Add //pkg/sentry/seccheck.

This defines common infrastructure for dynamically-configured security checks,
including an example usage in the clone(2) path.

PiperOrigin-RevId: 394797270

1 files changed, 21 insertions, 0 deletions

diff --git a/pkg/sentry/kernel/task.go b/pkg/sentry/kernel/task.go
index 59eeb253d..9a95bf44c 100644
--- a/pkg/sentry/kernel/task.go
+++ b/pkg/sentry/kernel/task.go
@@ -30,6 +30,7 @@ import (
 	"gvisor.dev/gvisor/pkg/sentry/kernel/sched"
 	ktime "gvisor.dev/gvisor/pkg/sentry/kernel/time"
 	"gvisor.dev/gvisor/pkg/sentry/platform"
+	"gvisor.dev/gvisor/pkg/sentry/seccheck"
 	"gvisor.dev/gvisor/pkg/sentry/usage"
 	"gvisor.dev/gvisor/pkg/sentry/vfs"
 	"gvisor.dev/gvisor/pkg/sync"
@@ -874,3 +875,23 @@ func (t *Task) ResetKcov() {
 		t.kcov = nil
 	}
 }
+
+// Preconditions: The TaskSet mutex must be locked.
+func (t *Task) loadSeccheckInfoLocked(req seccheck.TaskFieldSet, mask *seccheck.TaskFieldSet, info *seccheck.TaskInfo) {
+	if req.Contains(seccheck.TaskFieldThreadID) {
+		info.ThreadID = int32(t.k.tasks.Root.tids[t])
+		mask.Add(seccheck.TaskFieldThreadID)
+	}
+	if req.Contains(seccheck.TaskFieldThreadStartTime) {
+		info.ThreadStartTime = t.startTime
+		mask.Add(seccheck.TaskFieldThreadStartTime)
+	}
+	if req.Contains(seccheck.TaskFieldThreadGroupID) {
+		info.ThreadGroupID = int32(t.k.tasks.Root.tgids[t.tg])
+		mask.Add(seccheck.TaskFieldThreadGroupID)
+	}
+	if req.Contains(seccheck.TaskFieldThreadGroupStartTime) {
+		info.ThreadGroupStartTime = t.tg.leader.startTime
+		mask.Add(seccheck.TaskFieldThreadGroupStartTime)
+	}
+}