[mirror_lxc.git] / src / lxc / lxcseccomp.h

/* SPDX-License-Identifier: LGPL-2.1+ */

#ifndef __LXC_LXCSECCOMP_H
#define __LXC_LXCSECCOMP_H

#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1
#endif
#include <errno.h>
#ifdef HAVE_SECCOMP
#include <linux/seccomp.h>
#include <seccomp.h>
#endif
#if HAVE_DECL_SECCOMP_NOTIFY_FD
#include <sys/socket.h>
#include <sys/un.h>
#endif

#include "compiler.h"
#include "conf.h"
#include "config.h"
#include "memory_utils.h"

struct lxc_conf;
struct lxc_epoll_descr;
struct lxc_handler;

#ifndef SECCOMP_FILTER_FLAG_NEW_LISTENER
#define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3)
#endif

#ifdef HAVE_SECCOMP


#if HAVE_DECL_SECCOMP_NOTIFY_FD

#if !HAVE_STRUCT_SECCOMP_NOTIF_SIZES
struct seccomp_notif_sizes {
	__u16 seccomp_notif;
	__u16 seccomp_notif_resp;
	__u16 seccomp_data;
};
#endif

struct seccomp_notify_proxy_msg {
	uint64_t __reserved;
	pid_t monitor_pid;
	pid_t init_pid;
	struct seccomp_notif_sizes sizes;
	uint64_t cookie_len;
	/* followed by: seccomp_notif, seccomp_notif_resp, cookie */
};

struct seccomp_notify {
	bool wants_supervision;
	int notify_fd;
	int proxy_fd;
	struct sockaddr_un proxy_addr;
	struct seccomp_notif_sizes sizes;
	struct seccomp_notif *req_buf;
	struct seccomp_notif_resp *rsp_buf;
	char *cookie;
};

#define HAVE_SECCOMP_NOTIFY 1

#endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */

struct lxc_seccomp {
	char *seccomp;
#if HAVE_SCMP_FILTER_CTX
	unsigned int allow_nesting;
	scmp_filter_ctx seccomp_ctx;
#endif /* HAVE_SCMP_FILTER_CTX */

#if HAVE_DECL_SECCOMP_NOTIFY_FD
	struct seccomp_notify notifier;
#endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */
};

__hidden extern int lxc_seccomp_load(struct lxc_conf *conf);
__hidden extern int lxc_read_seccomp_config(struct lxc_conf *conf);
__hidden extern void lxc_seccomp_free(struct lxc_seccomp *seccomp);
__hidden extern int seccomp_notify_handler(int fd, uint32_t events, void *data,
					   struct lxc_epoll_descr *descr);
__hidden extern void seccomp_conf_init(struct lxc_conf *conf);
__hidden extern int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
					    struct lxc_epoll_descr *descr,
					    struct lxc_handler *handler);
__hidden extern int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp, int socket_fd);
__hidden extern int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp, int socket_fd);
__hidden extern int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
					     struct lxc_seccomp *seccomp);
static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
{
#if HAVE_DECL_SECCOMP_NOTIFY_FD
	return seccomp->notifier.notify_fd;
#else
	errno = ENOSYS;
	return -EBADF;
#endif
}

#else /* HAVE_SECCOMP */

struct lxc_seccomp {
	char *seccomp;
};

static inline int lxc_seccomp_load(struct lxc_conf *conf)
{
	return 0;
}

static inline int lxc_read_seccomp_config(struct lxc_conf *conf)
{
	return 0;
}

static inline void lxc_seccomp_free(struct lxc_seccomp *seccomp)
{
	free_disarm(seccomp->seccomp);
}

static inline int seccomp_notify_handler(int fd, uint32_t events, void *data,
				  struct lxc_epoll_descr *descr)
{
	return -ENOSYS;
}

static inline void seccomp_conf_init(struct lxc_conf *conf)
{
}

static inline int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
					  struct lxc_epoll_descr *descr,
					  struct lxc_handler *handler)
{
	return 0;
}

static inline int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
					       int socket_fd)
{
	return 0;
}

static inline int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
					int socket_fd)
{
	return 0;
}

static inline int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
					   struct lxc_seccomp *seccomp)
{
	return 0;
}

static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
{
	return -EBADF;
}

#endif /* HAVE_SECCOMP */
#endif /* __LXC_LXCSECCOMP_H */
Commit	Line	Data
cc73685d	1	/* SPDX-License-Identifier: LGPL-2.1+ */
8f2c3a70	2
f1a4a029 ÇO	3	#ifndef __LXC_LXCSECCOMP_H
f1a4a029 ÇO	4	#define __LXC_LXCSECCOMP_H
8f2c3a70	5
c3e3c21a CB	6	#ifndef _GNU_SOURCE
	7	#define _GNU_SOURCE 1
	8	#endif
cdb2a47f CB	9	#include <errno.h>
cdb2a47f CB	10	#ifdef HAVE_SECCOMP
c3e3c21a	11	#include <linux/seccomp.h>
cdb2a47f CB	12	#include <seccomp.h>
cdb2a47f CB	13	#endif
d7d2d2d9	14	#if HAVE_DECL_SECCOMP_NOTIFY_FD
c3e3c21a CB	15	#include <sys/socket.h>
	16	#include <sys/un.h>
	17	#endif
cdb2a47f	18
d6e12907	19	#include "compiler.h"
8f2c3a70	20	#include "conf.h"
c3e3c21a CB	21	#include "config.h"
	22	#include "memory_utils.h"
	23
	24	struct lxc_conf;
	25	struct lxc_epoll_descr;
	26	struct lxc_handler;
8f2c3a70	27
fe02f63c CB	28	#ifndef SECCOMP_FILTER_FLAG_NEW_LISTENER
	29	#define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3)
	30	#endif
	31
8f2c3a70	32	#ifdef HAVE_SECCOMP
c3e3c21a	33
ebc1c319	34
d7d2d2d9	35	#if HAVE_DECL_SECCOMP_NOTIFY_FD
ebc1c319	36
4a094eec WB	37	#if !HAVE_STRUCT_SECCOMP_NOTIF_SIZES
	38	struct seccomp_notif_sizes {
	39	__u16 seccomp_notif;
	40	__u16 seccomp_notif_resp;
	41	__u16 seccomp_data;
	42	};
	43	#endif
	44
ebc1c319	45	struct seccomp_notify_proxy_msg {
4a094eec	46	uint64_t __reserved;
ebc1c319 CB	47	pid_t monitor_pid;
ebc1c319 CB	48	pid_t init_pid;
4a094eec WB	49	struct seccomp_notif_sizes sizes;
	50	uint64_t cookie_len;
	51	/* followed by: seccomp_notif, seccomp_notif_resp, cookie */
2a621ece	52	};
ebc1c319	53
c3e3c21a CB	54	struct seccomp_notify {
	55	bool wants_supervision;
	56	int notify_fd;
	57	int proxy_fd;
	58	struct sockaddr_un proxy_addr;
4a094eec	59	struct seccomp_notif_sizes sizes;
c3e3c21a CB	60	struct seccomp_notif *req_buf;
c3e3c21a CB	61	struct seccomp_notif_resp *rsp_buf;
84cf6d25	62	char *cookie;
c3e3c21a CB	63	};
	64
	65	#define HAVE_SECCOMP_NOTIFY 1
	66
d7d2d2d9	67	#endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */
c3e3c21a CB	68
	69	struct lxc_seccomp {
	70	char *seccomp;
	71	#if HAVE_SCMP_FILTER_CTX
	72	unsigned int allow_nesting;
	73	scmp_filter_ctx seccomp_ctx;
	74	#endif /* HAVE_SCMP_FILTER_CTX */
	75
d7d2d2d9	76	#if HAVE_DECL_SECCOMP_NOTIFY_FD
c3e3c21a	77	struct seccomp_notify notifier;
d7d2d2d9	78	#endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */
c3e3c21a CB	79	};
c3e3c21a CB	80
d6e12907 CB	81	__hidden extern int lxc_seccomp_load(struct lxc_conf *conf);
	82	__hidden extern int lxc_read_seccomp_config(struct lxc_conf *conf);
	83	__hidden extern void lxc_seccomp_free(struct lxc_seccomp *seccomp);
	84	__hidden extern int seccomp_notify_handler(int fd, uint32_t events, void *data,
	85	struct lxc_epoll_descr *descr);
	86	__hidden extern void seccomp_conf_init(struct lxc_conf *conf);
	87	__hidden extern int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
	88	struct lxc_epoll_descr *descr,
	89	struct lxc_handler *handler);
	90	__hidden extern int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp, int socket_fd);
	91	__hidden extern int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp, int socket_fd);
	92	__hidden extern int lxc_seccomp_add_notifier(const char name, const char lxcpath,
	93	struct lxc_seccomp *seccomp);
c3e3c21a CB	94	static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
c3e3c21a CB	95	{
d7d2d2d9	96	#if HAVE_DECL_SECCOMP_NOTIFY_FD
c3e3c21a	97	return seccomp->notifier.notify_fd;
8f2c3a70	98	#else
c3e3c21a CB	99	errno = ENOSYS;
	100	return -EBADF;
	101	#endif
	102	}
	103
	104	#else /* HAVE_SECCOMP */
	105
	106	struct lxc_seccomp {
	107	char *seccomp;
	108	};
	109
5fdc4e77 CB	110	static inline int lxc_seccomp_load(struct lxc_conf *conf)
5fdc4e77 CB	111	{
8f2c3a70 SH	112	return 0;
	113	}
	114
5fdc4e77 CB	115	static inline int lxc_read_seccomp_config(struct lxc_conf *conf)
5fdc4e77 CB	116	{
8f2c3a70 SH	117	return 0;
8f2c3a70 SH	118	}
769872f9	119
c3e3c21a	120	static inline void lxc_seccomp_free(struct lxc_seccomp *seccomp)
5fdc4e77	121	{
c3e3c21a	122	free_disarm(seccomp->seccomp);
769872f9	123	}
c3e3c21a	124
cdb2a47f CB	125	static inline int seccomp_notify_handler(int fd, uint32_t events, void *data,
	126	struct lxc_epoll_descr *descr)
	127	{
	128	return -ENOSYS;
	129	}
8f2c3a70	130
c3e3c21a CB	131	static inline void seccomp_conf_init(struct lxc_conf *conf)
	132	{
	133	}
	134
2ac0f627 CB	135	static inline int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
	136	struct lxc_epoll_descr *descr,
	137	struct lxc_handler *handler)
c3e3c21a CB	138	{
	139	return 0;
	140	}
	141
	142	static inline int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
	143	int socket_fd)
	144	{
	145	return 0;
	146	}
	147
	148	static inline int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
	149	int socket_fd)
	150	{
	151	return 0;
	152	}
	153
	154	static inline int lxc_seccomp_add_notifier(const char name, const char lxcpath,
	155	struct lxc_seccomp *seccomp)
	156	{
	157	return 0;
	158	}
	159
	160	static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
	161	{
	162	return -EBADF;
	163	}
	164
	165	#endif /* HAVE_SECCOMP */
	166	#endif /* __LXC_LXCSECCOMP_H */