Auto merge of #3343 - boustrophedon:seccomp_uniform, r=JohnTitor

Move all seccomp consts and structs into top-level mod

Move all seccomp consts and structs into top-level mod

Seccomp constants and structs were partially defined in the top-level mod.rs for linux and partially outside. This commit moves everything into the top-level mod and adds missing entries as of linux 6.4.12.

Resolves #3342 and [rust-vmm/seccompiler#57](rust-vmm/seccompiler#57)

I couldn't get main to run libc-test cargo test (even without my changes) with either gcc 13.2.1 or clang 16.0.6. They failed with different errors/warnings.

libc-test/build.rs

@@ -3574,6 +3574,19 @@ fn test_linux(target: &str) {
         if musl && ty.starts_with("uinput_") {
             return true;
         }
+        if musl && ty == "seccomp_notif" {
+            return true;
+        }
+        if musl && ty == "seccomp_notif_addfd" {
+            return true;
+        }
+        if musl && ty == "seccomp_notif_resp" {
+            return true;
+        }
+        if musl && ty == "seccomp_notif_sizes" {
+            return true;
+        }
+
         // LFS64 types have been removed in musl 1.2.4+
         if musl && (ty.ends_with("64") || ty.ends_with("64_t")) {
             return true;
@@ -3726,6 +3739,17 @@ fn test_linux(target: &str) {
             }
         }
         if musl {
+            // FIXME: Requires >= 5.0 kernel headers
+            if name == "SECCOMP_GET_NOTIF_SIZES"
+               || name == "SECCOMP_FILTER_FLAG_NEW_LISTENER"
+               || name == "SECCOMP_FILTER_FLAG_TSYNC_ESRCH"
+               || name == "SECCOMP_USER_NOTIF_FLAG_CONTINUE"  // requires >= 5.5
+               || name == "SECCOMP_ADDFD_FLAG_SETFD"  // requires >= 5.9
+               || name == "SECCOMP_ADDFD_FLAG_SEND"   // requires >= 5.9
+               || name == "SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV"  // requires >= 5.19
+            {
+                return true;
+            }
             // FIXME: Requires >= 5.4.1 kernel headers
             if name.starts_with("J1939")
                 || name.starts_with("RTEXT_FILTER_")

libc-test/semver/linux.txt

@@ -2383,23 +2383,33 @@ SCTP_STATUS
 SCTP_STREAM_RESET_INCOMING
 SCTP_STREAM_RESET_OUTGOING
 SCTP_UNORDERED
+SECCOMP_ADDFD_FLAG_SEND
+SECCOMP_ADDFD_FLAG_SETFD
 SECCOMP_FILTER_FLAG_LOG
+SECCOMP_FILTER_FLAG_NEW_LISTENER
 SECCOMP_FILTER_FLAG_SPEC_ALLOW
 SECCOMP_FILTER_FLAG_TSYNC
+SECCOMP_FILTER_FLAG_TSYNC_ESRCH
+SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV
+SECCOMP_GET_ACTION_AVAIL
+SECCOMP_GET_NOTIF_SIZES
 SECCOMP_MODE_DISABLED
-SECCOMP_MODE_FILTER
 SECCOMP_MODE_STRICT
+SECCOMP_MODE_FILTER
 SECCOMP_RET_ACTION
 SECCOMP_RET_ACTION_FULL
 SECCOMP_RET_ALLOW
 SECCOMP_RET_DATA
 SECCOMP_RET_ERRNO
-SECCOMP_RET_KILL
 SECCOMP_RET_KILL_PROCESS
 SECCOMP_RET_KILL_THREAD
+SECCOMP_RET_KILL
 SECCOMP_RET_LOG
 SECCOMP_RET_TRACE
 SECCOMP_RET_TRAP
+SECCOMP_SET_MODE_FILTER
+SECCOMP_SET_MODE_STRICT
+SECCOMP_USER_NOTIF_FLAG_CONTINUE
 SEEK_DATA
 SEEK_HOLE
 SELFMAG
@@ -3748,6 +3758,10 @@ sched_setparam
 sched_setscheduler
 sctp_assoc_t
 seccomp_data
+seccomp_notif
+seccomp_notif_addfd
+seccomp_notif_resp
+seccomp_notif_sizes
 seed48
 seekdir
 sem_close

src/unix/linux_like/linux/gnu/b32/arm/mod.rs

@@ -162,12 +162,6 @@ s! {
         pub ss_size: ::size_t
     }
 
-    pub struct seccomp_notif_sizes {
-        pub seccomp_notif: ::__u16,
-        pub seccomp_notif_resp: ::__u16,
-        pub seccomp_data: ::__u16,
-    }
-
     pub struct mcontext_t {
         pub trap_no: ::c_ulong,
         pub error_code: ::c_ulong,
@@ -466,11 +460,6 @@ pub const B3000000: ::speed_t = 0o010015;
 pub const B3500000: ::speed_t = 0o010016;
 pub const B4000000: ::speed_t = 0o010017;
 
-pub const SECCOMP_SET_MODE_STRICT: ::c_uint = 0;
-pub const SECCOMP_SET_MODE_FILTER: ::c_uint = 1;
-pub const SECCOMP_GET_ACTION_AVAIL: ::c_uint = 2;
-pub const SECCOMP_GET_NOTIF_SIZES: ::c_uint = 3;
-
 pub const VEOL: usize = 11;
 pub const VEOL2: usize = 16;
 pub const VMIN: usize = 6;

src/unix/linux_like/linux/gnu/b32/csky/mod.rs

@@ -415,11 +415,6 @@ pub const B3000000: ::speed_t = 0o010015;
 pub const B3500000: ::speed_t = 0o010016;
 pub const B4000000: ::speed_t = 0o010017;
 
-pub const SECCOMP_SET_MODE_STRICT: ::c_uint = 0;
-pub const SECCOMP_SET_MODE_FILTER: ::c_uint = 1;
-pub const SECCOMP_GET_ACTION_AVAIL: ::c_uint = 2;
-pub const SECCOMP_GET_NOTIF_SIZES: ::c_uint = 3;
-
 pub const VEOL: usize = 11;
 pub const VEOL2: usize = 16;
 pub const VMIN: usize = 6;

src/unix/linux_like/linux/gnu/b32/x86/mod.rs

@@ -236,11 +236,6 @@ s! {
         pub ss_size: ::size_t
     }
 
-    pub struct seccomp_notif_sizes {
-        pub seccomp_notif: ::__u16,
-        pub seccomp_notif_resp: ::__u16,
-        pub seccomp_data: ::__u16,
-    }
 }
 
 s_no_extra_traits! {
@@ -1090,11 +1085,6 @@ pub const REG_EFL: ::c_int = 16;
 pub const REG_UESP: ::c_int = 17;
 pub const REG_SS: ::c_int = 18;
 
-pub const SECCOMP_SET_MODE_STRICT: ::c_uint = 0;
-pub const SECCOMP_SET_MODE_FILTER: ::c_uint = 1;
-pub const SECCOMP_GET_ACTION_AVAIL: ::c_uint = 2;
-pub const SECCOMP_GET_NOTIF_SIZES: ::c_uint = 3;
-
 extern "C" {
     pub fn getcontext(ucp: *mut ucontext_t) -> ::c_int;
     pub fn setcontext(ucp: *const ucontext_t) -> ::c_int;

src/unix/linux_like/linux/gnu/b64/aarch64/mod.rs

@@ -197,11 +197,6 @@ s! {
         pub ss_size: ::size_t
     }
 
-    pub struct seccomp_notif_sizes {
-        pub seccomp_notif: ::__u16,
-        pub seccomp_notif_resp: ::__u16,
-        pub seccomp_data: ::__u16,
-    }
 }
 
 pub const VEOF: usize = 4;
@@ -513,11 +508,6 @@ pub const B3000000: ::speed_t = 0o010015;
 pub const B3500000: ::speed_t = 0o010016;
 pub const B4000000: ::speed_t = 0o010017;
 
-pub const SECCOMP_SET_MODE_STRICT: ::c_uint = 0;
-pub const SECCOMP_SET_MODE_FILTER: ::c_uint = 1;
-pub const SECCOMP_GET_ACTION_AVAIL: ::c_uint = 2;
-pub const SECCOMP_GET_NOTIF_SIZES: ::c_uint = 3;
-
 pub const VEOL: usize = 11;
 pub const VEOL2: usize = 16;
 pub const VMIN: usize = 6;

src/unix/linux_like/linux/gnu/b64/x86_64/mod.rs

@@ -260,12 +260,6 @@ s! {
         __unused5: u64
     }
 
-    pub struct seccomp_notif_sizes {
-        pub seccomp_notif: ::__u16,
-        pub seccomp_notif_resp: ::__u16,
-        pub seccomp_data: ::__u16,
-    }
-
     pub struct ptrace_rseq_configuration {
         pub rseq_abi_pointer: ::__u64,
         pub rseq_abi_size: ::__u32,
@@ -803,11 +797,6 @@ pub const REG_TRAPNO: ::c_int = 20;
 pub const REG_OLDMASK: ::c_int = 21;
 pub const REG_CR2: ::c_int = 22;
 
-pub const SECCOMP_SET_MODE_STRICT: ::c_uint = 0;
-pub const SECCOMP_SET_MODE_FILTER: ::c_uint = 1;
-pub const SECCOMP_GET_ACTION_AVAIL: ::c_uint = 2;
-pub const SECCOMP_GET_NOTIF_SIZES: ::c_uint = 3;
-
 extern "C" {
     pub fn getcontext(ucp: *mut ucontext_t) -> ::c_int;
     pub fn setcontext(ucp: *const ucontext_t) -> ::c_int;

src/unix/linux_like/linux/mod.rs

@@ -575,6 +575,34 @@ s! {
         pub args: [::__u64; 6],
     }
 
+    pub struct seccomp_notif_sizes {
+        pub seccomp_notif: ::__u16,
+        pub seccomp_notif_resp: ::__u16,
+        pub seccomp_data: ::__u16,
+    }
+
+    pub struct seccomp_notif {
+        pub id: ::__u64,
+        pub pid: ::__u32,
+        pub flags: ::__u32,
+        pub data: seccomp_data,
+    }
+
+    pub struct seccomp_notif_resp {
+        pub id: ::__u64,
+        pub val: ::__s64,
+        pub error: ::__s32,
+        pub flags: ::__u32,
+    }
+
+    pub struct seccomp_notif_addfd {
+        pub id: ::__u64,
+        pub flags: ::__u32,
+        pub srcfd: ::__u32,
+        pub newfd: ::__u32,
+        pub newfd_flags: ::__u32,
+    }
+
     pub struct nlmsghdr {
         pub nlmsg_len: u32,
         pub nlmsg_type: u16,
@@ -2272,13 +2300,22 @@ pub const GRND_NONBLOCK: ::c_uint = 0x0001;
 pub const GRND_RANDOM: ::c_uint = 0x0002;
 pub const GRND_INSECURE: ::c_uint = 0x0004;
 
+// <linux/seccomp.h>
 pub const SECCOMP_MODE_DISABLED: ::c_uint = 0;
 pub const SECCOMP_MODE_STRICT: ::c_uint = 1;
 pub const SECCOMP_MODE_FILTER: ::c_uint = 2;
 
+pub const SECCOMP_SET_MODE_STRICT: ::c_uint = 0;
+pub const SECCOMP_SET_MODE_FILTER: ::c_uint = 1;
+pub const SECCOMP_GET_ACTION_AVAIL: ::c_uint = 2;
+pub const SECCOMP_GET_NOTIF_SIZES: ::c_uint = 3;
+
 pub const SECCOMP_FILTER_FLAG_TSYNC: ::c_ulong = 1;
 pub const SECCOMP_FILTER_FLAG_LOG: ::c_ulong = 2;
 pub const SECCOMP_FILTER_FLAG_SPEC_ALLOW: ::c_ulong = 4;
+pub const SECCOMP_FILTER_FLAG_NEW_LISTENER: ::c_ulong = 8;
+pub const SECCOMP_FILTER_FLAG_TSYNC_ESRCH: ::c_ulong = 16;
+pub const SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV: ::c_ulong = 32;
 
 pub const SECCOMP_RET_KILL_PROCESS: ::c_uint = 0x80000000;
 pub const SECCOMP_RET_KILL_THREAD: ::c_uint = 0x00000000;
@@ -2293,6 +2330,11 @@ pub const SECCOMP_RET_ACTION_FULL: ::c_uint = 0xffff0000;
 pub const SECCOMP_RET_ACTION: ::c_uint = 0x7fff0000;
 pub const SECCOMP_RET_DATA: ::c_uint = 0x0000ffff;
 
+pub const SECCOMP_USER_NOTIF_FLAG_CONTINUE: ::c_ulong = 1;
+
+pub const SECCOMP_ADDFD_FLAG_SETFD: ::c_ulong = 1;
+pub const SECCOMP_ADDFD_FLAG_SEND: ::c_ulong = 2;
+
 pub const ITIMER_REAL: ::c_int = 0;
 pub const ITIMER_VIRTUAL: ::c_int = 1;
 pub const ITIMER_PROF: ::c_int = 2;