cc73685d | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
9c4693b8 | 2 | |
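#ifndef __LXC_ATTACH_OPTIONS_H
#define __LXC_ATTACH_OPTIONS_H

/* LXC_ATTACH_OPTIONS_DEFAULT below expands to -EBADF and NULL, so this
 * header must pull in <errno.h> and <stddef.h> itself to stay
 * self-contained for consumers that include it first.
 */
#include <errno.h>
#include <stddef.h>
#include <sys/types.h>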
7 | ||
/* Give the declarations below C linkage when included from C++. */
#ifdef __cplusplus
extern "C" {
#endif
11 | ||
/*!
 * LXC environment policy.
 *
 * Selects whether the attached process starts from the existing
 * environment or from an empty one.  Used by the \c env_policy field of
 * \ref lxc_attach_options_t; \c extra_env_vars and \c extra_keep_env
 * refine the result.
 */
typedef enum lxc_attach_env_policy_t {
	LXC_ATTACH_KEEP_ENV,  /*!< Retain the environment */
	LXC_ATTACH_CLEAR_ENV  /*!< Clear the environment */
} lxc_attach_env_policy_t;
19 | ||
/*!
 * Flag bits for the \c attach_flags field of \ref lxc_attach_options_t.
 *
 * The low 16 bits are applied by default (they are exactly the bits
 * covered by LXC_ATTACH_DEFAULT); the high 16 bits are opt-in.  Clearing
 * one of the default bits (for example LXC_ATTACH_DROP_CAPABILITIES)
 * relaxes the confinement applied to the attached process, so do it
 * deliberately and document why.
 */
enum {
	/* The following are on by default: */
	LXC_ATTACH_MOVE_TO_CGROUP = 0x00000001, /*!< Move to cgroup */
	LXC_ATTACH_DROP_CAPABILITIES = 0x00000002, /*!< Drop capabilities */
	LXC_ATTACH_SET_PERSONALITY = 0x00000004, /*!< Set personality */
	LXC_ATTACH_LSM_EXEC = 0x00000008, /*!< Execute under a Linux Security Module */

	/* The following are off by default: */
	LXC_ATTACH_REMOUNT_PROC_SYS = 0x00010000, /*!< Remount /proc filesystem (the name suggests /sys too - confirm in the attach implementation) */
	LXC_ATTACH_LSM_NOW = 0x00020000, /*!< TODO: currently unused */
	/* Set PR_SET_NO_NEW_PRIVS to block execve() gainable privileges.
	 * Off by default: callers that want it must set this bit explicitly.
	 */
	LXC_ATTACH_NO_NEW_PRIVS = 0x00040000, /*!< PR_SET_NO_NEW_PRIVS */
	LXC_ATTACH_TERMINAL = 0x00080000, /*!< Allocate new terminal for attached process. */
	LXC_ATTACH_LSM_LABEL = 0x00100000, /*!< Set custom LSM label specified in @lsm_label (the \c lsm_label field of \ref lxc_attach_options_t). */

	/* We have 16 bits for things that are on by default and 16 bits that
	 * are off by default, that should be sufficient to keep binary
	 * compatibility for a while
	 */
	LXC_ATTACH_DEFAULT = 0x0000FFFF /*!< Mask of flags to apply by default */
};
41 | ||
/*! All Linux Security Module flags.
 *
 * Mask of the two LSM execution bits (LXC_ATTACH_LSM_NOW is documented
 * above as currently unused).  It does not include LXC_ATTACH_LSM_LABEL,
 * which only controls whether \c lsm_label is applied.
 */
#define LXC_ATTACH_LSM (LXC_ATTACH_LSM_EXEC | LXC_ATTACH_LSM_NOW)
44 | ||
/*! LXC attach function type.
 *
 * Function to run in container.  \ref lxc_attach_run_command and
 * \ref lxc_attach_run_shell below have this signature and can be passed
 * wherever an \c lxc_attach_exec_t is expected.
 *
 * \param payload \ref lxc_attach_command_t to run.
 *
 * \return Function should return \c 0 on success, and any other value to denote failure.
 */
typedef int (*lxc_attach_exec_t)(void* payload);
54 | ||
/*!
 * LXC attach options for \ref lxc_container \c attach().
 *
 * Initialise with LXC_ATTACH_OPTIONS_DEFAULT and then override only the
 * fields you need; the defaults keep the on-by-default flags
 * (LXC_ATTACH_DEFAULT) and inherit the caller's stdio.  Field order is
 * part of the public layout and of the positional initialiser macro, so
 * new fields must be appended at the end.
 */
typedef struct lxc_attach_options_t {
	/*! Any combination of LXC_ATTACH_* flags.
	 * Defaults to LXC_ATTACH_DEFAULT (all on-by-default bits set).
	 */
	int attach_flags;

	/*! The namespaces to attach to (CLONE_NEW... flags).
	 * LXC_ATTACH_OPTIONS_DEFAULT sets \c -1; presumably that means
	 * "all namespaces" - confirm in the attach implementation.
	 */
	int namespaces;

	/*! Initial personality (\c -1 to autodetect).
	 * \warning This may be ignored if lxc is compiled without personality
	 * support)
	 * \note LXC_ATTACH_OPTIONS_DEFAULT initialises this to \c 0xffffffff,
	 * which is not \c -1 where \c long is 64 bits wide; confirm which
	 * value the attach implementation treats as "autodetect" before
	 * relying on either.
	 */
	long personality;

	/*! Initial current directory, use \c NULL to use cwd.
	 * If the current directory does not exist in the container, the root
	 * directory will be used instead because of kernel defaults.
	 */
	char* initial_cwd;

	/*! The user-id to run as.
	 *
	 * \note Set to \c -1 for default behaviour (init uid for userns
	 * containers or \c 0 (super-user) if detection fails).
	 * LXC_ATTACH_OPTIONS_DEFAULT uses \c (uid_t)-1.
	 */
	uid_t uid;

	/*! The group-id to run as.
	 *
	 * \note Set to \c -1 for default behaviour (init gid for userns
	 * containers or \c 0 (super-user) if detection fails).
	 * LXC_ATTACH_OPTIONS_DEFAULT uses \c (gid_t)-1.
	 */
	gid_t gid;

	/*! Environment policy (see \ref lxc_attach_env_policy_t).
	 * Defaults to LXC_ATTACH_KEEP_ENV.
	 */
	lxc_attach_env_policy_t env_policy;

	/*! Extra environment variables to set in the container environment.
	 * \c NULL by default; presumably a \c NULL-terminated array of
	 * \c NAME=VALUE strings - confirm against the attach implementation.
	 */
	char** extra_env_vars;

	/*! Names of environment variables in existing environment to retain
	 * in container environment.
	 * \c NULL by default; presumably a \c NULL-terminated array of
	 * variable names - confirm against the attach implementation.
	 */
	char** extra_keep_env;

	/**@{*/
	/*! File descriptors for stdin, stdout and stderr,
	 * \c dup2() will be used before calling exec_function,
	 * (assuming not \c 0, \c 1 and \c 2 are specified) and the
	 * original fds are closed before passing control
	 * over. Any \c O_CLOEXEC flag will be removed after
	 * that.
	 * \note Because \c O_CLOEXEC is stripped, whatever is passed here
	 * remains open in the attached process and anything it executes;
	 * hand over only the descriptors it genuinely needs.
	 */
	int stdin_fd; /*!< stdin file descriptor */
	int stdout_fd; /*!< stdout file descriptor */
	int stderr_fd; /*!< stderr file descriptor */
	/**@}*/

	/*! File descriptor to log output.
	 * LXC_ATTACH_OPTIONS_DEFAULT sets \c -EBADF; presumably a negative
	 * value means "no separate log fd" - confirm in the attach
	 * implementation.
	 */
	int log_fd;

	/*! lsm label to set.
	 * Only meaningful together with LXC_ATTACH_LSM_LABEL in
	 * \c attach_flags; \c NULL by default.
	 */
	char *lsm_label;
} lxc_attach_options_t;
9c4693b8 | 121 | |
/*! Default attach options to use.
 *
 * Positional initialiser for \ref lxc_attach_options_t: the entries must
 * stay in the same order as the struct fields (the comments name each
 * one).  Applies LXC_ATTACH_DEFAULT, autodetected uid/gid, the caller's
 * stdio (0, 1, 2) and no log fd or LSM label.  Expands to \c -EBADF and
 * \c NULL, so <errno.h> and <stddef.h> must be available where it is used.
 */
#define LXC_ATTACH_OPTIONS_DEFAULT \
	{ \
		/* .attach_flags = */ LXC_ATTACH_DEFAULT, \
		/* .namespaces = */ -1, \
		/* .personality = */ 0xffffffff, \
		/* .initial_cwd = */ NULL, \
		/* .uid = */ (uid_t)-1, \
		/* .gid = */ (gid_t)-1, \
		/* .env_policy = */ LXC_ATTACH_KEEP_ENV, \
		/* .extra_env_vars = */ NULL, \
		/* .extra_keep_env = */ NULL, \
		/* .stdin_fd = */ 0, \
		/* .stdout_fd = */ 1, \
		/* .stderr_fd = */ 2, \
		/* .log_fd = */ -EBADF, \
		/* .lsm_label = */ NULL, \
	}
140 | ||
/*!
 * Representation of a command to run in a container.
 *
 * This is the payload expected by \ref lxc_attach_run_command.  Because
 * \c program goes to \c execvp(), a bare name is resolved through the
 * PATH seen inside the container; pass an absolute path when you need to
 * pin exactly which binary runs.
 */
typedef struct lxc_attach_command_t {
	char* program; /*!< The program to run (passed to execvp) */
	char** argv; /*!< The argv pointer of that program, including the program itself in argv[0]; \c NULL-terminated as execvp requires */
} lxc_attach_command_t;
148 | ||
/*!
 * \brief Run a command in the container.
 *
 * Matches \ref lxc_attach_exec_t and is the usual function to pass to
 * \c attach().
 *
 * \param payload \ref lxc_attach_command_t to run.
 *
 * \return \c -1 on error, exit code of lxc_attach_command_t program on success.
 * \note An exit code of \c 255 and the \c -1 error return may be hard to
 * tell apart at the caller; check both when the distinction matters.
 */
extern int lxc_attach_run_command(void* payload);
157 | |
/*!
 * \brief Run a shell command in the container.
 *
 * Matches \ref lxc_attach_exec_t.  Which shell is started is not
 * specified here; consult the implementation if that matters for your
 * use case.
 *
 * \param payload Not used.
 *
 * \return Exit code of shell.
 */
extern int lxc_attach_run_shell(void* payload);
166 | ||
#ifdef __cplusplus
} /* extern "C" */
#endif
170 | ||
#endif /* __LXC_ATTACH_OPTIONS_H */