[mirror_lxc.git] / src / lxc / attach_options.h

/* SPDX-License-Identifier: LGPL-2.1+ */

#ifndef __LXC_ATTACH_OPTIONS_H
#define __LXC_ATTACH_OPTIONS_H

#include <sys/types.h>

#ifdef  __cplusplus
extern "C" {
#endif

/*!
 * LXC environment policy.
 */
typedef enum lxc_attach_env_policy_t {
	LXC_ATTACH_KEEP_ENV,   /*!< Retain the environment */
	LXC_ATTACH_CLEAR_ENV   /*!< Clear the environment */
} lxc_attach_env_policy_t;

enum {
	/* The following are on by default: */
	LXC_ATTACH_MOVE_TO_CGROUP        = 0x00000001, /*!< Move to cgroup */
	LXC_ATTACH_DROP_CAPABILITIES     = 0x00000002, /*!< Drop capabilities */
	LXC_ATTACH_SET_PERSONALITY       = 0x00000004, /*!< Set personality */
	LXC_ATTACH_LSM_EXEC              = 0x00000008, /*!< Execute under a Linux Security Module */

	/* The following are off by default: */
	LXC_ATTACH_REMOUNT_PROC_SYS      = 0x00010000, /*!< Remount /proc filesystem */
	LXC_ATTACH_LSM_NOW               = 0x00020000, /*!< TODO: currently unused */
	/* Set PR_SET_NO_NEW_PRIVS to block execve() gainable privileges. */
	LXC_ATTACH_NO_NEW_PRIVS		 = 0x00040000, /*!< PR_SET_NO_NEW_PRIVS */
	LXC_ATTACH_TERMINAL              = 0x00080000, /*!< Allocate new terminal for attached process. */
	LXC_ATTACH_LSM_LABEL             = 0x00100000, /*!< Set custom LSM label specified in @lsm_label. */

	/* We have 16 bits for things that are on by default and 16 bits that
	 * are off by default, that should be sufficient to keep binary
	 * compatibility for a while
	 */
	LXC_ATTACH_DEFAULT               = 0x0000FFFF  /*!< Mask of flags to apply by default */
};

/*! All Linux Security Module flags */
#define LXC_ATTACH_LSM (LXC_ATTACH_LSM_EXEC | LXC_ATTACH_LSM_NOW)

/*! LXC attach function type.
 *
 * Function to run in container.
 *
 * \param payload \ref lxc_attach_command_t to run.
 *
 * \return Function should return \c 0 on success, and any other value to denote failure.
 */
typedef int (*lxc_attach_exec_t)(void* payload);

/*!
 * LXC attach options for \ref lxc_container \c attach().
 */
typedef struct lxc_attach_options_t {
	/*! Any combination of LXC_ATTACH_* flags */
	int attach_flags;

	/*! The namespaces to attach to (CLONE_NEW... flags) */
	int namespaces;

	/*! Initial personality (\c -1 to autodetect).
	 * \warning This may be ignored if lxc is compiled without personality
	 * support)
	 */
	long personality;

	/*! Initial current directory, use \c NULL to use cwd.
	 * If the current directory does not exist in the container, the root
	 * directory will be used instead because of kernel defaults.
	 */
	char* initial_cwd;

	/*! The user-id to run as.
	 *
	 * \note Set to \c -1 for default behaviour (init uid for userns
	 * containers or \c 0 (super-user) if detection fails).
	 */
	uid_t uid;

	/*! The group-id to run as.
	 *
	 * \note Set to \c -1 for default behaviour (init gid for userns
	 * containers or \c 0 (super-user) if detection fails).
	 */
	gid_t gid;

	/*! Environment policy */
	lxc_attach_env_policy_t env_policy;

	/*! Extra environment variables to set in the container environment */
	char** extra_env_vars;

	/*! Names of environment variables in existing environment to retain
	 * in container environment.
	 */
	char** extra_keep_env;

	/**@{*/
	/*! File descriptors for stdin, stdout and stderr,
	 * \c dup2() will be used before calling exec_function,
	 * (assuming not \c 0, \c 1 and \c 2 are specified) and the
	 * original fds are closed before passing control
	 * over. Any \c O_CLOEXEC flag will be removed after
	 * that.
	 */
	int stdin_fd; /*!< stdin file descriptor */
	int stdout_fd; /*!< stdout file descriptor */
	int stderr_fd; /*!< stderr file descriptor */
	/**@}*/

	/*! File descriptor to log output. */
	int log_fd;

	/*! lsm label to set. */
	char *lsm_label;
} lxc_attach_options_t;

/*! Default attach options to use */
#define LXC_ATTACH_OPTIONS_DEFAULT                                             \
	{                                                                      \
		/* .attach_flags = */   LXC_ATTACH_DEFAULT,                    \
		/* .namespaces = */     -1,                                    \
		/* .personality = */    0xffffffff,                            \
		/* .initial_cwd = */    NULL,                                  \
		/* .uid = */            (uid_t)-1,                             \
		/* .gid = */            (gid_t)-1,                             \
		/* .env_policy = */     LXC_ATTACH_KEEP_ENV,                   \
		/* .extra_env_vars = */ NULL,                                  \
		/* .extra_keep_env = */ NULL,                                  \
		/* .stdin_fd = */       0,                                     \
		/* .stdout_fd = */      1,                                     \
		/* .stderr_fd = */      2,                                     \
		/* .log_fd    = */      -EBADF,                                \
		/* .lsm_label = */	NULL,				       \
	}

/*!
 * Representation of a command to run in a container.
 */
typedef struct lxc_attach_command_t {
	char* program; /*!< The program to run (passed to execvp) */
	char** argv;   /*!< The argv pointer of that program, including the program itself in argv[0] */
} lxc_attach_command_t;

/*!
 * \brief Run a command in the container.
 *
 * \param payload \ref lxc_attach_command_t to run.
 *
 * \return \c -1 on error, exit code of lxc_attach_command_t program on success.
 */
extern int lxc_attach_run_command(void* payload);

/*!
 * \brief Run a shell command in the container.
 *
 * \param payload Not used.
 *
 * \return Exit code of shell.
 */
extern int lxc_attach_run_shell(void* payload);

#ifdef  __cplusplus
}
#endif

#endif
Commit	Line	Data
cc73685d	1	/* SPDX-License-Identifier: LGPL-2.1+ */
9c4693b8	2
f1a4a029 ÇO	3	#ifndef __LXC_ATTACH_OPTIONS_H
f1a4a029 ÇO	4	#define __LXC_ATTACH_OPTIONS_H
9c4693b8 CS	5
	6	#include <sys/types.h>
	7
579e783e AM	8	#ifdef __cplusplus
	9	extern "C" {
	10	#endif
	11
953e611c JH	12	/*!
	13	* LXC environment policy.
	14	*/
9c4693b8	15	typedef enum lxc_attach_env_policy_t {
1a0e70ac CB	16	LXC_ATTACH_KEEP_ENV, /!< Retain the environment /
1a0e70ac CB	17	LXC_ATTACH_CLEAR_ENV /!< Clear the environment /
9c4693b8 CS	18	} lxc_attach_env_policy_t;
	19
	20	enum {
1a0e70ac CB	21	/* The following are on by default: */
	22	LXC_ATTACH_MOVE_TO_CGROUP = 0x00000001, /!< Move to cgroup /
	23	LXC_ATTACH_DROP_CAPABILITIES = 0x00000002, /!< Drop capabilities /
	24	LXC_ATTACH_SET_PERSONALITY = 0x00000004, /!< Set personality /
	25	LXC_ATTACH_LSM_EXEC = 0x00000008, /!< Execute under a Linux Security Module /
	26
	27	/* The following are off by default: */
	28	LXC_ATTACH_REMOUNT_PROC_SYS = 0x00010000, /!< Remount /proc filesystem /
50e3e83d	29	LXC_ATTACH_LSM_NOW = 0x00020000, /!< TODO: currently unused /
1325da7e	30	/* Set PR_SET_NO_NEW_PRIVS to block execve() gainable privileges. */
1a0e70ac	31	LXC_ATTACH_NO_NEW_PRIVS = 0x00040000, /!< PR_SET_NO_NEW_PRIVS /
9e84479f	32	LXC_ATTACH_TERMINAL = 0x00080000, /!< Allocate new terminal for attached process. /
65129087	33	LXC_ATTACH_LSM_LABEL = 0x00100000, /!< Set custom LSM label specified in @lsm_label. /
9c4693b8	34
1a0e70ac CB	35	/* We have 16 bits for things that are on by default and 16 bits that
	36	* are off by default, that should be sufficient to keep binary
	37	* compatibility for a while
9c4693b8	38	*/
1a0e70ac	39	LXC_ATTACH_DEFAULT = 0x0000FFFF /!< Mask of flags to apply by default /
9c4693b8 CS	40	};
9c4693b8 CS	41
953e611c	42	/! All Linux Security Module flags /
72863294 DE	43	#define LXC_ATTACH_LSM (LXC_ATTACH_LSM_EXEC \| LXC_ATTACH_LSM_NOW)
72863294 DE	44
953e611c JH	45	/*! LXC attach function type.
	46	*
	47	* Function to run in container.
	48	*
	49	* \param payload \ref lxc_attach_command_t to run.
	50	*
	51	* \return Function should return \c 0 on success, and any other value to denote failure.
	52	*/
9c4693b8 CS	53	typedef int (lxc_attach_exec_t)(void payload);
9c4693b8 CS	54
953e611c JH	55	/*!
	56	* LXC attach options for \ref lxc_container \c attach().
	57	*/
	58	typedef struct lxc_attach_options_t {
	59	/! Any combination of LXC_ATTACH_ flags */
9c4693b8	60	int attach_flags;
953e611c JH	61
953e611c JH	62	/! The namespaces to attach to (CLONE_NEW... flags) /
9c4693b8	63	int namespaces;
953e611c JH	64
953e611c JH	65	/*! Initial personality (\c -1 to autodetect).
1a0e70ac CB	66	* \warning This may be ignored if lxc is compiled without personality
1a0e70ac CB	67	* support)
953e611c	68	*/
9c4693b8 CS	69	long personality;
9c4693b8 CS	70
ec64264d	71	/*! Initial current directory, use \c NULL to use cwd.
1a0e70ac CB	72	* If the current directory does not exist in the container, the root
1a0e70ac CB	73	* directory will be used instead because of kernel defaults.
9c4693b8 CS	74	*/
	75	char* initial_cwd;
	76
953e611c JH	77	/*! The user-id to run as.
	78	*
	79	* \note Set to \c -1 for default behaviour (init uid for userns
	80	* containers or \c 0 (super-user) if detection fails).
9c4693b8 CS	81	*/
9c4693b8 CS	82	uid_t uid;
953e611c JH	83
	84	/*! The group-id to run as.
	85	*
	86	* \note Set to \c -1 for default behaviour (init gid for userns
	87	* containers or \c 0 (super-user) if detection fails).
	88	*/
9c4693b8 CS	89	gid_t gid;
9c4693b8 CS	90
953e611c	91	/! Environment policy /
9c4693b8	92	lxc_attach_env_policy_t env_policy;
953e611c JH	93
953e611c JH	94	/! Extra environment variables to set in the container environment /
9c4693b8	95	char** extra_env_vars;
953e611c JH	96
	97	/*! Names of environment variables in existing environment to retain
	98	* in container environment.
	99	*/
9c4693b8 CS	100	char** extra_keep_env;
9c4693b8 CS	101
953e611c JH	102	/*@{/
	103	/*! File descriptors for stdin, stdout and stderr,
	104	* \c dup2() will be used before calling exec_function,
	105	* (assuming not \c 0, \c 1 and \c 2 are specified) and the
9c4693b8	106	* original fds are closed before passing control
953e611c JH	107	* over. Any \c O_CLOEXEC flag will be removed after
953e611c JH	108	* that.
9c4693b8	109	*/
953e611c JH	110	int stdin_fd; /!< stdin file descriptor /
	111	int stdout_fd; /!< stdout file descriptor /
	112	int stderr_fd; /!< stderr file descriptor /
	113	/*@}/
79bd7662 CB	114
	115	/! File descriptor to log output. /
	116	int log_fd;
8455e39e MB	117
	118	/! lsm label to set. /
	119	char *lsm_label;
953e611c	120	} lxc_attach_options_t;
9c4693b8	121
953e611c	122	/! Default attach options to use /
1a0e70ac CB	123	#define LXC_ATTACH_OPTIONS_DEFAULT \
	124	{ \
	125	/* .attach_flags = */ LXC_ATTACH_DEFAULT, \
	126	/* .namespaces = */ -1, \
ee142207	127	/* .personality = */ 0xffffffff, \
1a0e70ac CB	128	/* .initial_cwd = */ NULL, \
	129	/* .uid = */ (uid_t)-1, \
	130	/* .gid = */ (gid_t)-1, \
	131	/* .env_policy = */ LXC_ATTACH_KEEP_ENV, \
	132	/* .extra_env_vars = */ NULL, \
	133	/* .extra_keep_env = */ NULL, \
79bd7662 CB	134	/* .stdin_fd = */ 0, \
	135	/* .stdout_fd = */ 1, \
	136	/* .stderr_fd = */ 2, \
	137	/* .log_fd = */ -EBADF, \
afc691a0	138	/* .lsm_label = */ NULL, \
9c4693b8 CS	139	}
9c4693b8 CS	140
953e611c JH	141	/*!
	142	* Representation of a command to run in a container.
	143	*/
9c4693b8	144	typedef struct lxc_attach_command_t {
953e611c JH	145	char* program; /!< The program to run (passed to execvp) /
953e611c JH	146	char** argv; /!< The argv pointer of that program, including the program itself in argv[0] /
9c4693b8 CS	147	} lxc_attach_command_t;
9c4693b8 CS	148
953e611c JH	149	/*!
	150	* \brief Run a command in the container.
	151	*
	152	* \param payload \ref lxc_attach_command_t to run.
	153	*
	154	* \return \c -1 on error, exit code of lxc_attach_command_t program on success.
9c4693b8 CS	155	*/
9c4693b8 CS	156	extern int lxc_attach_run_command(void* payload);
953e611c JH	157
	158	/*!
	159	* \brief Run a shell command in the container.
	160	*
	161	* \param payload Not used.
	162	*
	163	* \return Exit code of shell.
	164	*/
9c4693b8 CS	165	extern int lxc_attach_run_shell(void* payload);
9c4693b8 CS	166
579e783e AM	167	#ifdef __cplusplus
	168	}
	169	#endif
	170
9c4693b8	171	#endif