[mirror_lxc.git] / src / lxc / attach_options.h

/* SPDX-License-Identifier: LGPL-2.1+ */

#ifndef __LXC_ATTACH_OPTIONS_H
#define __LXC_ATTACH_OPTIONS_H

#include <sys/types.h>

#ifdef  __cplusplus
extern "C" {
#endif

/*!
 * LXC environment policy.
 */
typedef enum lxc_attach_env_policy_t {
	LXC_ATTACH_KEEP_ENV     = 0, /*!< Retain the environment */
#define LXC_ATTACH_KEEP_ENV     LXC_ATTACH_KEEP_ENV

	LXC_ATTACH_CLEAR_ENV    = 1, /*!< Clear the environment */
#define LXC_ATTACH_CLEAR_ENV    LXC_ATTACH_CLEAR_ENV
} lxc_attach_env_policy_t;

enum {
	/* The following are on by default: */
	LXC_ATTACH_MOVE_TO_CGROUP        = 0x00000001, /*!< Move to cgroup */
#define LXC_ATTACH_MOVE_TO_CGROUP        LXC_ATTACH_MOVE_TO_CGROUP

	LXC_ATTACH_DROP_CAPABILITIES     = 0x00000002, /*!< Drop capabilities */
#define LXC_ATTACH_DROP_CAPABILITIES     LXC_ATTACH_DROP_CAPABILITIES

	LXC_ATTACH_SET_PERSONALITY       = 0x00000004, /*!< Set personality */
#define LXC_ATTACH_SET_PERSONALITY       LXC_ATTACH_SET_PERSONALITY

	LXC_ATTACH_LSM_EXEC              = 0x00000008, /*!< Execute under a Linux Security Module */
#define LXC_ATTACH_LSM_EXEC              LXC_ATTACH_LSM_EXEC


	/* The following are off by default: */
	LXC_ATTACH_REMOUNT_PROC_SYS      = 0x00010000, /*!< Remount /proc filesystem */
#define LXC_ATTACH_REMOUNT_PROC_SYS      LXC_ATTACH_REMOUNT_PROC_SYS

	LXC_ATTACH_LSM_NOW               = 0x00020000, /*!< TODO: currently unused */
#define LXC_ATTACH_LSM_NOW               LXC_ATTACH_LSM_NOW

	/* Set PR_SET_NO_NEW_PRIVS to block execve() gainable privileges. */
	LXC_ATTACH_NO_NEW_PRIVS          = 0x00040000, /*!< PR_SET_NO_NEW_PRIVS */
#define LXC_ATTACH_NO_NEW_PRIVS          LXC_ATTACH_NO_NEW_PRIVS

	LXC_ATTACH_TERMINAL              = 0x00080000, /*!< Allocate new terminal for attached process. */
#define LXC_ATTACH_TERMINAL              LXC_ATTACH_TERMINAL

	LXC_ATTACH_LSM_LABEL             = 0x00100000, /*!< Set custom LSM label specified in @lsm_label. */
#define LXC_ATTACH_LSM_LABEL             LXC_ATTACH_LSM_LABEL

	LXC_ATTACH_SETGROUPS             = 0x00200000, /*!< Set additional group ids specified in @groups. */
#define LXC_ATTACH_SETGROUPS             LXC_ATTACH_SETGROUPS


	/* We have 16 bits for things that are on by default and 16 bits that
	 * are off by default, that should be sufficient to keep binary
	 * compatibility for a while
	 */
	LXC_ATTACH_DEFAULT               = 0x0000FFFF  /*!< Mask of flags to apply by default */
#define LXC_ATTACH_DEFAULT               LXC_ATTACH_DEFAULT
};

/*! All Linux Security Module flags */
#define LXC_ATTACH_LSM (LXC_ATTACH_LSM_EXEC | LXC_ATTACH_LSM_NOW)

/*! LXC attach function type.
 *
 * Function to run in container.
 *
 * \param payload \ref lxc_attach_command_t to run.
 *
 * \return Function should return \c 0 on success, and any other value to denote failure.
 */
typedef int (*lxc_attach_exec_t)(void* payload);

typedef struct lxc_groups_t {
	size_t size;
	gid_t *list;
} lxc_groups_t;

/*!
 * LXC attach options for \ref lxc_container \c attach().
 */
typedef struct lxc_attach_options_t {
	/*! Any combination of LXC_ATTACH_* flags */
	int attach_flags;

	/*! The namespaces to attach to (CLONE_NEW... flags) */
	int namespaces;

	/*! Initial personality (\c -1 to autodetect).
	 * \warning This may be ignored if lxc is compiled without personality
	 * support)
	 */
	long personality;

	/*! Initial current directory, use \c NULL to use cwd.
	 * If the current directory does not exist in the container, the root
	 * directory will be used instead because of kernel defaults.
	 */
	char *initial_cwd;

	/*! The user-id to run as.
	 *
	 * \note Set to \c -1 for default behaviour (init uid for userns
	 * containers or \c 0 (super-user) if detection fails).
	 */
	uid_t uid;

	/*! The group-id to run as.
	 *
	 * \note Set to \c -1 for default behaviour (init gid for userns
	 * containers or \c 0 (super-user) if detection fails).
	 */
	gid_t gid;

	/*! Environment policy */
	lxc_attach_env_policy_t env_policy;

	/*! Extra environment variables to set in the container environment */
	char **extra_env_vars;

	/*! Names of environment variables in existing environment to retain
	 * in container environment.
	 */
	char **extra_keep_env;

	/**@{*/
	/*! File descriptors for stdin, stdout and stderr,
	 * \c dup2() will be used before calling exec_function,
	 * (assuming not \c 0, \c 1 and \c 2 are specified) and the
	 * original fds are closed before passing control
	 * over. Any \c O_CLOEXEC flag will be removed after
	 * that.
	 */
	int stdin_fd; /*!< stdin file descriptor */
	int stdout_fd; /*!< stdout file descriptor */
	int stderr_fd; /*!< stderr file descriptor */
	/**@}*/

	/*! File descriptor to log output. */
	int log_fd;

	/*! lsm label to set. */
	char *lsm_label;

	/*! The additional group GIDs to run with.
	 *
	 * If unset all additional groups are dropped.
	 */
	lxc_groups_t groups;
} lxc_attach_options_t;

/*! Default attach options to use */
#define LXC_ATTACH_OPTIONS_DEFAULT			\
	{                                               \
		.attach_flags	= LXC_ATTACH_DEFAULT,   \
		.namespaces	= -1,                   \
		.personality	= 0xffffffff,           \
		.initial_cwd	= NULL,                 \
		.uid		= (uid_t)-1,            \
		.gid		= (gid_t)-1,            \
		.env_policy	= LXC_ATTACH_KEEP_ENV,  \
		.extra_env_vars = NULL,                 \
		.extra_keep_env = NULL,                 \
		.stdin_fd	= 0,                    \
		.stdout_fd	= 1,                    \
		.stderr_fd	= 2,                    \
		.log_fd		= -EBADF,               \
		.lsm_label	= NULL,			\
		.groups		= {},			\
	}

/*!
 * Representation of a command to run in a container.
 */
typedef struct lxc_attach_command_t {
	char *program;	/*!< The program to run (passed to execvp) */
	char **argv;	/*!< The argv pointer of that program, including the program itself in argv[0] */
} lxc_attach_command_t;

/*!
 * \brief Run a command in the container.
 *
 * \param payload \ref lxc_attach_command_t to run.
 *
 * \return \c -1 on error, exit code of lxc_attach_command_t program on success.
 */
extern int lxc_attach_run_command(void* payload);

/*!
 * \brief Run a shell command in the container.
 *
 * \param payload Not used.
 *
 * \return Exit code of shell.
 */
extern int lxc_attach_run_shell(void* payload);

#ifdef  __cplusplus
}
#endif

#endif
Commit	Line	Data
cc73685d	1	/* SPDX-License-Identifier: LGPL-2.1+ */
9c4693b8	2
f1a4a029 ÇO	3	#ifndef __LXC_ATTACH_OPTIONS_H
f1a4a029 ÇO	4	#define __LXC_ATTACH_OPTIONS_H
9c4693b8 CS	5
	6	#include <sys/types.h>
	7
579e783e AM	8	#ifdef __cplusplus
	9	extern "C" {
	10	#endif
	11
953e611c JH	12	/*!
	13	* LXC environment policy.
	14	*/
9c4693b8	15	typedef enum lxc_attach_env_policy_t {
42b245e3	16	LXC_ATTACH_KEEP_ENV = 0, /!< Retain the environment /
6df53e84 CB	17	#define LXC_ATTACH_KEEP_ENV LXC_ATTACH_KEEP_ENV
6df53e84 CB	18
42b245e3	19	LXC_ATTACH_CLEAR_ENV = 1, /!< Clear the environment /
6df53e84	20	#define LXC_ATTACH_CLEAR_ENV LXC_ATTACH_CLEAR_ENV
9c4693b8 CS	21	} lxc_attach_env_policy_t;
	22
	23	enum {
1a0e70ac CB	24	/* The following are on by default: */
1a0e70ac CB	25	LXC_ATTACH_MOVE_TO_CGROUP = 0x00000001, /!< Move to cgroup /
6df53e84 CB	26	#define LXC_ATTACH_MOVE_TO_CGROUP LXC_ATTACH_MOVE_TO_CGROUP
6df53e84 CB	27
1a0e70ac	28	LXC_ATTACH_DROP_CAPABILITIES = 0x00000002, /!< Drop capabilities /
6df53e84 CB	29	#define LXC_ATTACH_DROP_CAPABILITIES LXC_ATTACH_DROP_CAPABILITIES
6df53e84 CB	30
1a0e70ac	31	LXC_ATTACH_SET_PERSONALITY = 0x00000004, /!< Set personality /
6df53e84 CB	32	#define LXC_ATTACH_SET_PERSONALITY LXC_ATTACH_SET_PERSONALITY
6df53e84 CB	33
1a0e70ac	34	LXC_ATTACH_LSM_EXEC = 0x00000008, /!< Execute under a Linux Security Module /
6df53e84 CB	35	#define LXC_ATTACH_LSM_EXEC LXC_ATTACH_LSM_EXEC
6df53e84 CB	36
1a0e70ac CB	37
	38	/* The following are off by default: */
	39	LXC_ATTACH_REMOUNT_PROC_SYS = 0x00010000, /!< Remount /proc filesystem /
6df53e84 CB	40	#define LXC_ATTACH_REMOUNT_PROC_SYS LXC_ATTACH_REMOUNT_PROC_SYS
6df53e84 CB	41
50e3e83d	42	LXC_ATTACH_LSM_NOW = 0x00020000, /!< TODO: currently unused /
6df53e84 CB	43	#define LXC_ATTACH_LSM_NOW LXC_ATTACH_LSM_NOW
6df53e84 CB	44
1325da7e	45	/* Set PR_SET_NO_NEW_PRIVS to block execve() gainable privileges. */
a84c81bf	46	LXC_ATTACH_NO_NEW_PRIVS = 0x00040000, /!< PR_SET_NO_NEW_PRIVS /
6df53e84 CB	47	#define LXC_ATTACH_NO_NEW_PRIVS LXC_ATTACH_NO_NEW_PRIVS
6df53e84 CB	48
9e84479f	49	LXC_ATTACH_TERMINAL = 0x00080000, /!< Allocate new terminal for attached process. /
6df53e84 CB	50	#define LXC_ATTACH_TERMINAL LXC_ATTACH_TERMINAL
6df53e84 CB	51
65129087	52	LXC_ATTACH_LSM_LABEL = 0x00100000, /!< Set custom LSM label specified in @lsm_label. /
6df53e84 CB	53	#define LXC_ATTACH_LSM_LABEL LXC_ATTACH_LSM_LABEL
6df53e84 CB	54
8caac583	55	LXC_ATTACH_SETGROUPS = 0x00200000, /!< Set additional group ids specified in @groups. /
6df53e84 CB	56	#define LXC_ATTACH_SETGROUPS LXC_ATTACH_SETGROUPS
6df53e84 CB	57
9c4693b8	58
1a0e70ac CB	59	/* We have 16 bits for things that are on by default and 16 bits that
	60	* are off by default, that should be sufficient to keep binary
	61	* compatibility for a while
9c4693b8	62	*/
1a0e70ac	63	LXC_ATTACH_DEFAULT = 0x0000FFFF /!< Mask of flags to apply by default /
6df53e84	64	#define LXC_ATTACH_DEFAULT LXC_ATTACH_DEFAULT
9c4693b8 CS	65	};
9c4693b8 CS	66
953e611c	67	/! All Linux Security Module flags /
72863294 DE	68	#define LXC_ATTACH_LSM (LXC_ATTACH_LSM_EXEC \| LXC_ATTACH_LSM_NOW)
72863294 DE	69
953e611c JH	70	/*! LXC attach function type.
	71	*
	72	* Function to run in container.
	73	*
	74	* \param payload \ref lxc_attach_command_t to run.
	75	*
	76	* \return Function should return \c 0 on success, and any other value to denote failure.
	77	*/
9c4693b8 CS	78	typedef int (lxc_attach_exec_t)(void payload);
9c4693b8 CS	79
8caac583	80	typedef struct lxc_groups_t {
fb4dbb51	81	size_t size;
8caac583 RJ	82	gid_t *list;
	83	} lxc_groups_t;
	84
953e611c JH	85	/*!
	86	* LXC attach options for \ref lxc_container \c attach().
	87	*/
	88	typedef struct lxc_attach_options_t {
	89	/! Any combination of LXC_ATTACH_ flags */
9c4693b8	90	int attach_flags;
953e611c JH	91
953e611c JH	92	/! The namespaces to attach to (CLONE_NEW... flags) /
9c4693b8	93	int namespaces;
953e611c JH	94
953e611c JH	95	/*! Initial personality (\c -1 to autodetect).
1a0e70ac CB	96	* \warning This may be ignored if lxc is compiled without personality
1a0e70ac CB	97	* support)
953e611c	98	*/
9c4693b8 CS	99	long personality;
9c4693b8 CS	100
ec64264d	101	/*! Initial current directory, use \c NULL to use cwd.
1a0e70ac CB	102	* If the current directory does not exist in the container, the root
1a0e70ac CB	103	* directory will be used instead because of kernel defaults.
9c4693b8	104	*/
f5072dcd	105	char *initial_cwd;
9c4693b8	106
953e611c JH	107	/*! The user-id to run as.
	108	*
	109	* \note Set to \c -1 for default behaviour (init uid for userns
	110	* containers or \c 0 (super-user) if detection fails).
9c4693b8 CS	111	*/
9c4693b8 CS	112	uid_t uid;
953e611c JH	113
	114	/*! The group-id to run as.
	115	*
	116	* \note Set to \c -1 for default behaviour (init gid for userns
	117	* containers or \c 0 (super-user) if detection fails).
	118	*/
9c4693b8 CS	119	gid_t gid;
9c4693b8 CS	120
953e611c	121	/! Environment policy /
9c4693b8	122	lxc_attach_env_policy_t env_policy;
953e611c JH	123
953e611c JH	124	/! Extra environment variables to set in the container environment /
f5072dcd	125	char **extra_env_vars;
953e611c JH	126
	127	/*! Names of environment variables in existing environment to retain
	128	* in container environment.
	129	*/
f5072dcd	130	char **extra_keep_env;
9c4693b8	131
953e611c JH	132	/*@{/
	133	/*! File descriptors for stdin, stdout and stderr,
	134	* \c dup2() will be used before calling exec_function,
	135	* (assuming not \c 0, \c 1 and \c 2 are specified) and the
9c4693b8	136	* original fds are closed before passing control
953e611c JH	137	* over. Any \c O_CLOEXEC flag will be removed after
953e611c JH	138	* that.
9c4693b8	139	*/
953e611c JH	140	int stdin_fd; /!< stdin file descriptor /
	141	int stdout_fd; /!< stdout file descriptor /
	142	int stderr_fd; /!< stderr file descriptor /
	143	/*@}/
79bd7662 CB	144
	145	/! File descriptor to log output. /
	146	int log_fd;
8455e39e MB	147
	148	/! lsm label to set. /
	149	char *lsm_label;
8caac583 RJ	150
	151	/*! The additional group GIDs to run with.
	152	*
	153	* If unset all additional groups are dropped.
	154	*/
	155	lxc_groups_t groups;
953e611c	156	} lxc_attach_options_t;
9c4693b8	157
953e611c	158	/! Default attach options to use /
f41aa73b CB	159	#define LXC_ATTACH_OPTIONS_DEFAULT \
	160	{ \
	161	.attach_flags = LXC_ATTACH_DEFAULT, \
	162	.namespaces = -1, \
	163	.personality = 0xffffffff, \
	164	.initial_cwd = NULL, \
	165	.uid = (uid_t)-1, \
	166	.gid = (gid_t)-1, \
	167	.env_policy = LXC_ATTACH_KEEP_ENV, \
	168	.extra_env_vars = NULL, \
	169	.extra_keep_env = NULL, \
	170	.stdin_fd = 0, \
	171	.stdout_fd = 1, \
	172	.stderr_fd = 2, \
	173	.log_fd = -EBADF, \
	174	.lsm_label = NULL, \
	175	.groups = {}, \
9c4693b8 CS	176	}
9c4693b8 CS	177
953e611c JH	178	/*!
	179	* Representation of a command to run in a container.
	180	*/
9c4693b8	181	typedef struct lxc_attach_command_t {
f5072dcd CB	182	char program; /!< The program to run (passed to execvp) */
f5072dcd CB	183	char *argv; /!< The argv pointer of that program, including the program itself in argv[0] */
9c4693b8 CS	184	} lxc_attach_command_t;
9c4693b8 CS	185
953e611c JH	186	/*!
	187	* \brief Run a command in the container.
	188	*
	189	* \param payload \ref lxc_attach_command_t to run.
	190	*
	191	* \return \c -1 on error, exit code of lxc_attach_command_t program on success.
9c4693b8 CS	192	*/
9c4693b8 CS	193	extern int lxc_attach_run_command(void* payload);
953e611c JH	194
	195	/*!
	196	* \brief Run a shell command in the container.
	197	*
	198	* \param payload Not used.
	199	*
	200	* \return Exit code of shell.
	201	*/
9c4693b8 CS	202	extern int lxc_attach_run_shell(void* payload);
9c4693b8 CS	203
579e783e AM	204	#ifdef __cplusplus
	205	}
	206	#endif
	207
9c4693b8	208	#endif