[mirror_lxc.git] / src / lxc / attach_options.h

/*! \file
 *
 * lxc: linux Container library
 *
 * (C) Copyright IBM Corp. 2007, 2008
 *
 * Authors:
 * Daniel Lezcano <daniel.lezcano at free.fr>
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 */

#ifndef __LXC_ATTACH_OPTIONS_H
#define __LXC_ATTACH_OPTIONS_H

#include <sys/types.h>

#ifdef  __cplusplus
extern "C" {
#endif

/*!
 * LXC environment policy.
 */
typedef enum lxc_attach_env_policy_t {
	LXC_ATTACH_KEEP_ENV,   /*!< Retain the environment */
	LXC_ATTACH_CLEAR_ENV   /*!< Clear the environment */
} lxc_attach_env_policy_t;

enum {
	/* The following are on by default: */
	LXC_ATTACH_MOVE_TO_CGROUP        = 0x00000001, /*!< Move to cgroup */
	LXC_ATTACH_DROP_CAPABILITIES     = 0x00000002, /*!< Drop capabilities */
	LXC_ATTACH_SET_PERSONALITY       = 0x00000004, /*!< Set personality */
	LXC_ATTACH_LSM_EXEC              = 0x00000008, /*!< Execute under a Linux Security Module */

	/* The following are off by default: */
	LXC_ATTACH_REMOUNT_PROC_SYS      = 0x00010000, /*!< Remount /proc filesystem */
	LXC_ATTACH_LSM_NOW               = 0x00020000, /*!< FIXME: unknown */
	/* Set PR_SET_NO_NEW_PRIVS to block execve() gainable privileges. */
	LXC_ATTACH_NO_NEW_PRIVS		 = 0x00040000, /*!< PR_SET_NO_NEW_PRIVS */
	LXC_ATTACH_TERMINAL              = 0x00080000, /*!< Allocate new terminal for attached process. */

	/* We have 16 bits for things that are on by default and 16 bits that
	 * are off by default, that should be sufficient to keep binary
	 * compatibility for a while
	 */
	LXC_ATTACH_DEFAULT               = 0x0000FFFF  /*!< Mask of flags to apply by default */
};

/*! All Linux Security Module flags */
#define LXC_ATTACH_LSM (LXC_ATTACH_LSM_EXEC | LXC_ATTACH_LSM_NOW)

/*! LXC attach function type.
 *
 * Function to run in container.
 *
 * \param payload \ref lxc_attach_command_t to run.
 *
 * \return Function should return \c 0 on success, and any other value to denote failure.
 */
typedef int (*lxc_attach_exec_t)(void* payload);

/*!
 * LXC attach options for \ref lxc_container \c attach().
 */
typedef struct lxc_attach_options_t {
	/*! Any combination of LXC_ATTACH_* flags */
	int attach_flags;

	/*! The namespaces to attach to (CLONE_NEW... flags) */
	int namespaces;

	/*! Initial personality (\c -1 to autodetect).
	 * \warning This may be ignored if lxc is compiled without personality
	 * support)
	 */
	long personality;

	/*! Initial current directory, use \c NULL to use cwd.
	 * If the current directory does not exist in the container, the root
	 * directory will be used instead because of kernel defaults.
	 */
	char* initial_cwd;

	/*! The user-id to run as.
	 *
	 * \note Set to \c -1 for default behaviour (init uid for userns
	 * containers or \c 0 (super-user) if detection fails).
	 */
	uid_t uid;

	/*! The group-id to run as.
	 *
	 * \note Set to \c -1 for default behaviour (init gid for userns
	 * containers or \c 0 (super-user) if detection fails).
	 */
	gid_t gid;

	/*! Environment policy */
	lxc_attach_env_policy_t env_policy;

	/*! Extra environment variables to set in the container environment */
	char** extra_env_vars;

	/*! Names of environment variables in existing environment to retain
	 * in container environment.
	 */
	char** extra_keep_env;

	/**@{*/
	/*! File descriptors for stdin, stdout and stderr,
	 * \c dup2() will be used before calling exec_function,
	 * (assuming not \c 0, \c 1 and \c 2 are specified) and the
	 * original fds are closed before passing control
	 * over. Any \c O_CLOEXEC flag will be removed after
	 * that.
	 */
	int stdin_fd; /*!< stdin file descriptor */
	int stdout_fd; /*!< stdout file descriptor */
	int stderr_fd; /*!< stderr file descriptor */
	/**@}*/

	/*! File descriptor to log output. */
	int log_fd;
} lxc_attach_options_t;

/*! Default attach options to use */
#define LXC_ATTACH_OPTIONS_DEFAULT                                             \
	{                                                                      \
		/* .attach_flags = */   LXC_ATTACH_DEFAULT,                    \
		/* .namespaces = */     -1,                                    \
		/* .personality = */    -1,                                    \
		/* .initial_cwd = */    NULL,                                  \
		/* .uid = */            (uid_t)-1,                             \
		/* .gid = */            (gid_t)-1,                             \
		/* .env_policy = */     LXC_ATTACH_KEEP_ENV,                   \
		/* .extra_env_vars = */ NULL,                                  \
		/* .extra_keep_env = */ NULL,                                  \
		/* .stdin_fd = */       0,                                     \
		/* .stdout_fd = */      1,                                     \
		/* .stderr_fd = */      2,                                     \
		/* .log_fd    = */      -EBADF,                                \
	}

/*!
 * Representation of a command to run in a container.
 */
typedef struct lxc_attach_command_t {
	char* program; /*!< The program to run (passed to execvp) */
	char** argv;   /*!< The argv pointer of that program, including the program itself in argv[0] */
} lxc_attach_command_t;

/*!
 * \brief Run a command in the container.
 *
 * \param payload \ref lxc_attach_command_t to run.
 *
 * \return \c -1 on error, exit code of lxc_attach_command_t program on success.
 */
extern int lxc_attach_run_command(void* payload);

/*!
 * \brief Run a shell command in the container.
 *
 * \param payload Not used.
 *
 * \return Exit code of shell.
 */
extern int lxc_attach_run_shell(void* payload);

#ifdef  __cplusplus
}
#endif

#endif
Commit	Line	Data
953e611c JH	1	/*! \file
953e611c JH	2	*
9c4693b8 CS	3	* lxc: linux Container library
	4	*
	5	* (C) Copyright IBM Corp. 2007, 2008
	6	*
	7	* Authors:
	8	* Daniel Lezcano <daniel.lezcano at free.fr>
	9	*
	10	* This library is free software; you can redistribute it and/or
	11	* modify it under the terms of the GNU Lesser General Public
	12	* License as published by the Free Software Foundation; either
	13	* version 2.1 of the License, or (at your option) any later version.
	14	*
	15	* This library is distributed in the hope that it will be useful,
	16	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	17	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	18	* Lesser General Public License for more details.
	19	*
	20	* You should have received a copy of the GNU Lesser General Public
	21	* License along with this library; if not, write to the Free Software
250b1eec	22	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
9c4693b8 CS	23	*/
9c4693b8 CS	24
f1a4a029 ÇO	25	#ifndef __LXC_ATTACH_OPTIONS_H
f1a4a029 ÇO	26	#define __LXC_ATTACH_OPTIONS_H
9c4693b8 CS	27
	28	#include <sys/types.h>
	29
579e783e AM	30	#ifdef __cplusplus
	31	extern "C" {
	32	#endif
	33
953e611c JH	34	/*!
	35	* LXC environment policy.
	36	*/
9c4693b8	37	typedef enum lxc_attach_env_policy_t {
1a0e70ac CB	38	LXC_ATTACH_KEEP_ENV, /!< Retain the environment /
1a0e70ac CB	39	LXC_ATTACH_CLEAR_ENV /!< Clear the environment /
9c4693b8 CS	40	} lxc_attach_env_policy_t;
	41
	42	enum {
1a0e70ac CB	43	/* The following are on by default: */
	44	LXC_ATTACH_MOVE_TO_CGROUP = 0x00000001, /!< Move to cgroup /
	45	LXC_ATTACH_DROP_CAPABILITIES = 0x00000002, /!< Drop capabilities /
	46	LXC_ATTACH_SET_PERSONALITY = 0x00000004, /!< Set personality /
	47	LXC_ATTACH_LSM_EXEC = 0x00000008, /!< Execute under a Linux Security Module /
	48
	49	/* The following are off by default: */
	50	LXC_ATTACH_REMOUNT_PROC_SYS = 0x00010000, /!< Remount /proc filesystem /
	51	LXC_ATTACH_LSM_NOW = 0x00020000, /!< FIXME: unknown /
1325da7e	52	/* Set PR_SET_NO_NEW_PRIVS to block execve() gainable privileges. */
1a0e70ac	53	LXC_ATTACH_NO_NEW_PRIVS = 0x00040000, /!< PR_SET_NO_NEW_PRIVS /
9e84479f	54	LXC_ATTACH_TERMINAL = 0x00080000, /!< Allocate new terminal for attached process. /
9c4693b8	55
1a0e70ac CB	56	/* We have 16 bits for things that are on by default and 16 bits that
	57	* are off by default, that should be sufficient to keep binary
	58	* compatibility for a while
9c4693b8	59	*/
1a0e70ac	60	LXC_ATTACH_DEFAULT = 0x0000FFFF /!< Mask of flags to apply by default /
9c4693b8 CS	61	};
9c4693b8 CS	62
953e611c	63	/! All Linux Security Module flags /
72863294 DE	64	#define LXC_ATTACH_LSM (LXC_ATTACH_LSM_EXEC \| LXC_ATTACH_LSM_NOW)
72863294 DE	65
953e611c JH	66	/*! LXC attach function type.
	67	*
	68	* Function to run in container.
	69	*
	70	* \param payload \ref lxc_attach_command_t to run.
	71	*
	72	* \return Function should return \c 0 on success, and any other value to denote failure.
	73	*/
9c4693b8 CS	74	typedef int (lxc_attach_exec_t)(void payload);
9c4693b8 CS	75
953e611c JH	76	/*!
	77	* LXC attach options for \ref lxc_container \c attach().
	78	*/
	79	typedef struct lxc_attach_options_t {
	80	/! Any combination of LXC_ATTACH_ flags */
9c4693b8	81	int attach_flags;
953e611c JH	82
953e611c JH	83	/! The namespaces to attach to (CLONE_NEW... flags) /
9c4693b8	84	int namespaces;
953e611c JH	85
953e611c JH	86	/*! Initial personality (\c -1 to autodetect).
1a0e70ac CB	87	* \warning This may be ignored if lxc is compiled without personality
1a0e70ac CB	88	* support)
953e611c	89	*/
9c4693b8 CS	90	long personality;
9c4693b8 CS	91
ec64264d	92	/*! Initial current directory, use \c NULL to use cwd.
1a0e70ac CB	93	* If the current directory does not exist in the container, the root
1a0e70ac CB	94	* directory will be used instead because of kernel defaults.
9c4693b8 CS	95	*/
	96	char* initial_cwd;
	97
953e611c JH	98	/*! The user-id to run as.
	99	*
	100	* \note Set to \c -1 for default behaviour (init uid for userns
	101	* containers or \c 0 (super-user) if detection fails).
9c4693b8 CS	102	*/
9c4693b8 CS	103	uid_t uid;
953e611c JH	104
	105	/*! The group-id to run as.
	106	*
	107	* \note Set to \c -1 for default behaviour (init gid for userns
	108	* containers or \c 0 (super-user) if detection fails).
	109	*/
9c4693b8 CS	110	gid_t gid;
9c4693b8 CS	111
953e611c	112	/! Environment policy /
9c4693b8	113	lxc_attach_env_policy_t env_policy;
953e611c JH	114
953e611c JH	115	/! Extra environment variables to set in the container environment /
9c4693b8	116	char** extra_env_vars;
953e611c JH	117
	118	/*! Names of environment variables in existing environment to retain
	119	* in container environment.
	120	*/
9c4693b8 CS	121	char** extra_keep_env;
9c4693b8 CS	122
953e611c JH	123	/*@{/
	124	/*! File descriptors for stdin, stdout and stderr,
	125	* \c dup2() will be used before calling exec_function,
	126	* (assuming not \c 0, \c 1 and \c 2 are specified) and the
9c4693b8	127	* original fds are closed before passing control
953e611c JH	128	* over. Any \c O_CLOEXEC flag will be removed after
953e611c JH	129	* that.
9c4693b8	130	*/
953e611c JH	131	int stdin_fd; /!< stdin file descriptor /
	132	int stdout_fd; /!< stdout file descriptor /
	133	int stderr_fd; /!< stderr file descriptor /
	134	/*@}/
79bd7662 CB	135
	136	/! File descriptor to log output. /
	137	int log_fd;
953e611c	138	} lxc_attach_options_t;
9c4693b8	139
953e611c	140	/! Default attach options to use /
1a0e70ac CB	141	#define LXC_ATTACH_OPTIONS_DEFAULT \
	142	{ \
	143	/* .attach_flags = */ LXC_ATTACH_DEFAULT, \
	144	/* .namespaces = */ -1, \
	145	/* .personality = */ -1, \
	146	/* .initial_cwd = */ NULL, \
	147	/* .uid = */ (uid_t)-1, \
	148	/* .gid = */ (gid_t)-1, \
	149	/* .env_policy = */ LXC_ATTACH_KEEP_ENV, \
	150	/* .extra_env_vars = */ NULL, \
	151	/* .extra_keep_env = */ NULL, \
79bd7662 CB	152	/* .stdin_fd = */ 0, \
	153	/* .stdout_fd = */ 1, \
	154	/* .stderr_fd = */ 2, \
	155	/* .log_fd = */ -EBADF, \
9c4693b8 CS	156	}
9c4693b8 CS	157
953e611c JH	158	/*!
	159	* Representation of a command to run in a container.
	160	*/
9c4693b8	161	typedef struct lxc_attach_command_t {
953e611c JH	162	char* program; /!< The program to run (passed to execvp) /
953e611c JH	163	char** argv; /!< The argv pointer of that program, including the program itself in argv[0] /
9c4693b8 CS	164	} lxc_attach_command_t;
9c4693b8 CS	165
953e611c JH	166	/*!
	167	* \brief Run a command in the container.
	168	*
	169	* \param payload \ref lxc_attach_command_t to run.
	170	*
	171	* \return \c -1 on error, exit code of lxc_attach_command_t program on success.
9c4693b8 CS	172	*/
9c4693b8 CS	173	extern int lxc_attach_run_command(void* payload);
953e611c JH	174
	175	/*!
	176	* \brief Run a shell command in the container.
	177	*
	178	* \param payload Not used.
	179	*
	180	* \return Exit code of shell.
	181	*/
9c4693b8 CS	182	extern int lxc_attach_run_shell(void* payload);
9c4693b8 CS	183
579e783e AM	184	#ifdef __cplusplus
	185	}
	186	#endif
	187
9c4693b8	188	#endif