seccomp: add SECCOMP_RET_ERRNO

	bool

	help

	  This symbol should be selected by an architecure if it provides

	  asm/syscall.h, specifically syscall_get_arguments() and

	  syscall_get_arch().

	  asm/syscall.h, specifically syscall_get_arguments(),

	  syscall_get_arch(), and syscall_set_return_value().  Additionally,

	  its system call entry path must respect a return value of -1 from

	  __secure_computing() and/or secure_computing().

config SECCOMP_FILTER

	def_bool y

/*

 * All BPF programs must return a 32-bit value.

 * The bottom 16-bits are reserved for future use.

 * The bottom 16-bits are for optional return data.

 * The upper 16-bits are ordered from least permissive values to most.

 *

 * The ordering ensures that a min_t() over composed return values always

 * selects the least permissive choice.

 */

#define SECCOMP_RET_KILL	0x00000000U /* kill the task immediately */

#define SECCOMP_RET_ERRNO	0x00050000U /* returns an errno */

#define SECCOMP_RET_ALLOW	0x7fff0000U /* allow */

/* Masks for the return value sections. */

	struct seccomp_filter *filter;

};

extern void __secure_computing(int);

static inline void secure_computing(int this_syscall)

extern int __secure_computing(int);

static inline int secure_computing(int this_syscall)

{

	if (unlikely(test_thread_flag(TIF_SECCOMP)))

		__secure_computing(this_syscall);

		return  __secure_computing(this_syscall);

	return 0;

}

extern long prctl_get_seccomp(void);

static u32 seccomp_run_filters(int syscall)

{

	struct seccomp_filter *f;

	u32 ret = SECCOMP_RET_KILL;

	u32 ret = SECCOMP_RET_ALLOW;

	/* Ensure unexpected behavior doesn't result in failing open. */

	if (WARN_ON(current->seccomp.filter == NULL))

		return SECCOMP_RET_KILL;

	/*

	 * All filters in the list are evaluated and the lowest BPF return

	 * value always takes priority.

	 * value always takes priority (ignoring the DATA).

	 */

	for (f = current->seccomp.filter; f; f = f->prev) {

		ret = sk_run_filter(NULL, f->insns);

		if (ret != SECCOMP_RET_ALLOW)

			break;

		u32 cur_ret = sk_run_filter(NULL, f->insns);

		if ((cur_ret & SECCOMP_RET_ACTION) < (ret & SECCOMP_RET_ACTION))

			ret = cur_ret;

	}

	return ret;

}

};

#endif

void __secure_computing(int this_syscall)

int __secure_computing(int this_syscall)

{

	int mode = current->seccomp.mode;

	int exit_sig = 0;

	int *syscall;

	u32 ret = SECCOMP_RET_KILL;

	int data;

	switch (mode) {

	case SECCOMP_MODE_STRICT:

#endif

		do {

			if (*syscall == this_syscall)

				return;

				return 0;

		} while (*++syscall);

		exit_sig = SIGKILL;

		break;

#ifdef CONFIG_SECCOMP_FILTER

	case SECCOMP_MODE_FILTER:

		if (seccomp_run_filters(this_syscall) == SECCOMP_RET_ALLOW)

			return;

		ret = seccomp_run_filters(this_syscall);

		data = ret & SECCOMP_RET_DATA;

		switch (ret & SECCOMP_RET_ACTION) {

		case SECCOMP_RET_ERRNO:

			/* Set the low-order 16-bits as a errno. */

			syscall_set_return_value(current, task_pt_regs(current),

						 -data, 0);

			goto skip;

		case SECCOMP_RET_ALLOW:

			return 0;

		case SECCOMP_RET_KILL:

		default:

			break;

		}

		exit_sig = SIGSYS;

		break;

#endif

#ifdef SECCOMP_DEBUG

	dump_stack();

#endif

	audit_seccomp(this_syscall, exit_code, SECCOMP_RET_KILL);

	audit_seccomp(this_syscall, exit_sig, ret);

	do_exit(exit_sig);

skip:

	audit_seccomp(this_syscall, exit_sig, ret);

	return -1;

}

long prctl_get_seccomp(void)