Use libc seccomp constants

Use libc constants now that rust-lang/libc/pull/3343 is merged and
released.

SECCOMP_RET_MASK does not exist anymore and appears to have not existed
for a while. SECCOMP_RET_DATA is exactly the same mask value, and the
usage here is in line with the man page.

Completes #60

Signed-off-by: Harry Stern <[email protected]>

Author: boustrophedon

src/backend/bpf.rs

@@ -75,7 +75,7 @@ pub(crate) fn build_arch_validation_sequence(target_arch: TargetArch) -> Vec<soc
     vec![
         bpf_stmt(BPF_LD | BPF_W | BPF_ABS, SECCOMP_DATA_ARCH_OFFSET as u32),
         bpf_jump(BPF_JMP | BPF_JEQ | BPF_K, audit_arch_value, 1, 0),
-        bpf_stmt(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
+        bpf_stmt(BPF_RET | BPF_K, libc::SECCOMP_RET_KILL_PROCESS),
     ]
 }
 
@@ -112,17 +112,6 @@ pub const BPF_JGE: u16 = 0x30;
 // Test against the value in the K register.
 pub const BPF_K: u16 = 0x00;
 
-// Return codes for BPF programs.
-// See /usr/include/linux/seccomp.h .
-pub const SECCOMP_RET_ALLOW: u32 = 0x7fff_0000;
-pub const SECCOMP_RET_ERRNO: u32 = 0x0005_0000;
-pub const SECCOMP_RET_KILL_THREAD: u32 = 0x0000_0000;
-pub const SECCOMP_RET_KILL_PROCESS: u32 = 0x8000_0000;
-pub const SECCOMP_RET_LOG: u32 = 0x7ffc_0000;
-pub const SECCOMP_RET_TRACE: u32 = 0x7ff0_0000;
-pub const SECCOMP_RET_TRAP: u32 = 0x0003_0000;
-pub const SECCOMP_RET_MASK: u32 = 0x0000_ffff;
-
 // Architecture identifier for x86_64 LE.
 // See /usr/include/linux/audit.h .
 // Defined as:

src/backend/mod.rs

@@ -19,12 +19,14 @@ use serde::Deserialize;
 use core::fmt::Formatter;
 use std::fmt::Display;
 
-use bpf::{
-    ARG_NUMBER_MAX, AUDIT_ARCH_AARCH64, AUDIT_ARCH_X86_64, BPF_MAX_LEN, SECCOMP_RET_ALLOW,
-    SECCOMP_RET_ERRNO, SECCOMP_RET_KILL_PROCESS, SECCOMP_RET_KILL_THREAD, SECCOMP_RET_LOG,
-    SECCOMP_RET_MASK, SECCOMP_RET_TRACE, SECCOMP_RET_TRAP,
+// See /usr/include/linux/seccomp.h
+use libc::{
+    SECCOMP_RET_ALLOW, SECCOMP_RET_DATA, SECCOMP_RET_ERRNO, SECCOMP_RET_KILL_PROCESS,
+    SECCOMP_RET_KILL_THREAD, SECCOMP_RET_LOG, SECCOMP_RET_TRACE, SECCOMP_RET_TRAP,
 };
 
+use bpf::{ARG_NUMBER_MAX, AUDIT_ARCH_AARCH64, AUDIT_ARCH_X86_64, BPF_MAX_LEN};
+
 pub use bpf::{sock_filter, BpfProgram, BpfProgramRef};
 
 /// Backend Result type.
@@ -173,11 +175,11 @@ impl From<SeccompAction> for u32 {
     fn from(action: SeccompAction) -> Self {
         match action {
             SeccompAction::Allow => SECCOMP_RET_ALLOW,
-            SeccompAction::Errno(x) => SECCOMP_RET_ERRNO | (x & SECCOMP_RET_MASK),
+            SeccompAction::Errno(x) => SECCOMP_RET_ERRNO | (x & SECCOMP_RET_DATA),
             SeccompAction::KillThread => SECCOMP_RET_KILL_THREAD,
             SeccompAction::KillProcess => SECCOMP_RET_KILL_PROCESS,
             SeccompAction::Log => SECCOMP_RET_LOG,
-            SeccompAction::Trace(x) => SECCOMP_RET_TRACE | (x & SECCOMP_RET_MASK),
+            SeccompAction::Trace(x) => SECCOMP_RET_TRACE | (x & SECCOMP_RET_DATA),
             SeccompAction::Trap => SECCOMP_RET_TRAP,
         }
     }

src/lib.rs

@@ -208,10 +208,6 @@ pub use backend::{
     SeccompCmpOp, SeccompCondition, SeccompFilter, SeccompRule, TargetArch,
 };
 
-// Until https://github.com/rust-lang/libc/issues/3342 is fixed, define locally
-// From <linux/seccomp.h>
-const SECCOMP_SET_MODE_FILTER: libc::c_int = 1;
-
 // BPF structure definition for filter array.
 // See /usr/include/linux/filter.h .
 #[repr(C)]
@@ -361,7 +357,7 @@ fn apply_filter_with_flags(bpf_filter: BpfProgramRef, flags: libc::c_ulong) -> R
     let rc = unsafe {
         libc::syscall(
             libc::SYS_seccomp,
-            SECCOMP_SET_MODE_FILTER,
+            libc::SECCOMP_SET_MODE_FILTER,
             flags,
             bpf_prog_ptr,
         )