authorRoy Marples <roy@marples.name>2020-09-19 20:53:23 +0100
committerRoy Marples <roy@marples.name>2020-09-19 20:53:23 +0100
commita926ee6d8f4eb2f04e01d72664893e3cb95fceca (patch)
treef930821685bd5eea66833eb3c9018c89a41a27cf /src/privsep.h
parentcf6e2fdc8e70c0a7cb0641144d55317eba196987 (diff)
privsep: Add the SECCOMP BPF sandbox for Linux
Now that we have the Capsicum, pledge and POSIX resource-limited sandboxes, this was quite easy really.
Diffstat (limited to 'src/privsep.h')
-rw-r--r--src/privsep.h11
1 files changed, 11 insertions, 0 deletions
diff --git a/src/privsep.h b/src/privsep.h
index 8d73af0e..d8c3dc8a 100644
--- a/src/privsep.h
+++ b/src/privsep.h
@@ -96,6 +96,13 @@
#define PRIVSEP_RIGHTS
#endif
+#ifdef __linux__
+# include <linux/version.h>
+# if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0)
+# define HAVE_SECCOMP
+# endif
+#endif
+
#include "config.h"
#include "arp.h"
#include "dhcp.h"
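Review bot: `HAVE_SECCOMP` is derived from `LINUX_VERSION_CODE`, which describes the kernel headers present at build time rather than the kernel the daemon later runs on, so a binary built with the sandbox can end up on a system where seccomp filtering is unavailable (an older kernel, or one built without filter support). The code behind this macro therefore has to treat a failed filter install as a runtime condition and decide explicitly whether to abort or continue unsandboxed; that code is not visible in this file's hunks. The block also sits above `#include "config.h"`, so a definition coming from configure would collide with it; placing it after the include and wrapping it in `#ifndef HAVE_SECCOMP` would let config.h take precedence. A short comment such as `/* seccomp filter mode (SECCOMP_MODE_FILTER) needs Linux 3.5 or later */` would explain the version constant.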
@@ -194,6 +201,10 @@ int ps_rights_limit_fd(int);
int ps_rights_limit_fdpair(int []);
#endif
+#ifdef HAVE_SECCOMP
+int ps_seccomp_enter(void);
+#endif
+
pid_t ps_dostart(struct dhcpcd_ctx * ctx,
pid_t *priv_pid, int *priv_fd,
void (*recv_msg)(void *), void (*recv_unpriv_msg),
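Review bot: The new prototype `int ps_seccomp_enter(void);` inside the `#ifdef HAVE_SECCOMP` block has no comment stating its return convention or what a caller must do when it fails, and for a sandbox entry point an ignored error leaves the process running without the filter. I would add above it something like `/* Install the seccomp BPF filter on the calling process. Check the result: on failure the process is NOT sandboxed. */`, with the actual return values filled in once confirmed against the definition, which is not in this hunk. If the project already has a warn-unused-result macro, applying it to this declaration would make the compiler enforce that check. The `ps_dostart` prototype that follows continues past the end of the hunk.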