[mirror_lxc.git] / src / lxc / lxcseccomp.h

/*
 * lxc: linux Container library
 *
 * (C) Copyright Canonical, Inc. 2012
 *
 * Authors:
 * Serge Hallyn <serge.hallyn@canonical.com>
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 */

#ifndef __LXC_LXCSECCOMP_H
#define __LXC_LXCSECCOMP_H

#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1
#endif
#include <errno.h>
#ifdef HAVE_SECCOMP
#include <linux/seccomp.h>
#include <seccomp.h>
#endif
#if HAVE_DECL_SECCOMP_NOTIFY_FD
#include <sys/socket.h>
#include <sys/un.h>
#endif

#include "conf.h"
#include "config.h"
#include "memory_utils.h"

struct lxc_conf;
struct lxc_epoll_descr;
struct lxc_handler;

#ifndef SECCOMP_FILTER_FLAG_NEW_LISTENER
#define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3)
#endif

#ifdef HAVE_SECCOMP


#if HAVE_DECL_SECCOMP_NOTIFY_FD

struct seccomp_notify_proxy_msg {
	uint32_t version;
	struct seccomp_notif req;
	struct seccomp_notif_resp resp;
	pid_t monitor_pid;
	pid_t init_pid;
};

struct seccomp_notify {
	bool wants_supervision;
	int notify_fd;
	int proxy_fd;
	struct sockaddr_un proxy_addr;
	struct seccomp_notif *req_buf;
	struct seccomp_notif_resp *rsp_buf;
};

#define HAVE_SECCOMP_NOTIFY 1

#endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */

struct lxc_seccomp {
	char *seccomp;
#if HAVE_SCMP_FILTER_CTX
	unsigned int allow_nesting;
	scmp_filter_ctx seccomp_ctx;
#endif /* HAVE_SCMP_FILTER_CTX */

#if HAVE_DECL_SECCOMP_NOTIFY_FD
	struct seccomp_notify notifier;
#endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */
};

extern int lxc_seccomp_load(struct lxc_conf *conf);
extern int lxc_read_seccomp_config(struct lxc_conf *conf);
extern void lxc_seccomp_free(struct lxc_seccomp *seccomp);
extern int seccomp_notify_handler(int fd, uint32_t events, void *data,
				  struct lxc_epoll_descr *descr);
extern void seccomp_conf_init(struct lxc_conf *conf);
extern int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
				   struct lxc_epoll_descr *descr,
				   struct lxc_handler *handler);
extern int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
					int socket_fd);
extern int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
					int socket_fd);
extern int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
				    struct lxc_seccomp *seccomp);
static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
{
#if HAVE_DECL_SECCOMP_NOTIFY_FD
	return seccomp->notifier.notify_fd;
#else
	errno = ENOSYS;
	return -EBADF;
#endif
}

#else /* HAVE_SECCOMP */

struct lxc_seccomp {
	char *seccomp;
};

static inline int lxc_seccomp_load(struct lxc_conf *conf)
{
	return 0;
}

static inline int lxc_read_seccomp_config(struct lxc_conf *conf)
{
	return 0;
}

static inline void lxc_seccomp_free(struct lxc_seccomp *seccomp)
{
	free_disarm(seccomp->seccomp);
}

static inline int seccomp_notify_handler(int fd, uint32_t events, void *data,
				  struct lxc_epoll_descr *descr)
{
	return -ENOSYS;
}

static inline void seccomp_conf_init(struct lxc_conf *conf)
{
}

static inline int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
					  struct lxc_epoll_descr *descr,
					  struct lxc_handler *handler)
{
	return 0;
}

static inline int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
					       int socket_fd)
{
	return 0;
}

static inline int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
					int socket_fd)
{
	return 0;
}

static inline int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
					   struct lxc_seccomp *seccomp)
{
	return 0;
}

static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
{
	return -EBADF;
}

#endif /* HAVE_SECCOMP */
#endif /* __LXC_LXCSECCOMP_H */
Commit	Line	Data
8f2c3a70 SH	1	/*
	2	* lxc: linux Container library
	3	*
	4	* (C) Copyright Canonical, Inc. 2012
	5	*
	6	* Authors:
	7	* Serge Hallyn <serge.hallyn@canonical.com>
	8	*
	9	* This library is free software; you can redistribute it and/or
	10	* modify it under the terms of the GNU Lesser General Public
	11	* License as published by the Free Software Foundation; either
	12	* version 2.1 of the License, or (at your option) any later version.
	13	*
	14	* This library is distributed in the hope that it will be useful,
	15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	17	* Lesser General Public License for more details.
	18	*
	19	* You should have received a copy of the GNU Lesser General Public
	20	* License along with this library; if not, write to the Free Software
250b1eec	21	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
8f2c3a70 SH	22	*/
8f2c3a70 SH	23
f1a4a029 ÇO	24	#ifndef __LXC_LXCSECCOMP_H
f1a4a029 ÇO	25	#define __LXC_LXCSECCOMP_H
8f2c3a70	26
c3e3c21a CB	27	#ifndef _GNU_SOURCE
	28	#define _GNU_SOURCE 1
	29	#endif
cdb2a47f CB	30	#include <errno.h>
cdb2a47f CB	31	#ifdef HAVE_SECCOMP
c3e3c21a	32	#include <linux/seccomp.h>
cdb2a47f CB	33	#include <seccomp.h>
cdb2a47f CB	34	#endif
d7d2d2d9	35	#if HAVE_DECL_SECCOMP_NOTIFY_FD
c3e3c21a CB	36	#include <sys/socket.h>
	37	#include <sys/un.h>
	38	#endif
cdb2a47f	39
8f2c3a70	40	#include "conf.h"
c3e3c21a CB	41	#include "config.h"
	42	#include "memory_utils.h"
	43
	44	struct lxc_conf;
	45	struct lxc_epoll_descr;
	46	struct lxc_handler;
8f2c3a70	47
fe02f63c CB	48	#ifndef SECCOMP_FILTER_FLAG_NEW_LISTENER
	49	#define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3)
	50	#endif
	51
8f2c3a70	52	#ifdef HAVE_SECCOMP
c3e3c21a	53
ebc1c319	54
d7d2d2d9	55	#if HAVE_DECL_SECCOMP_NOTIFY_FD
ebc1c319 CB	56
	57	struct seccomp_notify_proxy_msg {
	58	uint32_t version;
	59	struct seccomp_notif req;
	60	struct seccomp_notif_resp resp;
	61	pid_t monitor_pid;
	62	pid_t init_pid;
2a621ece	63	};
ebc1c319	64
c3e3c21a CB	65	struct seccomp_notify {
	66	bool wants_supervision;
	67	int notify_fd;
	68	int proxy_fd;
	69	struct sockaddr_un proxy_addr;
	70	struct seccomp_notif *req_buf;
	71	struct seccomp_notif_resp *rsp_buf;
	72	};
	73
	74	#define HAVE_SECCOMP_NOTIFY 1
	75
d7d2d2d9	76	#endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */
c3e3c21a CB	77
	78	struct lxc_seccomp {
	79	char *seccomp;
	80	#if HAVE_SCMP_FILTER_CTX
	81	unsigned int allow_nesting;
	82	scmp_filter_ctx seccomp_ctx;
	83	#endif /* HAVE_SCMP_FILTER_CTX */
	84
d7d2d2d9	85	#if HAVE_DECL_SECCOMP_NOTIFY_FD
c3e3c21a	86	struct seccomp_notify notifier;
d7d2d2d9	87	#endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */
c3e3c21a CB	88	};
c3e3c21a CB	89
5fdc4e77 CB	90	extern int lxc_seccomp_load(struct lxc_conf *conf);
5fdc4e77 CB	91	extern int lxc_read_seccomp_config(struct lxc_conf *conf);
c3e3c21a	92	extern void lxc_seccomp_free(struct lxc_seccomp *seccomp);
cdb2a47f CB	93	extern int seccomp_notify_handler(int fd, uint32_t events, void *data,
cdb2a47f CB	94	struct lxc_epoll_descr *descr);
c3e3c21a	95	extern void seccomp_conf_init(struct lxc_conf *conf);
2ac0f627 CB	96	extern int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
	97	struct lxc_epoll_descr *descr,
	98	struct lxc_handler *handler);
c3e3c21a CB	99	extern int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
	100	int socket_fd);
	101	extern int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
	102	int socket_fd);
	103	extern int lxc_seccomp_add_notifier(const char name, const char lxcpath,
	104	struct lxc_seccomp *seccomp);
	105	static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
	106	{
d7d2d2d9	107	#if HAVE_DECL_SECCOMP_NOTIFY_FD
c3e3c21a	108	return seccomp->notifier.notify_fd;
8f2c3a70	109	#else
c3e3c21a CB	110	errno = ENOSYS;
	111	return -EBADF;
	112	#endif
	113	}
	114
	115	#else /* HAVE_SECCOMP */
	116
	117	struct lxc_seccomp {
	118	char *seccomp;
	119	};
	120
5fdc4e77 CB	121	static inline int lxc_seccomp_load(struct lxc_conf *conf)
5fdc4e77 CB	122	{
8f2c3a70 SH	123	return 0;
	124	}
	125
5fdc4e77 CB	126	static inline int lxc_read_seccomp_config(struct lxc_conf *conf)
5fdc4e77 CB	127	{
8f2c3a70 SH	128	return 0;
8f2c3a70 SH	129	}
769872f9	130
c3e3c21a	131	static inline void lxc_seccomp_free(struct lxc_seccomp *seccomp)
5fdc4e77	132	{
c3e3c21a	133	free_disarm(seccomp->seccomp);
769872f9	134	}
c3e3c21a	135
cdb2a47f CB	136	static inline int seccomp_notify_handler(int fd, uint32_t events, void *data,
	137	struct lxc_epoll_descr *descr)
	138	{
	139	return -ENOSYS;
	140	}
8f2c3a70	141
c3e3c21a CB	142	static inline void seccomp_conf_init(struct lxc_conf *conf)
	143	{
	144	}
	145
2ac0f627 CB	146	static inline int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
	147	struct lxc_epoll_descr *descr,
	148	struct lxc_handler *handler)
c3e3c21a CB	149	{
	150	return 0;
	151	}
	152
	153	static inline int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
	154	int socket_fd)
	155	{
	156	return 0;
	157	}
	158
	159	static inline int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
	160	int socket_fd)
	161	{
	162	return 0;
	163	}
	164
	165	static inline int lxc_seccomp_add_notifier(const char name, const char lxcpath,
	166	struct lxc_seccomp *seccomp)
	167	{
	168	return 0;
	169	}
	170
	171	static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
	172	{
	173	return -EBADF;
	174	}
	175
	176	#endif /* HAVE_SECCOMP */
	177	#endif /* __LXC_LXCSECCOMP_H */