501 | 502 | That's all there is to it! 503 | -------------------------------------------------------------------------------- /seccomp/seccomp_lowlevel.nim: -------------------------------------------------------------------------------- 1 | # 2 | # Seccomp Library wrapper 3 | # 4 | # Copyright (c) 2012,2013 Red Hat 5 | # Author: Paul Moore 6 | # 7 | # 8 | # This library is free software; you can redistribute it and/or modify it 9 | # under the terms of version 2.1 of the GNU Lesser General Public License as 10 | # published by the Free Software Foundation. 11 | # 12 | # This library is distributed in the hope that it will be useful, but WITHOUT 13 | # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or 14 | # FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License 15 | # for more details. 16 | # 17 | # You should have received a copy of the GNU Lesser General Public License 18 | # along with this library; if not, see . 
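#
# Types, constants and helpers of the libseccomp binding.
#
# The remainder of this module declares the `seccomp_*` entry points
# (procs marked `importc`/`dynlib`) and the pseudo syscall numbers.
#

const libname = "libseccomp.so.2"
  ## Soname the `dynlib` bindings below are resolved from at program start;
  ## if it cannot be loaded the process aborts before user code runs.

type
  ScmpVersion* = object
    ## Mirror of C `struct scmp_version`, filled in by `seccompVersion`.
    major*: cuint
    minor*: cuint
    micro*: cuint

  ScmpFilterCtx* = pointer
    ## Opaque filter handle (C `scmp_filter_ctx`). `nil` means "no context":
    ## `seccompInit` returns `nil` on failure, so callers must check it.

  ScmpFilterAttr* {.size: sizeof(cint).} = enum
    ## Filter attributes (C `enum scmp_filter_attr`), used with
    ## `seccompAttrGet` / `seccompAttrSet`.
    SCMP_FLTATR_MIN = 0,
    SCMP_FLTATR_ACT_DEFAULT = 1,  ## default filter action
    SCMP_FLTATR_ACT_BADARCH = 2,  ## action for an architecture not in the filter
    SCMP_FLTATR_CTL_NNP = 3,      ## set NO_NEW_PRIVS on filter load; the kernel
                                  ## rejects a filter without it unless the
                                  ## caller has CAP_SYS_ADMIN, so keep it enabled
    SCMP_FLTATR_CTL_TSYNC = 4,    ## sync all threads on filter load; without it
                                  ## only the calling thread is filtered
    SCMP_FLTATR_MAX

  ScmpCompare* {.size: sizeof(cint).} = enum
    ## Argument comparison operators (C `enum scmp_compare`).
    SCMP_CMP_MIN = 0,
    SCMP_CMP_NE = 1,         ## not equal
    SCMP_CMP_LT = 2,         ## less than
    SCMP_CMP_LE = 3,         ## less than or equal
    SCMP_CMP_EQ = 4,         ## equal
    SCMP_CMP_GE = 5,         ## greater than or equal
    SCMP_CMP_GT = 6,         ## greater than
    SCMP_CMP_MASKED_EQ = 7,  ## masked equality: (arg and datumA) == datumB
    SCMP_CMP_MAX

  ScmpDatumT* = uint64
    ## Argument datum (C `scmp_datum_t`); syscall arguments are compared as
    ## 64-bit values.

  ScmpArgCmp* = object
    ## Argument / value comparison (C `struct scmp_arg_cmp`). Field order and
    ## sizes match the C layout so arrays of these can be handed to
    ## `seccompRuleAddArray` / `seccompRuleAddExactArray`.
    arg*: cuint          ## argument number, starting at 0
    op*: ScmpCompare     ## the comparison op, e.g. SCMP_CMP_*
    datumA*: ScmpDatumT  ## meaning depends on `op`
    datumB*: ScmpDatumT  ## meaning depends on `op`; only used by some ops

func initScmpArgCmp*(arg: cuint; op: ScmpCompare; datumA: ScmpDatumT;
                     datumB: ScmpDatumT = 0): ScmpArgCmp =
  ## Nim counterpart of the C `SCMP_CMP(arg, op, datum_a, datum_b)` macro
  ## (and of `SCMP_A0()`..`SCMP_A5()` when `arg` is 0..5): build one
  ## argument comparison for use in a rule. `datumB` is optional, as in C.
  runnableExamples:
    let c = initScmpArgCmp(0, SCMP_CMP_EQ, 42)
    doAssert c.arg == 0 and c.datumB == 0
  ScmpArgCmp(arg: arg, op: op, datumA: datumA, datumB: datumB)

#
# Architecture tokens
#

const
  SCMP_ARCH_NATIVE* = 0
    ## "The native architecture" token accepted by the `seccompArch*` procs.

# The remaining C tokens (SCMP_ARCH_X86, SCMP_ARCH_X86_64, SCMP_ARCH_X32,
# SCMP_ARCH_ARM, SCMP_ARCH_AARCH64, SCMP_ARCH_MIPS*, SCMP_ARCH_PPC*,
# SCMP_ARCH_S390*, SCMP_ARCH_PARISC*) are built from AUDIT_ARCH_* values that
# this module does not define, so they are not wrapped. Resolve a name at
# runtime with `seccompArchResolveName` (declared further down) instead.

# The C helper macros have no direct equivalent here:
#   SCMP_SYS(x)      -> use `seccompSyscallResolveName("x")`
#   SCMP_CMP(...)    -> use `initScmpArgCmp`
#   SCMP_A0..A5(...) -> use `initScmpArgCmp(0..5, ...)`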
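#
# seccomp actions
#
# The action is the value returned by the BPF program to the kernel; the
# constants below are the libseccomp/kernel return codes.
#

const
  SCMP_ACT_KILL* = 0x00000000
    ## Kill with SIGSYS. This is the kernel's KILL_THREAD code: it terminates
    ## the calling thread only, so in a multithreaded process the other
    ## threads keep running. Newer kernels/libseccomp offer a whole-process
    ## kill action (not wrapped here) for sandboxes that need it.
  SCMP_ACT_TRAP* = 0x00030000
    ## Deliver a SIGSYS signal to the calling thread instead of running
    ## the syscall.
  SCMP_ACT_ALLOW* = 0x7FFF0000
    ## Allow the syscall to be executed.

template scmp_Act_Errno*(x: untyped): untyped =
  ## Deny the syscall and make it return `-x` (errno `x`) to the caller.
  ## Only the low 16 bits of `x` are carried, as in the C `SCMP_ACT_ERRNO`.
  (0x00050000 or ((x) and 0x0000FFFF))

template scmp_Act_Trace*(x: untyped): untyped =
  ## Notify a ptrace()-ing process with the low 16 bits of `x` as message
  ## (C `SCMP_ACT_TRACE`). Without a tracer attached the syscall is not
  ## allowed through.
  (0x7FF00000 or ((x) and 0x0000FFFF))

#
# functions
#
# All bindings share the C calling convention and the library loaded from
# `libname`; only the C symbol name differs per proc.
#

{.push cdecl, dynlib: libname.}

proc seccompVersion*(): ptr ScmpVersion {.importc: "seccomp_version".}
  ## Query the library version information.
  ##
  ## Returns a pointer to a populated `ScmpVersion`; the caller must not
  ## free it.

proc seccompInit*(defAction: uint32): ScmpFilterCtx {.importc: "seccomp_init".}
  ## Initialize the filter state with `defAction` as the default action for
  ## every syscall that no rule matches. Must be called before any other
  ## function of this library. Returns a filter context on success, `nil`
  ## on failure -- check before use.

proc seccompReset*(ctx: ScmpFilterCtx; defAction: uint32): cint {.
  importc: "seccomp_reset".}
  ## Reset the filter state of `ctx` and reinitialize it with `defAction`.
  ## Does not touch filters already loaded into the kernel. Returns zero on
  ## success, negative values on failure.

proc seccompRelease*(ctx: ScmpFilterCtx) {.importc: "seccomp_release".}
  ## Destroy the filter state and release every resource (including memory)
  ## tied to it. Does not touch filters already loaded into the kernel;
  ## `ctx` must not be used afterwards.

proc seccompMerge*(ctxDst: ScmpFilterCtx; ctxSrc: ScmpFilterCtx): cint {.
  importc: "seccomp_merge".}
  ## Merge `ctxSrc` into `ctxDst`. Both contexts must have the same attribute
  ## values and no architecture in common, otherwise the merge fails. On
  ## success `ctxSrc` is destroyed and must not be used or released again.
  ## Returns zero on success, negative values on failure.

proc seccompArchResolveName*(archName: cstring): uint32 {.
  importc: "seccomp_arch_resolve_name".}
  ## Resolve an architecture name to a token usable with the `seccompArch*`
  ## procs. Returns zero on failure.

proc seccompArchNative*(): uint32 {.importc: "seccomp_arch_native".}
  ## Return the native architecture token (an SCMP_ARCH_* value).

proc seccompArchExist*(ctx: ScmpFilterCtx; archToken: uint32): cint {.
  importc: "seccomp_arch_exist".}
  ## Test whether `archToken` is part of the filter. `SCMP_ARCH_NATIVE` means
  ## the native architecture. Returns zero if present, -EEXIST if not, and
  ## other negative values on failure.

proc seccompArchAdd*(ctx: ScmpFilterCtx; archToken: uint32): cint {.
  importc: "seccomp_arch_add".}
  ## Add an architecture to the filter. Only rules added *after* this call
  ## cover the new architecture; existing rules are not copied over.
  ## `SCMP_ARCH_NATIVE` means the native architecture. Returns zero on
  ## success, negative values on failure.

proc seccompArchRemove*(ctx: ScmpFilterCtx; archToken: uint32): cint {.
  importc: "seccomp_arch_remove".}
  ## Remove an architecture from the filter. `SCMP_ARCH_NATIVE` means the
  ## native architecture. Returns zero on success, negative values on failure.

proc seccompLoad*(ctx: ScmpFilterCtx): cint {.importc: "seccomp_load".}
  ## Load the filter into the kernel. On success the kernel enforces it from
  ## the moment this returns; a loaded filter cannot be removed and is
  ## inherited across fork()/execve(). Whether other threads are covered
  ## depends on `SCMP_FLTATR_CTL_TSYNC`. Returns zero on success, negative
  ## values on error.

proc seccompAttrGet*(ctx: ScmpFilterCtx; attr: ScmpFilterAttr;
                     value: ptr uint32): cint {.importc: "seccomp_attr_get".}
  ## Fetch the value of attribute `attr` into `value[]`. Returns zero on
  ## success, negative values on failure.

proc seccompAttrSet*(ctx: ScmpFilterCtx; attr: ScmpFilterAttr;
                     value: uint32): cint {.importc: "seccomp_attr_set".}
  ## Set attribute `attr` to `value`. Returns zero on success, negative
  ## values on failure.

proc seccompSyscallResolveNumArch*(archToken: uint32; num: cint): cstring {.
  importc: "seccomp_syscall_resolve_num_arch".}
  ## Resolve syscall number `num` to its name on architecture `archToken`.
  ## Returns the name on success, `nil` on failure. The string is allocated
  ## by libseccomp and must be released with the C `free()` (not wrapped in
  ## this module), otherwise it leaks.

proc seccompSyscallResolveNameArch*(archToken: uint32; name: cstring): cint {.
  importc: "seccomp_syscall_resolve_name_arch".}
  ## Resolve syscall `name` to its number on architecture `archToken`.
  ## Returns the number on success, including negative pseudo syscall
  ## numbers (PNR_*); returns `NR_SCMP_ERROR` on failure.

proc seccompSyscallResolveNameRewrite*(archToken: uint32; name: cstring): cint {.
  importc: "seccomp_syscall_resolve_name_rewrite".}
  ## Like `seccompSyscallResolveNameArch`, additionally applying any syscall
  ## rewriting the architecture requires. Returns the number on success,
  ## including negative pseudo syscall numbers (PNR_*); returns
  ## `NR_SCMP_ERROR` on failure.

proc seccompSyscallResolveName*(name: cstring): cint {.
  importc: "seccomp_syscall_resolve_name".}
  ## Resolve syscall `name` to its number on the native architecture.
  ## Returns the number on success, including negative pseudo syscall
  ## numbers (PNR_*); returns `NR_SCMP_ERROR` on failure.

proc seccompSyscallPriority*(ctx: ScmpFilterCtx; syscall: cint;
                             priority: uint8): cint {.
  importc: "seccomp_syscall_priority".}
  ## Set the priority of `syscall`; higher values place it earlier in the
  ## generated filter so it pays less filter overhead. Returns zero on
  ## success, negative values on failure.

proc seccompRuleAdd*(ctx: ScmpFilterCtx; action: uint32; syscall: cint;
                     argCnt: cuint): cint {.varargs,
                     importc: "seccomp_rule_add".}
  ## Add a rule for `syscall` with `action`, followed by `argCnt`
  ## `ScmpArgCmp` values passed as C varargs; the checks are AND'ed together.
  ## A rule that cannot be represented exactly on an architecture is adjusted
  ## silently. Returns zero on success, negative values on failure.
  ## From Nim, prefer `seccompRuleAddArray`: passing structs through
  ## `varargs` is fragile across compilers.

proc seccompRuleAddArray*(ctx: ScmpFilterCtx; action: uint32; syscall: cint;
                          argCnt: cuint; argArray: ptr ScmpArgCmp): cint {.
  importc: "seccomp_rule_add_array".}
  ## Add a rule for `syscall` with `action` and the `argCnt` checks in
  ## `argArray` (AND'ed together). A rule that cannot be represented exactly
  ## on an architecture is adjusted silently. Returns zero on success,
  ## negative values on failure.

proc seccompRuleAddExact*(ctx: ScmpFilterCtx; action: uint32; syscall: cint;
                          argCnt: cuint): cint {.varargs,
                          importc: "seccomp_rule_add_exact".}
  ## Same as `seccompRuleAdd`, but fails instead of adjusting a rule that
  ## cannot be represented exactly on an architecture. Returns zero on
  ## success, negative values on failure. Prefer `seccompRuleAddExactArray`
  ## from Nim for the same reason as `seccompRuleAdd`.

proc seccompRuleAddExactArray*(ctx: ScmpFilterCtx; action: uint32;
                               syscall: cint; argCnt: cuint;
                               argArray: ptr ScmpArgCmp): cint {.
  importc: "seccomp_rule_add_exact_array".}
  ## Same as `seccompRuleAddArray`, but fails instead of adjusting a rule
  ## that cannot be represented exactly on an architecture. Returns zero on
  ## success, negative values on failure.

proc seccompExportPfc*(ctx: ScmpFilterCtx; fd: cint): cint {.
  importc: "seccomp_export_pfc".}
  ## Write the filter as human-readable Pseudo Filter Code (PFC) to `fd`;
  ## useful for auditing what a sandbox actually allows. Returns zero on
  ## success, negative values on failure.

{.pop.}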
698 | # 699 | # 700 | proc seccompExportBpf*(ctx: ScmpFilterCtx; fd: cint): cint {.cdecl, 701 | importc: "seccomp_export_bpf", dynlib: libname.} 702 | # 703 | # pseudo syscall definitions 704 | # 705 | # NOTE - pseudo syscall values {-1..-99} are reserved 706 | 707 | const 708 | NR_SCMP_ERROR* = - 1 709 | NR_SCMP_UNDEF* = - 2 710 | 711 | # socket syscalls 712 | 713 | const 714 | PNR_socket* = - 101 715 | PNR_bind* = - 102 716 | PNR_connect* = - 103 717 | PNR_listen* = - 104 718 | PNR_accept* = - 105 719 | PNR_getsockname* = - 106 720 | PNR_getpeername* = - 107 721 | PNR_socketpair* = - 108 722 | PNR_send* = - 109 723 | PNR_recv* = - 110 724 | PNR_sendto* = - 111 725 | PNR_recvfrom* = - 112 726 | PNR_shutdown* = - 113 727 | PNR_setsockopt* = - 114 728 | PNR_getsockopt* = - 115 729 | PNR_sendmsg* = - 116 730 | PNR_recvmsg* = - 117 731 | PNR_accept4* = - 118 732 | PNR_recvmmsg* = - 119 733 | PNR_sendmmsg* = - 120 734 | 735 | # ipc syscalls 736 | 737 | const 738 | PNR_semop* = - 201 739 | PNR_semget* = - 202 740 | PNR_semctl* = - 203 741 | PNR_semtimedop* = - 204 742 | PNR_msgsnd* = - 211 743 | PNR_msgrcv* = - 212 744 | PNR_msgget* = - 213 745 | PNR_msgctl* = - 214 746 | PNR_shmat* = - 221 747 | PNR_shmdt* = - 222 748 | PNR_shmget* = - 223 749 | PNR_shmctl* = - 224 750 | 751 | # single syscalls 752 | 753 | const 754 | PNR_archPrctl* = - 10001 755 | 756 | const 757 | PNR_bdflush* = - 10002 758 | PNR_break* = - 10003 759 | PNR_chown32* = - 10004 760 | PNR_epollCtlOld* = - 10005 761 | PNR_epollWaitOld* = - 10006 762 | PNR_fadvise6464* = - 10007 763 | PNR_fchown32* = - 10008 764 | PNR_fcntl64* = - 10009 765 | PNR_fstat64* = - 10010 766 | PNR_fstatat64* = - 10011 767 | PNR_fstatfs64* = - 10012 768 | PNR_ftime* = - 10013 769 | PNR_ftruncate64* = - 10014 770 | PNR_getegid32* = - 10015 771 | PNR_geteuid32* = - 10016 772 | PNR_getgid32* = - 10017 773 | PNR_getgroups32* = - 10018 774 | PNR_getresgid32* = - 10019 775 | PNR_getresuid32* = - 10020 776 | PNR_getuid32* = - 10021 777 
| PNR_gtty* = - 10022 778 | PNR_idle* = - 10023 779 | PNR_ipc* = - 10024 780 | PNR_lchown32* = - 10025 781 | PNR_llseek* = - 10026 782 | PNR_lock* = - 10027 783 | PNR_lstat64* = - 10028 784 | PNR_mmap2* = - 10029 785 | PNR_mpx* = - 10030 786 | PNR_newfstatat* = - 10031 787 | PNR_newselect* = - 10032 788 | PNR_nice* = - 10033 789 | PNR_oldfstat* = - 10034 790 | PNR_oldlstat* = - 10035 791 | PNR_oldolduname* = - 10036 792 | PNR_oldstat* = - 10037 793 | PNR_olduname* = - 10038 794 | PNR_prof* = - 10039 795 | PNR_profil* = - 10040 796 | PNR_readdir* = - 10041 797 | PNR_security* = - 10042 798 | PNR_sendfile64* = - 10043 799 | PNR_setfsgid32* = - 10044 800 | PNR_setfsuid32* = - 10045 801 | PNR_setgid32* = - 10046 802 | PNR_setgroups32* = - 10047 803 | PNR_setregid32* = - 10048 804 | PNR_setresgid32* = - 10049 805 | PNR_setresuid32* = - 10050 806 | PNR_setreuid32* = - 10051 807 | PNR_setuid32* = - 10052 808 | PNR_sgetmask* = - 10053 809 | PNR_sigaction* = - 10054 810 | PNR_signal* = - 10055 811 | PNR_sigpending* = - 10056 812 | PNR_sigprocmask* = - 10057 813 | PNR_sigreturn* = - 10058 814 | PNR_sigsuspend* = - 10059 815 | PNR_socketcall* = - 10060 816 | PNR_ssetmask* = - 10061 817 | PNR_stat64* = - 10062 818 | PNR_statfs64* = - 10063 819 | PNR_stime* = - 10064 820 | PNR_stty* = - 10065 821 | PNR_truncate64* = - 10066 822 | PNR_tuxcall* = - 10067 823 | PNR_ugetrlimit* = - 10068 824 | PNR_ulimit* = - 10069 825 | PNR_umount* = - 10070 826 | PNR_vm86* = - 10071 827 | PNR_vm86old* = - 10072 828 | PNR_waitpid* = - 10073 829 | PNR_createModule* = - 10074 830 | PNR_getKernelSyms* = - 10075 831 | PNR_getThreadArea* = - 10076 832 | PNR_nfsservctl* = - 10077 833 | PNR_queryModule* = - 10078 834 | PNR_setThreadArea* = - 10079 835 | PNR_sysctl* = - 10080 836 | PNR_uselib* = - 10081 837 | PNR_vserver* = - 10082 838 | PNR_armFadvise6464* = - 10083 839 | PNR_armSyncFileRange* = - 10084 840 | PNR_pciconfigIobase* = - 10086 841 | PNR_pciconfigRead* = - 10087 842 | PNR_pciconfigWrite* = - 
10088 843 | PNR_syncFileRange2* = - 10089 844 | PNR_syscall* = - 10090 845 | PNR_afsSyscall* = - 10091 846 | PNR_fadvise64* = - 10092 847 | PNR_getpmsg* = - 10093 848 | PNR_ioperm* = - 10094 849 | PNR_iopl* = - 10095 850 | PNR_migratePages* = - 10097 851 | PNR_modifyLdt* = - 10098 852 | PNR_putpmsg* = - 10099 853 | PNR_syncFileRange* = - 10100 854 | PNR_select* = - 10101 855 | PNR_vfork* = - 10102 856 | PNR_cachectl* = - 10103 857 | PNR_cacheflush* = - 10104 858 | 859 | when not defined(NR_cacheflush): 860 | when defined(ARM_NR_cacheflush): 861 | const 862 | NR_cacheflush* = aRM_NR_cacheflush 863 | else: 864 | const 865 | NR_cacheflush* = PNR_cacheflush 866 | const 867 | PNR_sysmips* = - 10106 868 | PNR_timerfd* = - 10107 869 | PNR_time* = - 10108 870 | PNR_getrandom* = - 10109 871 | PNR_memfdCreate* = - 10110 872 | PNR_kexecFileLoad* = - 10111 873 | PNR_sysfs* = - 10145 874 | PNR_oldwait4* = - 10146 875 | PNR_access* = - 10147 876 | PNR_alarm* = - 10148 877 | PNR_chmod* = - 10149 878 | PNR_chown* = - 10150 879 | PNR_creat* = - 10151 880 | PNR_dup2* = - 10152 881 | PNR_epollCreate* = - 10153 882 | PNR_epollWait* = - 10154 883 | PNR_eventfd* = - 10155 884 | PNR_fork* = - 10156 885 | PNR_futimesat* = - 10157 886 | PNR_getdents* = - 10158 887 | PNR_getpgrp* = - 10159 888 | PNR_inotifyInit* = - 10160 889 | PNR_lchown* = - 10161 890 | PNR_link* = - 10162 891 | PNR_lstat* = - 10163 892 | PNR_mkdir* = - 10164 893 | PNR_mknod* = - 10165 894 | PNR_open* = - 10166 895 | PNR_pause* = - 10167 896 | PNR_pipe* = - 10168 897 | PNR_poll* = - 10169 898 | PNR_readlink* = - 10170 899 | PNR_rename* = - 10171 900 | PNR_rmdir* = - 10172 901 | PNR_signalfd* = - 10173 902 | PNR_stat* = - 10174 903 | PNR_symlink* = - 10175 904 | PNR_unlink* = - 10176 905 | PNR_ustat* = - 10177 906 | PNR_utime* = - 10178 907 | PNR_utimes* = - 10179 908 | PNR_getrlimit* = - 10180 909 | PNR_mmap* = - 10181 910 | PNR_breakpoint* = - 10182 911 | 912 | when not defined(NR_breakpoint): 913 | when 
defined(ARM_NR_breakpoint): 914 | const 915 | NR_breakpoint* = aRM_NR_breakpoint 916 | else: 917 | const 918 | NR_breakpoint* = PNR_breakpoint 919 | const 920 | PNR_setTls* = - 10183 921 | 922 | when not defined(NR_set_tls): 923 | when defined(ARM_NR_set_tls): 924 | const 925 | NR_setTls* = ARM_NR_setTls 926 | else: 927 | const 928 | NR_setTls* = PNR_setTls 929 | const 930 | PNR_usr26* = - 10184 931 | 932 | when not defined(NR_usr26): 933 | when defined(ARM_NR_usr26): 934 | const 935 | NR_usr26* = aRM_NR_usr26 936 | else: 937 | const 938 | NR_usr26* = PNR_usr26 939 | const 940 | PNR_usr32* = - 10185 941 | 942 | when not defined(NR_usr32): 943 | when defined(ARM_NR_usr32): 944 | const 945 | NR_usr32* = aRM_NR_usr32 946 | else: 947 | const 948 | NR_usr32* = PNR_usr32 949 | const 950 | PNR_multiplexer* = - 10186 951 | PNR_rtas* = - 10187 952 | PNR_spuCreate* = - 10188 953 | PNR_spuRun* = - 10189 954 | PNR_subpageProt* = - 10189 955 | PNR_swapcontext* = - 10190 956 | PNR_sysDebugSetcontext* = - 10191 957 | PNR_switchEndian* = - 10191 958 | PNR_getMempolicy* = - 10192 959 | PNR_movePages* = - 10193 960 | PNR_mbind* = - 10194 961 | PNR_setMempolicy* = - 10195 962 | PNR_s390RuntimeInstr* = - 10196 963 | PNR_s390PciMmioRead* = - 10197 964 | PNR_s390PciMmioWrite* = - 10198 965 | PNR_membarrier* = - 10199 966 | PNR_userfaultfd* = - 10200 967 | 968 | 969 | 970 | 971 | 972 | --------------------------------------------------------------------------------