Skip to content

Commit 04afcef

Browse files
tgross35tgross35
authored
Merge pull request #4480 from chriswailes/securebits
Add SECBIT_ constants from securebits.h
2 parents 8e6f36c + f811577 commit 04afcef

File tree

3 files changed

+47
-0
lines changed

3 files changed

+47
-0
lines changed

libc-test/build.rs

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3879,6 +3879,7 @@ fn test_linux(target: &str) {
38793879
"linux/sched.h",
38803880
"linux/sctp.h",
38813881
"linux/seccomp.h",
3882+
"linux/securebits.h",
38823883
"linux/sock_diag.h",
38833884
"linux/sockios.h",
38843885
"linux/tls.h",

libc-test/semver/linux.txt

Lines changed: 11 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2776,6 +2776,14 @@ SCTP_STATUS
27762776
SCTP_STREAM_RESET_INCOMING
27772777
SCTP_STREAM_RESET_OUTGOING
27782778
SCTP_UNORDERED
2779+
SECBIT_KEEP_CAPS
2780+
SECBIT_KEEP_CAPS_LOCKED
2781+
SECBIT_NOROOT
2782+
SECBIT_NOROOT_LOCKED
2783+
SECBIT_NO_CAP_AMBIENT_RAISE
2784+
SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED
2785+
SECBIT_NO_SETUID_FIXUP
2786+
SECBIT_NO_SETUID_FIXUP_LOCKED
27792787
SECCOMP_ADDFD_FLAG_SEND
27802788
SECCOMP_ADDFD_FLAG_SETFD
27812789
SECCOMP_FILTER_FLAG_LOG
@@ -2804,6 +2812,9 @@ SECCOMP_RET_USER_NOTIF
28042812
SECCOMP_SET_MODE_FILTER
28052813
SECCOMP_SET_MODE_STRICT
28062814
SECCOMP_USER_NOTIF_FLAG_CONTINUE
2815+
SECUREBITS_DEFAULT
2816+
SECURE_ALL_BITS
2817+
SECURE_ALL_LOCKS
28072818
SEEK_DATA
28082819
SEEK_HOLE
28092820
SELFMAG

src/unix/linux_like/linux/mod.rs

Lines changed: 35 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4817,6 +4817,41 @@ pub const IN_ONLYDIR: u32 = 0x0100_0000;
48174817
pub const IN_DONT_FOLLOW: u32 = 0x0200_0000;
48184818
pub const IN_EXCL_UNLINK: u32 = 0x0400_0000;
48194819

4820+
// uapi/linux/securebits.h
4821+
const SECURE_NOROOT: c_int = 0;
4822+
const SECURE_NOROOT_LOCKED: c_int = 1;
4823+
4824+
pub const SECBIT_NOROOT: c_int = issecure_mask(SECURE_NOROOT);
4825+
pub const SECBIT_NOROOT_LOCKED: c_int = issecure_mask(SECURE_NOROOT_LOCKED);
4826+
4827+
const SECURE_NO_SETUID_FIXUP: c_int = 2;
4828+
const SECURE_NO_SETUID_FIXUP_LOCKED: c_int = 3;
4829+
4830+
pub const SECBIT_NO_SETUID_FIXUP: c_int = issecure_mask(SECURE_NO_SETUID_FIXUP);
4831+
pub const SECBIT_NO_SETUID_FIXUP_LOCKED: c_int = issecure_mask(SECURE_NO_SETUID_FIXUP_LOCKED);
4832+
4833+
const SECURE_KEEP_CAPS: c_int = 4;
4834+
const SECURE_KEEP_CAPS_LOCKED: c_int = 5;
4835+
4836+
pub const SECBIT_KEEP_CAPS: c_int = issecure_mask(SECURE_KEEP_CAPS);
4837+
pub const SECBIT_KEEP_CAPS_LOCKED: c_int = issecure_mask(SECURE_KEEP_CAPS_LOCKED);
4838+
4839+
const SECURE_NO_CAP_AMBIENT_RAISE: c_int = 6;
4840+
const SECURE_NO_CAP_AMBIENT_RAISE_LOCKED: c_int = 7;
4841+
4842+
pub const SECBIT_NO_CAP_AMBIENT_RAISE: c_int = issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE);
4843+
pub const SECBIT_NO_CAP_AMBIENT_RAISE_LOCKED: c_int =
4844+
issecure_mask(SECURE_NO_CAP_AMBIENT_RAISE_LOCKED);
4845+
4846+
pub const SECUREBITS_DEFAULT: c_int = 0x00000000;
4847+
pub const SECURE_ALL_BITS: c_int =
4848+
SECBIT_NOROOT | SECBIT_NO_SETUID_FIXUP | SECBIT_KEEP_CAPS | SECBIT_NO_CAP_AMBIENT_RAISE;
4849+
pub const SECURE_ALL_LOCKS: c_int = SECURE_ALL_BITS << 1;
4850+
4851+
const fn issecure_mask(x: c_int) -> c_int {
4852+
1 << x
4853+
}
4854+
48204855
// linux/keyctl.h
48214856
pub const KEY_SPEC_THREAD_KEYRING: i32 = -1;
48224857
pub const KEY_SPEC_PROCESS_KEYRING: i32 = -2;

0 commit comments

Comments
 (0)