system: add LOG action to seccomp.h

This return code was added in 4.14, so let's reflect that here.

Signed-off-by: Tycho Andersen <tycho@tycho.ws>
[PM: cleanup up some duplication with the existing SECCOMP_RET_LOG code]
Signed-off-by: Paul Moore <paul@paul-moore.com>

1 files changed, 8 insertions, 4 deletions

diff --git a/src/system.h b/src/system.h
index 7e75ac8..99fd9a3 100644
--- a/src/system.h
+++ b/src/system.h
@@ -61,6 +61,7 @@ struct db_filter_col;
 #define SECCOMP_RET_TRAP	0x00030000U /* disallow and force a SIGSYS */
 #define SECCOMP_RET_ERRNO	0x00050000U /* returns an errno */
 #define SECCOMP_RET_TRACE	0x7ff00000U /* pass to a tracer or disallow */
+#define SECCOMP_RET_LOG		0x7ffc0000U /* allow after logging */
 #define SECCOMP_RET_ALLOW	0x7fff0000U /* allow */
 
 /* Masks for the return value sections. */
@@ -117,10 +118,6 @@ typedef struct sock_filter bpf_instr_raw;
 #define SECCOMP_FILTER_FLAG_LOG			(1UL << 1)
 #endif
 
-#ifndef SECCOMP_RET_LOG
-#define SECCOMP_RET_LOG		0x7ffc0000U /* allow after logging */
-#endif
-
 /* SECCOMP_RET_ACTION_FULL was added in kernel v4.14.  It may not be
  * defined on older kernels
  */
@@ -128,6 +125,13 @@ typedef struct sock_filter bpf_instr_raw;
 #define SECCOMP_RET_ACTION_FULL 0xffff0000U
 #endif
 
+/* SECCOMP_RET_LOG was added in kernel v4.14.  It may not be defined on
+ * older kernels.
+ */
+#ifndef SECCOMP_RET_LOG
+#define SECCOMP_RET_LOG	 0x7fc00000U
+#endif
+
 int sys_chk_seccomp_syscall(void);
 void sys_set_seccomp_syscall(bool enable);