cc73685d | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
9c4693b8 | 2 | |
3 | #ifndef __LXC_ATTACH_OPTIONS_H |
4 | #define __LXC_ATTACH_OPTIONS_H | |
5 | |
#include <errno.h>
#include <sys/types.h>
7 | ||
8 | #ifdef __cplusplus |
9 | extern "C" { | |
10 | #endif | |
11 | ||
12 | /*! |
13 | * LXC environment policy. | |
14 | */ | |
9c4693b8 | 15 | typedef enum lxc_attach_env_policy_t { |
42b245e3 | 16 | LXC_ATTACH_KEEP_ENV = 0, /*!< Retain the environment */ |
6df53e84 CB |
17 | #define LXC_ATTACH_KEEP_ENV LXC_ATTACH_KEEP_ENV |
18 | ||
42b245e3 | 19 | LXC_ATTACH_CLEAR_ENV = 1, /*!< Clear the environment */ |
6df53e84 | 20 | #define LXC_ATTACH_CLEAR_ENV LXC_ATTACH_CLEAR_ENV |
9c4693b8 CS |
21 | } lxc_attach_env_policy_t; |
22 | ||
23 | enum { | |
1a0e70ac CB |
24 | /* The following are on by default: */ |
25 | LXC_ATTACH_MOVE_TO_CGROUP = 0x00000001, /*!< Move to cgroup */ | |
6df53e84 CB |
26 | #define LXC_ATTACH_MOVE_TO_CGROUP LXC_ATTACH_MOVE_TO_CGROUP |
27 | ||
1a0e70ac | 28 | LXC_ATTACH_DROP_CAPABILITIES = 0x00000002, /*!< Drop capabilities */ |
6df53e84 CB |
29 | #define LXC_ATTACH_DROP_CAPABILITIES LXC_ATTACH_DROP_CAPABILITIES |
30 | ||
1a0e70ac | 31 | LXC_ATTACH_SET_PERSONALITY = 0x00000004, /*!< Set personality */ |
6df53e84 CB |
32 | #define LXC_ATTACH_SET_PERSONALITY LXC_ATTACH_SET_PERSONALITY |
33 | ||
1a0e70ac | 34 | LXC_ATTACH_LSM_EXEC = 0x00000008, /*!< Execute under a Linux Security Module */ |
6df53e84 CB |
35 | #define LXC_ATTACH_LSM_EXEC LXC_ATTACH_LSM_EXEC |
36 | ||
1a0e70ac CB |
37 | |
38 | /* The following are off by default: */ | |
39 | LXC_ATTACH_REMOUNT_PROC_SYS = 0x00010000, /*!< Remount /proc filesystem */ | |
6df53e84 CB |
40 | #define LXC_ATTACH_REMOUNT_PROC_SYS LXC_ATTACH_REMOUNT_PROC_SYS |
41 | ||
50e3e83d | 42 | LXC_ATTACH_LSM_NOW = 0x00020000, /*!< TODO: currently unused */ |
6df53e84 CB |
43 | #define LXC_ATTACH_LSM_NOW LXC_ATTACH_LSM_NOW |
44 | ||
1325da7e | 45 | /* Set PR_SET_NO_NEW_PRIVS to block execve() gainable privileges. */ |
a84c81bf | 46 | LXC_ATTACH_NO_NEW_PRIVS = 0x00040000, /*!< PR_SET_NO_NEW_PRIVS */ |
6df53e84 CB |
47 | #define LXC_ATTACH_NO_NEW_PRIVS LXC_ATTACH_NO_NEW_PRIVS |
48 | ||
9e84479f | 49 | LXC_ATTACH_TERMINAL = 0x00080000, /*!< Allocate new terminal for attached process. */ |
6df53e84 CB |
50 | #define LXC_ATTACH_TERMINAL LXC_ATTACH_TERMINAL |
51 | ||
65129087 | 52 | LXC_ATTACH_LSM_LABEL = 0x00100000, /*!< Set custom LSM label specified in @lsm_label. */ |
6df53e84 CB |
53 | #define LXC_ATTACH_LSM_LABEL LXC_ATTACH_LSM_LABEL |
54 | ||
8caac583 | 55 | LXC_ATTACH_SETGROUPS = 0x00200000, /*!< Set additional group ids specified in @groups. */ |
6df53e84 CB |
56 | #define LXC_ATTACH_SETGROUPS LXC_ATTACH_SETGROUPS |
57 | ||
9c4693b8 | 58 | |
1a0e70ac CB |
59 | /* We have 16 bits for things that are on by default and 16 bits that |
60 | * are off by default, that should be sufficient to keep binary | |
61 | * compatibility for a while | |
9c4693b8 | 62 | */ |
1a0e70ac | 63 | LXC_ATTACH_DEFAULT = 0x0000FFFF /*!< Mask of flags to apply by default */ |
6df53e84 | 64 | #define LXC_ATTACH_DEFAULT LXC_ATTACH_DEFAULT |
9c4693b8 CS |
65 | }; |
66 | ||
953e611c | 67 | /*! All Linux Security Module flags */ |
72863294 DE |
68 | #define LXC_ATTACH_LSM (LXC_ATTACH_LSM_EXEC | LXC_ATTACH_LSM_NOW) |
69 | ||
70 | /*! LXC attach function type. |
71 | * | |
72 | * Function to run in container. | |
73 | * | |
74 | * \param payload \ref lxc_attach_command_t to run. | |
75 | * | |
76 | * \return Function should return \c 0 on success, and any other value to denote failure. | |
77 | */ | |
9c4693b8 CS |
78 | typedef int (*lxc_attach_exec_t)(void* payload); |
79 | ||
8caac583 | 80 | typedef struct lxc_groups_t { |
fb4dbb51 | 81 | size_t size; |
8caac583 RJ |
82 | gid_t *list; |
83 | } lxc_groups_t; | |
84 | ||
85 | /*! |
86 | * LXC attach options for \ref lxc_container \c attach(). | |
87 | */ | |
88 | typedef struct lxc_attach_options_t { | |
89 | /*! Any combination of LXC_ATTACH_* flags */ | |
9c4693b8 | 90 | int attach_flags; |
953e611c JH |
91 | |
92 | /*! The namespaces to attach to (CLONE_NEW... flags) */ | |
9c4693b8 | 93 | int namespaces; |
953e611c JH |
94 | |
95 | /*! Initial personality (\c -1 to autodetect). | |
1a0e70ac CB |
96 | * \warning This may be ignored if lxc is compiled without personality |
97 | * support) | |
953e611c | 98 | */ |
9c4693b8 CS |
99 | long personality; |
100 | ||
ec64264d | 101 | /*! Initial current directory, use \c NULL to use cwd. |
1a0e70ac CB |
102 | * If the current directory does not exist in the container, the root |
103 | * directory will be used instead because of kernel defaults. | |
9c4693b8 | 104 | */ |
f5072dcd | 105 | char *initial_cwd; |
9c4693b8 | 106 | |
953e611c JH |
107 | /*! The user-id to run as. |
108 | * | |
109 | * \note Set to \c -1 for default behaviour (init uid for userns | |
110 | * containers or \c 0 (super-user) if detection fails). | |
9c4693b8 CS |
111 | */ |
112 | uid_t uid; | |
953e611c JH |
113 | |
114 | /*! The group-id to run as. | |
115 | * | |
116 | * \note Set to \c -1 for default behaviour (init gid for userns | |
117 | * containers or \c 0 (super-user) if detection fails). | |
118 | */ | |
9c4693b8 CS |
119 | gid_t gid; |
120 | ||
953e611c | 121 | /*! Environment policy */ |
9c4693b8 | 122 | lxc_attach_env_policy_t env_policy; |
953e611c JH |
123 | |
124 | /*! Extra environment variables to set in the container environment */ | |
f5072dcd | 125 | char **extra_env_vars; |
953e611c JH |
126 | |
127 | /*! Names of environment variables in existing environment to retain | |
128 | * in container environment. | |
129 | */ | |
f5072dcd | 130 | char **extra_keep_env; |
9c4693b8 | 131 | |
953e611c JH |
132 | /**@{*/ |
133 | /*! File descriptors for stdin, stdout and stderr, | |
134 | * \c dup2() will be used before calling exec_function, | |
135 | * (assuming not \c 0, \c 1 and \c 2 are specified) and the | |
9c4693b8 | 136 | * original fds are closed before passing control |
953e611c JH |
137 | * over. Any \c O_CLOEXEC flag will be removed after |
138 | * that. | |
9c4693b8 | 139 | */ |
953e611c JH |
140 | int stdin_fd; /*!< stdin file descriptor */ |
141 | int stdout_fd; /*!< stdout file descriptor */ | |
142 | int stderr_fd; /*!< stderr file descriptor */ | |
143 | /**@}*/ | |
79bd7662 CB |
144 | |
145 | /*! File descriptor to log output. */ | |
146 | int log_fd; | |
8455e39e MB |
147 | |
148 | /*! lsm label to set. */ | |
149 | char *lsm_label; | |
8caac583 RJ |
150 | |
151 | /*! The additional group GIDs to run with. | |
152 | * | |
153 | * If unset all additional groups are dropped. | |
154 | */ | |
155 | lxc_groups_t groups; | |
953e611c | 156 | } lxc_attach_options_t; |
9c4693b8 | 157 | |
953e611c | 158 | /*! Default attach options to use */ |
f41aa73b CB |
159 | #define LXC_ATTACH_OPTIONS_DEFAULT \ |
160 | { \ | |
161 | .attach_flags = LXC_ATTACH_DEFAULT, \ | |
162 | .namespaces = -1, \ | |
163 | .personality = 0xffffffff, \ | |
164 | .initial_cwd = NULL, \ | |
165 | .uid = (uid_t)-1, \ | |
166 | .gid = (gid_t)-1, \ | |
167 | .env_policy = LXC_ATTACH_KEEP_ENV, \ | |
168 | .extra_env_vars = NULL, \ | |
169 | .extra_keep_env = NULL, \ | |
170 | .stdin_fd = 0, \ | |
171 | .stdout_fd = 1, \ | |
172 | .stderr_fd = 2, \ | |
173 | .log_fd = -EBADF, \ | |
174 | .lsm_label = NULL, \ | |
175 | .groups = {}, \ | |
9c4693b8 CS |
176 | } |
177 | ||
178 | /*! |
179 | * Representation of a command to run in a container. | |
180 | */ | |
9c4693b8 | 181 | typedef struct lxc_attach_command_t { |
f5072dcd CB |
182 | char *program; /*!< The program to run (passed to execvp) */ |
183 | char **argv; /*!< The argv pointer of that program, including the program itself in argv[0] */ | |
9c4693b8 CS |
184 | } lxc_attach_command_t; |
185 | ||
186 | /*! |
187 | * \brief Run a command in the container. | |
188 | * | |
189 | * \param payload \ref lxc_attach_command_t to run. | |
190 | * | |
191 | * \return \c -1 on error, exit code of lxc_attach_command_t program on success. | |
9c4693b8 CS |
192 | */ |
193 | extern int lxc_attach_run_command(void* payload); | |
194 | |
195 | /*! | |
196 | * \brief Run a shell command in the container. | |
197 | * | |
198 | * \param payload Not used. | |
199 | * | |
200 | * \return Exit code of shell. | |
201 | */ | |
9c4693b8 CS |
202 | extern int lxc_attach_run_shell(void* payload); |
203 | ||
204 | #ifdef __cplusplus |
205 | } | |
206 | #endif | |
207 | ||
9c4693b8 | 208 | #endif |