import std/macros

# Linker flags for libseccomp, resolved at compile time through pkg-config.
# The proc literal is called immediately, and because the result feeds a
# `const` the whole lookup runs in the compile-time VM; `error` (from
# std/macros) aborts compilation when pkg-config returns nothing.
# Judging by the message, building without libseccomp is only meant to
# happen when the sandbox is switched off explicitly
# (`make CHA_DANGER_DISABLE_SANDBOX=1`), so a missing library is a hard
# build error rather than a silent fallback to an unsandboxed binary.
const seccomp = (proc(): string =
  let res = staticExec("pkg-config --libs --silence-errors libseccomp")
  # `--silence-errors` keeps pkg-config's diagnostic out of the captured
  # output, so an empty string is the "package not found" signal.
  if res == "":
    error("Couldn't find libseccomp on your computer!  Please install " &
      "libseccomp (e.g. apt install libseccomp-dev), or build with " &
      "`make CHA_DANGER_DISABLE_SANDBOX=1'.")
  return res
)()

type
  scmp_filter_ctx* = distinct pointer
    ## Opaque handle to a libseccomp filter context (C `scmp_filter_ctx`).
    ## `distinct` keeps it from being confused with an arbitrary `pointer`;
    ## obtained from `seccomp_init`, released with `seccomp_release`.

  scmp_datum_t* = uint64
    ## Syscall argument value used in rule comparisons (C `scmp_datum_t`).

  scmp_compare* {.size: sizeof(cint).} = enum
    ## Comparison operators for argument filtering (C `enum scmp_compare`).
    ## The `size` pragma pins the enum to the width of a C `int`, which is
    ## what lets `scmp_arg_cmp` below share the layout of the C struct.
    N_SCMP_CMP_MIN = 0 ## lower-bound sentinel (C `_SCMP_CMP_MIN`, renamed)
    SCMP_CMP_NE = 1 ## not equal
    SCMP_CMP_LT = 2 ## less than
    SCMP_CMP_LE = 3 ## less than or equal
    SCMP_CMP_EQ = 4 ## equal
    SCMP_CMP_GE = 5 ## greater than or equal
    SCMP_CMP_GT = 6 ## greater than
    SCMP_CMP_MASKED_EQ = 7 ## masked equality: (arg and datum_a) == datum_b

  scmp_arg_cmp* = object
    ## One argument comparison for `seccomp_rule_add`; field order and
    ## types mirror C `struct scmp_arg_cmp`, so do not reorder them.
    arg*: cuint ## index of the syscall argument being compared (0-based)
    op*: scmp_compare ## comparison operator
    datum_a*: scmp_datum_t ## comparison value (mask for MASKED_EQ)
    datum_b*: scmp_datum_t ## second value, only used by MASKED_EQ

{.push importc.}
# Everything declared up to the matching `pop` binds to the C symbol of the
# same name; the procs below deliberately have no Nim body.
{.passl: seccomp.}
# Hands the pkg-config linker flags resolved above to the linker.

# Filter actions, used as the default action of a context
# (`seccomp_init` / `seccomp_reset`) and as the per-rule action
# (`seccomp_rule_add`).  Values mirror libseccomp's `SCMP_ACT_*` macros.
const SCMP_ACT_KILL_PROCESS* = 0x80000000u32 ## kill the whole process
const SCMP_ACT_ALLOW* = 0x7FFF0000u32 ## let the syscall proceed
const SCMP_ACT_TRAP* = 0x00030000u32 ## deliver SIGSYS to the calling thread

proc seccomp_init*(def_action: uint32): scmp_filter_ctx
  ## Allocates a filter whose default action (applied to any syscall no rule
  ## matches) is `def_action`, one of the `SCMP_ACT_*` values.  Returns a
  ## null handle on failure; check it before passing it anywhere.
proc seccomp_reset*(ctx: scmp_filter_ctx; def_action: uint32): cint
  ## Drops every rule from `ctx` and installs a new default action.
  ## libseccomp convention: 0 on success, a negative errno value on failure.
proc seccomp_syscall_resolve_name*(name: cstring): cint
  ## Maps a syscall name to its number on the native architecture.  Returns
  ## -1 (libseccomp's `__NR_SCMP_ERROR`) when the name is unknown; a caller
  ## must not feed that result to `seccomp_rule_add` unchecked.
proc seccomp_syscall_resolve_name_rewrite*(name: cstring): cint
  ## Like `seccomp_syscall_resolve_name`, but may rewrite the name to the
  ## multiplexed syscall libseccomp uses on architectures that lack a direct
  ## one; consult the libseccomp man page for the exact rule before relying
  ## on the difference.
proc seccomp_rule_add*(ctx: scmp_filter_ctx; action: uint32; syscall: cint;
  arg_cnt: cuint): cint {.varargs.}
  ## Adds a rule applying `action` to `syscall` when all `arg_cnt` argument
  ## comparisons match.  The variadic tail carries exactly `arg_cnt`
  ## `scmp_arg_cmp` values, passed by value as in the C API; nothing here
  ## checks that the count and the number of trailing arguments agree.
  ## 0 on success, a negative errno value on failure.
proc seccomp_load*(ctx: scmp_filter_ctx): cint
  ## Installs the filter into the kernel for the calling process.  This is
  ## where the sandbox actually takes effect: a non-zero (negative errno)
  ## return means no filter was applied, so callers must treat it as fatal
  ## rather than continue unsandboxed.
proc seccomp_release*(ctx: scmp_filter_ctx)
  ## Frees `ctx`.  A filter already loaded into the kernel stays in place.

{.pop.}