[mirror_lxc.git] / src / lxc / lxcseccomp.h

/*
 * lxc: linux Container library
 *
 * (C) Copyright Canonical, Inc. 2012
 *
 * Authors:
 * Serge Hallyn <serge.hallyn@canonical.com>
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Lesser General Public
 * License as published by the Free Software Foundation; either
 * version 2.1 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this library; if not, write to the Free Software
 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
 */

#ifndef __LXC_LXCSECCOMP_H
#define __LXC_LXCSECCOMP_H

#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1
#endif
#include <errno.h>
#ifdef HAVE_SECCOMP
#include <linux/seccomp.h>
#include <seccomp.h>
#endif
#if HAVE_DECL_SECCOMP_NOTIFY_FD
#include <sys/socket.h>
#include <sys/un.h>
#endif

#include "conf.h"
#include "config.h"
#include "memory_utils.h"

struct lxc_conf;
struct lxc_epoll_descr;
struct lxc_handler;

#ifndef SECCOMP_FILTER_FLAG_NEW_LISTENER
#define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3)
#endif

#ifdef HAVE_SECCOMP


#if HAVE_DECL_SECCOMP_NOTIFY_FD

struct seccomp_notify_proxy_msg {
	uint32_t version;
	struct seccomp_notif req;
	struct seccomp_notif_resp resp;
	pid_t monitor_pid;
	pid_t init_pid;
};

struct seccomp_notify {
	bool wants_supervision;
	int notify_fd;
	int proxy_fd;
	struct sockaddr_un proxy_addr;
	struct seccomp_notif *req_buf;
	struct seccomp_notif_resp *rsp_buf;
	char *cookie;
};

#define HAVE_SECCOMP_NOTIFY 1

#endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */

struct lxc_seccomp {
	char *seccomp;
#if HAVE_SCMP_FILTER_CTX
	unsigned int allow_nesting;
	scmp_filter_ctx seccomp_ctx;
#endif /* HAVE_SCMP_FILTER_CTX */

#if HAVE_DECL_SECCOMP_NOTIFY_FD
	struct seccomp_notify notifier;
#endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */
};

extern int lxc_seccomp_load(struct lxc_conf *conf);
extern int lxc_read_seccomp_config(struct lxc_conf *conf);
extern void lxc_seccomp_free(struct lxc_seccomp *seccomp);
extern int seccomp_notify_handler(int fd, uint32_t events, void *data,
				  struct lxc_epoll_descr *descr);
extern void seccomp_conf_init(struct lxc_conf *conf);
extern int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
				   struct lxc_epoll_descr *descr,
				   struct lxc_handler *handler);
extern int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
					int socket_fd);
extern int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
					int socket_fd);
extern int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
				    struct lxc_seccomp *seccomp);
static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
{
#if HAVE_DECL_SECCOMP_NOTIFY_FD
	return seccomp->notifier.notify_fd;
#else
	errno = ENOSYS;
	return -EBADF;
#endif
}

#else /* HAVE_SECCOMP */

struct lxc_seccomp {
	char *seccomp;
};

static inline int lxc_seccomp_load(struct lxc_conf *conf)
{
	return 0;
}

static inline int lxc_read_seccomp_config(struct lxc_conf *conf)
{
	return 0;
}

static inline void lxc_seccomp_free(struct lxc_seccomp *seccomp)
{
	free_disarm(seccomp->seccomp);
}

static inline int seccomp_notify_handler(int fd, uint32_t events, void *data,
				  struct lxc_epoll_descr *descr)
{
	return -ENOSYS;
}

static inline void seccomp_conf_init(struct lxc_conf *conf)
{
}

static inline int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
					  struct lxc_epoll_descr *descr,
					  struct lxc_handler *handler)
{
	return 0;
}

static inline int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
					       int socket_fd)
{
	return 0;
}

static inline int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
					int socket_fd)
{
	return 0;
}

static inline int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
					   struct lxc_seccomp *seccomp)
{
	return 0;
}

static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
{
	return -EBADF;
}

#endif /* HAVE_SECCOMP */
#endif /* __LXC_LXCSECCOMP_H */
Commit	Line	Data
8f2c3a70 SH	1	/*
	2	* lxc: linux Container library
	3	*
	4	* (C) Copyright Canonical, Inc. 2012
	5	*
	6	* Authors:
	7	* Serge Hallyn <serge.hallyn@canonical.com>
	8	*
	9	* This library is free software; you can redistribute it and/or
	10	* modify it under the terms of the GNU Lesser General Public
	11	* License as published by the Free Software Foundation; either
	12	* version 2.1 of the License, or (at your option) any later version.
	13	*
	14	* This library is distributed in the hope that it will be useful,
	15	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	16	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	17	* Lesser General Public License for more details.
	18	*
	19	* You should have received a copy of the GNU Lesser General Public
	20	* License along with this library; if not, write to the Free Software
250b1eec	21	* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
8f2c3a70 SH	22	*/
8f2c3a70 SH	23
f1a4a029 ÇO	24	#ifndef __LXC_LXCSECCOMP_H
f1a4a029 ÇO	25	#define __LXC_LXCSECCOMP_H
8f2c3a70	26
c3e3c21a CB	27	#ifndef _GNU_SOURCE
	28	#define _GNU_SOURCE 1
	29	#endif
cdb2a47f CB	30	#include <errno.h>
cdb2a47f CB	31	#ifdef HAVE_SECCOMP
c3e3c21a	32	#include <linux/seccomp.h>
cdb2a47f CB	33	#include <seccomp.h>
cdb2a47f CB	34	#endif
d7d2d2d9	35	#if HAVE_DECL_SECCOMP_NOTIFY_FD
c3e3c21a CB	36	#include <sys/socket.h>
	37	#include <sys/un.h>
	38	#endif
cdb2a47f	39
8f2c3a70	40	#include "conf.h"
c3e3c21a CB	41	#include "config.h"
	42	#include "memory_utils.h"
	43
	44	struct lxc_conf;
	45	struct lxc_epoll_descr;
	46	struct lxc_handler;
8f2c3a70	47
fe02f63c CB	48	#ifndef SECCOMP_FILTER_FLAG_NEW_LISTENER
	49	#define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3)
	50	#endif
	51
8f2c3a70	52	#ifdef HAVE_SECCOMP
c3e3c21a	53
ebc1c319	54
d7d2d2d9	55	#if HAVE_DECL_SECCOMP_NOTIFY_FD
ebc1c319 CB	56
	57	struct seccomp_notify_proxy_msg {
	58	uint32_t version;
	59	struct seccomp_notif req;
	60	struct seccomp_notif_resp resp;
	61	pid_t monitor_pid;
	62	pid_t init_pid;
2a621ece	63	};
ebc1c319	64
c3e3c21a CB	65	struct seccomp_notify {
	66	bool wants_supervision;
	67	int notify_fd;
	68	int proxy_fd;
	69	struct sockaddr_un proxy_addr;
	70	struct seccomp_notif *req_buf;
	71	struct seccomp_notif_resp *rsp_buf;
84cf6d25	72	char *cookie;
c3e3c21a CB	73	};
	74
	75	#define HAVE_SECCOMP_NOTIFY 1
	76
d7d2d2d9	77	#endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */
c3e3c21a CB	78
	79	struct lxc_seccomp {
	80	char *seccomp;
	81	#if HAVE_SCMP_FILTER_CTX
	82	unsigned int allow_nesting;
	83	scmp_filter_ctx seccomp_ctx;
	84	#endif /* HAVE_SCMP_FILTER_CTX */
	85
d7d2d2d9	86	#if HAVE_DECL_SECCOMP_NOTIFY_FD
c3e3c21a	87	struct seccomp_notify notifier;
d7d2d2d9	88	#endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */
c3e3c21a CB	89	};
c3e3c21a CB	90
5fdc4e77 CB	91	extern int lxc_seccomp_load(struct lxc_conf *conf);
5fdc4e77 CB	92	extern int lxc_read_seccomp_config(struct lxc_conf *conf);
c3e3c21a	93	extern void lxc_seccomp_free(struct lxc_seccomp *seccomp);
cdb2a47f CB	94	extern int seccomp_notify_handler(int fd, uint32_t events, void *data,
cdb2a47f CB	95	struct lxc_epoll_descr *descr);
c3e3c21a	96	extern void seccomp_conf_init(struct lxc_conf *conf);
2ac0f627 CB	97	extern int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
	98	struct lxc_epoll_descr *descr,
	99	struct lxc_handler *handler);
c3e3c21a CB	100	extern int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
	101	int socket_fd);
	102	extern int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
	103	int socket_fd);
	104	extern int lxc_seccomp_add_notifier(const char name, const char lxcpath,
	105	struct lxc_seccomp *seccomp);
	106	static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
	107	{
d7d2d2d9	108	#if HAVE_DECL_SECCOMP_NOTIFY_FD
c3e3c21a	109	return seccomp->notifier.notify_fd;
8f2c3a70	110	#else
c3e3c21a CB	111	errno = ENOSYS;
	112	return -EBADF;
	113	#endif
	114	}
	115
	116	#else /* HAVE_SECCOMP */
	117
	118	struct lxc_seccomp {
	119	char *seccomp;
	120	};
	121
5fdc4e77 CB	122	static inline int lxc_seccomp_load(struct lxc_conf *conf)
5fdc4e77 CB	123	{
8f2c3a70 SH	124	return 0;
	125	}
	126
5fdc4e77 CB	127	static inline int lxc_read_seccomp_config(struct lxc_conf *conf)
5fdc4e77 CB	128	{
8f2c3a70 SH	129	return 0;
8f2c3a70 SH	130	}
769872f9	131
c3e3c21a	132	static inline void lxc_seccomp_free(struct lxc_seccomp *seccomp)
5fdc4e77	133	{
c3e3c21a	134	free_disarm(seccomp->seccomp);
769872f9	135	}
c3e3c21a	136
cdb2a47f CB	137	static inline int seccomp_notify_handler(int fd, uint32_t events, void *data,
	138	struct lxc_epoll_descr *descr)
	139	{
	140	return -ENOSYS;
	141	}
8f2c3a70	142
c3e3c21a CB	143	static inline void seccomp_conf_init(struct lxc_conf *conf)
	144	{
	145	}
	146
2ac0f627 CB	147	static inline int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
	148	struct lxc_epoll_descr *descr,
	149	struct lxc_handler *handler)
c3e3c21a CB	150	{
	151	return 0;
	152	}
	153
	154	static inline int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
	155	int socket_fd)
	156	{
	157	return 0;
	158	}
	159
	160	static inline int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
	161	int socket_fd)
	162	{
	163	return 0;
	164	}
	165
	166	static inline int lxc_seccomp_add_notifier(const char name, const char lxcpath,
	167	struct lxc_seccomp *seccomp)
	168	{
	169	return 0;
	170	}
	171
	172	static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
	173	{
	174	return -EBADF;
	175	}
	176
	177	#endif /* HAVE_SECCOMP */
	178	#endif /* __LXC_LXCSECCOMP_H */