[mirror_lxc.git] / src / lxc / lxcseccomp.h

/*
 * lxc: linux Container library
 *
 * (C) Copyright Canonical, Inc. 2012
 *
 * Authors:
 * Serge Hallyn <serge.hallyn@canonical.com>
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 */

#ifndef __LXC_LXCSECCOMP_H
#define __LXC_LXCSECCOMP_H

#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1
#endif
#include <errno.h>
#ifdef HAVE_SECCOMP
#include <linux/seccomp.h>
#include <seccomp.h>
#endif
#if HAVE_DECL_SECCOMP_NOTIFY_FD
#include <sys/socket.h>
#include <sys/un.h>
#endif

#include "conf.h"
#include "config.h"
#include "memory_utils.h"

struct lxc_conf;
struct lxc_epoll_descr;
struct lxc_handler;

#ifndef SECCOMP_FILTER_FLAG_NEW_LISTENER
#define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3)
#endif

#ifdef HAVE_SECCOMP


#if HAVE_DECL_SECCOMP_NOTIFY_FD

#if !HAVE_STRUCT_SECCOMP_NOTIF_SIZES
struct seccomp_notif_sizes {
	__u16 seccomp_notif;
	__u16 seccomp_notif_resp;
	__u16 seccomp_data;
};
#endif

struct seccomp_notify_proxy_msg {
	uint64_t __reserved;
	pid_t monitor_pid;
	pid_t init_pid;
	struct seccomp_notif_sizes sizes;
	uint64_t cookie_len;
	/* followed by: seccomp_notif, seccomp_notif_resp, cookie */
};

struct seccomp_notify {
	bool wants_supervision;
	int notify_fd;
	int proxy_fd;
	struct sockaddr_un proxy_addr;
	struct seccomp_notif_sizes sizes;
	struct seccomp_notif *req_buf;
	struct seccomp_notif_resp *rsp_buf;
	char *cookie;
};

#define HAVE_SECCOMP_NOTIFY 1

#endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */

struct lxc_seccomp {
	char *seccomp;
#if HAVE_SCMP_FILTER_CTX
	unsigned int allow_nesting;
	scmp_filter_ctx seccomp_ctx;
#endif /* HAVE_SCMP_FILTER_CTX */

#if HAVE_DECL_SECCOMP_NOTIFY_FD
	struct seccomp_notify notifier;
#endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */
};

extern int lxc_seccomp_load(struct lxc_conf *conf);
extern int lxc_read_seccomp_config(struct lxc_conf *conf);
extern void lxc_seccomp_free(struct lxc_seccomp *seccomp);
extern int seccomp_notify_handler(int fd, uint32_t events, void *data,
				  struct lxc_epoll_descr *descr);
extern void seccomp_conf_init(struct lxc_conf *conf);
extern int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
				   struct lxc_epoll_descr *descr,
				   struct lxc_handler *handler);
extern int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
					int socket_fd);
extern int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
					int socket_fd);
extern int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
				    struct lxc_seccomp *seccomp);
static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
{
#if HAVE_DECL_SECCOMP_NOTIFY_FD
	return seccomp->notifier.notify_fd;
#else
	errno = ENOSYS;
	return -EBADF;
#endif
}

#else /* HAVE_SECCOMP */

struct lxc_seccomp {
	char *seccomp;
};

static inline int lxc_seccomp_load(struct lxc_conf *conf)
{
	return 0;
}

static inline int lxc_read_seccomp_config(struct lxc_conf *conf)
{
	return 0;
}

static inline void lxc_seccomp_free(struct lxc_seccomp *seccomp)
{
	free_disarm(seccomp->seccomp);
}

static inline int seccomp_notify_handler(int fd, uint32_t events, void *data,
				  struct lxc_epoll_descr *descr)
{
	return -ENOSYS;
}

static inline void seccomp_conf_init(struct lxc_conf *conf)
{
}

static inline int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
					  struct lxc_epoll_descr *descr,
					  struct lxc_handler *handler)
{
	return 0;
}

static inline int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
					       int socket_fd)
{
	return 0;
}

static inline int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
					int socket_fd)
{
	return 0;
}

static inline int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
					   struct lxc_seccomp *seccomp)
{
	return 0;
}

static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
{
	return -EBADF;
}

#endif /* HAVE_SECCOMP */
#endif /* __LXC_LXCSECCOMP_H */
Commit	Line	Data
8f2c3a70 SH	1	/*
	2	* lxc: linux Container library
	3	*
	4	* (C) Copyright Canonical, Inc. 2012
	5	*
	6	* Authors:
	7	* Serge Hallyn <serge.hallyn@canonical.com>
	8	*
	9	* This library is free software; you can redistribute it and/or
	10	* modify it under the terms of the GNU Lesser General Public
	11	* License as published by the Free Software Foundation; either
	12	* version 2.1 of the License, or (at your option) any later version.
	13	*
	14	* This library is distributed in the hope that it will be useful,
	15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	17	* Lesser General Public License for more details.
	18	*
	19	* You should have received a copy of the GNU Lesser General Public
	20	* License along with this library; if not, write to the Free Software
250b1eec	21	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
8f2c3a70 SH	22	*/
8f2c3a70 SH	23
f1a4a029 ÇO	24	#ifndef __LXC_LXCSECCOMP_H
f1a4a029 ÇO	25	#define __LXC_LXCSECCOMP_H
8f2c3a70	26
c3e3c21a CB	27	#ifndef _GNU_SOURCE
	28	#define _GNU_SOURCE 1
	29	#endif
cdb2a47f CB	30	#include <errno.h>
cdb2a47f CB	31	#ifdef HAVE_SECCOMP
c3e3c21a	32	#include <linux/seccomp.h>
cdb2a47f CB	33	#include <seccomp.h>
cdb2a47f CB	34	#endif
d7d2d2d9	35	#if HAVE_DECL_SECCOMP_NOTIFY_FD
c3e3c21a CB	36	#include <sys/socket.h>
	37	#include <sys/un.h>
	38	#endif
cdb2a47f	39
8f2c3a70	40	#include "conf.h"
c3e3c21a CB	41	#include "config.h"
	42	#include "memory_utils.h"
	43
	44	struct lxc_conf;
	45	struct lxc_epoll_descr;
	46	struct lxc_handler;
8f2c3a70	47
fe02f63c CB	48	#ifndef SECCOMP_FILTER_FLAG_NEW_LISTENER
	49	#define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3)
	50	#endif
	51
8f2c3a70	52	#ifdef HAVE_SECCOMP
c3e3c21a	53
ebc1c319	54
d7d2d2d9	55	#if HAVE_DECL_SECCOMP_NOTIFY_FD
ebc1c319	56
4a094eec WB	57	#if !HAVE_STRUCT_SECCOMP_NOTIF_SIZES
	58	struct seccomp_notif_sizes {
	59	__u16 seccomp_notif;
	60	__u16 seccomp_notif_resp;
	61	__u16 seccomp_data;
	62	};
	63	#endif
	64
ebc1c319	65	struct seccomp_notify_proxy_msg {
4a094eec	66	uint64_t __reserved;
ebc1c319 CB	67	pid_t monitor_pid;
ebc1c319 CB	68	pid_t init_pid;
4a094eec WB	69	struct seccomp_notif_sizes sizes;
	70	uint64_t cookie_len;
	71	/* followed by: seccomp_notif, seccomp_notif_resp, cookie */
2a621ece	72	};
ebc1c319	73
c3e3c21a CB	74	struct seccomp_notify {
	75	bool wants_supervision;
	76	int notify_fd;
	77	int proxy_fd;
	78	struct sockaddr_un proxy_addr;
4a094eec	79	struct seccomp_notif_sizes sizes;
c3e3c21a CB	80	struct seccomp_notif *req_buf;
c3e3c21a CB	81	struct seccomp_notif_resp *rsp_buf;
84cf6d25	82	char *cookie;
c3e3c21a CB	83	};
	84
	85	#define HAVE_SECCOMP_NOTIFY 1
	86
d7d2d2d9	87	#endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */
c3e3c21a CB	88
	89	struct lxc_seccomp {
	90	char *seccomp;
	91	#if HAVE_SCMP_FILTER_CTX
	92	unsigned int allow_nesting;
	93	scmp_filter_ctx seccomp_ctx;
	94	#endif /* HAVE_SCMP_FILTER_CTX */
	95
d7d2d2d9	96	#if HAVE_DECL_SECCOMP_NOTIFY_FD
c3e3c21a	97	struct seccomp_notify notifier;
d7d2d2d9	98	#endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */
c3e3c21a CB	99	};
c3e3c21a CB	100
5fdc4e77 CB	101	extern int lxc_seccomp_load(struct lxc_conf *conf);
5fdc4e77 CB	102	extern int lxc_read_seccomp_config(struct lxc_conf *conf);
c3e3c21a	103	extern void lxc_seccomp_free(struct lxc_seccomp *seccomp);
cdb2a47f CB	104	extern int seccomp_notify_handler(int fd, uint32_t events, void *data,
cdb2a47f CB	105	struct lxc_epoll_descr *descr);
c3e3c21a	106	extern void seccomp_conf_init(struct lxc_conf *conf);
2ac0f627 CB	107	extern int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
	108	struct lxc_epoll_descr *descr,
	109	struct lxc_handler *handler);
c3e3c21a CB	110	extern int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
	111	int socket_fd);
	112	extern int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
	113	int socket_fd);
	114	extern int lxc_seccomp_add_notifier(const char name, const char lxcpath,
	115	struct lxc_seccomp *seccomp);
	116	static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
	117	{
d7d2d2d9	118	#if HAVE_DECL_SECCOMP_NOTIFY_FD
c3e3c21a	119	return seccomp->notifier.notify_fd;
8f2c3a70	120	#else
c3e3c21a CB	121	errno = ENOSYS;
	122	return -EBADF;
	123	#endif
	124	}
	125
	126	#else /* HAVE_SECCOMP */
	127
	128	struct lxc_seccomp {
	129	char *seccomp;
	130	};
	131
5fdc4e77 CB	132	static inline int lxc_seccomp_load(struct lxc_conf *conf)
5fdc4e77 CB	133	{
8f2c3a70 SH	134	return 0;
	135	}
	136
5fdc4e77 CB	137	static inline int lxc_read_seccomp_config(struct lxc_conf *conf)
5fdc4e77 CB	138	{
8f2c3a70 SH	139	return 0;
8f2c3a70 SH	140	}
769872f9	141
c3e3c21a	142	static inline void lxc_seccomp_free(struct lxc_seccomp *seccomp)
5fdc4e77	143	{
c3e3c21a	144	free_disarm(seccomp->seccomp);
769872f9	145	}
c3e3c21a	146
cdb2a47f CB	147	static inline int seccomp_notify_handler(int fd, uint32_t events, void *data,
	148	struct lxc_epoll_descr *descr)
	149	{
	150	return -ENOSYS;
	151	}
8f2c3a70	152
c3e3c21a CB	153	static inline void seccomp_conf_init(struct lxc_conf *conf)
	154	{
	155	}
	156
2ac0f627 CB	157	static inline int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
	158	struct lxc_epoll_descr *descr,
	159	struct lxc_handler *handler)
c3e3c21a CB	160	{
	161	return 0;
	162	}
	163
	164	static inline int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
	165	int socket_fd)
	166	{
	167	return 0;
	168	}
	169
	170	static inline int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
	171	int socket_fd)
	172	{
	173	return 0;
	174	}
	175
	176	static inline int lxc_seccomp_add_notifier(const char name, const char lxcpath,
	177	struct lxc_seccomp *seccomp)
	178	{
	179	return 0;
	180	}
	181
	182	static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
	183	{
	184	return -EBADF;
	185	}
	186
	187	#endif /* HAVE_SECCOMP */
	188	#endif /* __LXC_LXCSECCOMP_H */