1 /* SPDX-License-Identifier: LGPL-2.1+ */
3 #ifndef __LXC_ATTACH_OPTIONS_H
4 #define __LXC_ATTACH_OPTIONS_H
/*!
 * LXC environment policy.
 *
 * Selects what the attached process starts with as its environment;
 * see lxc_attach_options_t.env_policy, extra_env_vars and extra_keep_env.
 */
typedef enum lxc_attach_env_policy_t {
	LXC_ATTACH_KEEP_ENV = 0, /*!< Retain the environment */
/* Self-referencing define so the value is also visible to the preprocessor
 * (e.g. #ifdef LXC_ATTACH_KEEP_ENV). Same idiom for every constant below. */
#define LXC_ATTACH_KEEP_ENV LXC_ATTACH_KEEP_ENV
	LXC_ATTACH_CLEAR_ENV = 1, /*!< Clear the environment */
#define LXC_ATTACH_CLEAR_ENV LXC_ATTACH_CLEAR_ENV
} lxc_attach_env_policy_t;
/* The following are on by default: */
LXC_ATTACH_MOVE_TO_CGROUP = 0x00000001, /*!< Move to cgroup */
#define LXC_ATTACH_MOVE_TO_CGROUP LXC_ATTACH_MOVE_TO_CGROUP
LXC_ATTACH_DROP_CAPABILITIES = 0x00000002, /*!< Drop capabilities (clear this bit only if the attached process must keep them) */
#define LXC_ATTACH_DROP_CAPABILITIES LXC_ATTACH_DROP_CAPABILITIES
LXC_ATTACH_SET_PERSONALITY = 0x00000004, /*!< Set personality (see lxc_attach_options_t.personality) */
#define LXC_ATTACH_SET_PERSONALITY LXC_ATTACH_SET_PERSONALITY
LXC_ATTACH_LSM_EXEC = 0x00000008, /*!< Execute under a Linux Security Module */
#define LXC_ATTACH_LSM_EXEC LXC_ATTACH_LSM_EXEC

/* The following are off by default: */
LXC_ATTACH_REMOUNT_PROC_SYS = 0x00010000, /*!< Remount /proc filesystem */
#define LXC_ATTACH_REMOUNT_PROC_SYS LXC_ATTACH_REMOUNT_PROC_SYS
LXC_ATTACH_LSM_NOW = 0x00020000, /*!< TODO: currently unused (still included in the LXC_ATTACH_LSM mask) */
#define LXC_ATTACH_LSM_NOW LXC_ATTACH_LSM_NOW
/* Set PR_SET_NO_NEW_PRIVS to block execve() gainable privileges.
 * Off by default (not part of LXC_ATTACH_DEFAULT): OR it into attach_flags
 * when the attached command must not regain privileges through setuid or
 * file-capability binaries. */
LXC_ATTACH_NO_NEW_PRIVS = 0x00040000, /*!< PR_SET_NO_NEW_PRIVS */
#define LXC_ATTACH_NO_NEW_PRIVS LXC_ATTACH_NO_NEW_PRIVS
LXC_ATTACH_TERMINAL = 0x00080000, /*!< Allocate new terminal for attached process. */
#define LXC_ATTACH_TERMINAL LXC_ATTACH_TERMINAL
LXC_ATTACH_LSM_LABEL = 0x00100000, /*!< Set custom LSM label specified in @lsm_label. */
#define LXC_ATTACH_LSM_LABEL LXC_ATTACH_LSM_LABEL
LXC_ATTACH_SETGROUPS = 0x00200000, /*!< Set additional group ids specified in @groups. */
#define LXC_ATTACH_SETGROUPS LXC_ATTACH_SETGROUPS

/* We have 16 bits for things that are on by default and 16 bits that
 * are off by default, that should be sufficient to keep binary
 * compatibility for a while.
 *
 * Because the mask covers the whole low half-word, any flag later added
 * below 0x00010000 becomes enabled by default automatically, and every
 * bit a caller clears from this mask disables one of the on-by-default
 * behaviours above (e.g. the capability drop). */
LXC_ATTACH_DEFAULT = 0x0000FFFF /*!< Mask of flags to apply by default */
#define LXC_ATTACH_DEFAULT LXC_ATTACH_DEFAULT
/*! All Linux Security Module flags.
 * Includes LXC_ATTACH_LSM_NOW, which is marked unused above, so masking
 * attach_flags with this value also clears that bit. */
#define LXC_ATTACH_LSM (LXC_ATTACH_LSM_EXEC | LXC_ATTACH_LSM_NOW | LXC_ATTACH_LSM_LABEL)
/*! LXC attach function type.
 *
 * Function to run in container.
 *
 * \param payload Opaque argument handed to the function unchanged. The
 *                built-in lxc_attach_run_command() expects a
 *                \ref lxc_attach_command_t here; lxc_attach_run_shell()
 *                ignores it.
 *
 * \return Function should return \c 0 on success, and any other value to denote failure.
 */
typedef int (*lxc_attach_exec_t)(void* payload);
80 typedef struct lxc_groups_t
{
/*! Personality value meaning "autodetect"; see lxc_attach_options_t.personality. */
#define LXC_ATTACH_DETECT_PERSONALITY ~0L
/*!
 * LXC attach options for \ref lxc_container \c attach().
 *
 * Start from LXC_ATTACH_OPTIONS_DEFAULT and override individual members;
 * the defaults apply the LXC_ATTACH_DEFAULT flag mask and keep the
 * existing environment.
 */
typedef struct lxc_attach_options_t {
	/*! Any combination of LXC_ATTACH_* flags.
	 * Bits removed from LXC_ATTACH_DEFAULT disable on-by-default behaviour
	 * such as LXC_ATTACH_DROP_CAPABILITIES; off-by-default hardening such
	 * as LXC_ATTACH_NO_NEW_PRIVS has to be OR'ed in explicitly.
	 */

	/*! The namespaces to attach to (CLONE_NEW... flags) */

	/*! Initial personality (\c LXC_ATTACH_DETECT_PERSONALITY to autodetect).
	 * \warning This may be ignored if lxc is compiled without personality
	 * support. Presumably only honoured when LXC_ATTACH_SET_PERSONALITY is
	 * set in attach_flags — confirm against the implementation.
	 */

	/*! Initial current directory, use \c NULL to use cwd.
	 * If the current directory does not exist in the container, the root
	 * directory will be used instead because of kernel defaults.
	 */

	/*! The user-id to run as.
	 *
	 * \note Set to \c -1 for default behaviour (init uid for userns
	 * containers or \c 0 (super-user) if detection fails).
	 * NOTE(review): the fallback when detection fails is uid 0, so set
	 * this explicitly whenever an unprivileged identity is required.
	 */

	/*! The group-id to run as.
	 *
	 * \note Set to \c -1 for default behaviour (init gid for userns
	 * containers or \c 0 (super-user) if detection fails).
	 * NOTE(review): same fallback to gid 0 as for the user-id above.
	 */

	/*! Environment policy: LXC_ATTACH_KEEP_ENV retains the existing
	 * environment, LXC_ATTACH_CLEAR_ENV clears it (see extra_keep_env and
	 * extra_env_vars). */
	lxc_attach_env_policy_t env_policy;

	/*! Extra environment variables to set in the container environment.
	 * Presumably a NULL-terminated array of "NAME=VALUE" strings, since
	 * LXC_ATTACH_OPTIONS_DEFAULT initialises it to NULL — confirm against
	 * the implementation. */
	char **extra_env_vars;

	/*! Names of environment variables in existing environment to retain
	 * in container environment (presumably only meaningful together with
	 * LXC_ATTACH_CLEAR_ENV — confirm against the implementation).
	 */
	char **extra_keep_env;

	/*! File descriptors for stdin, stdout and stderr,
	 * \c dup2() will be used before calling exec_function,
	 * (assuming not \c 0, \c 1 and \c 2 are specified) and the
	 * original fds are closed before passing control
	 * over. Any \c O_CLOEXEC flag will be removed afterwards, so the
	 * descriptors are inherited by the executed program.
	 */
	int stdin_fd;  /*!< stdin file descriptor */
	int stdout_fd; /*!< stdout file descriptor */
	int stderr_fd; /*!< stderr file descriptor */

	/*! File descriptor to log output. */

	/*! lsm label to set (applied with LXC_ATTACH_LSM_LABEL in attach_flags). */

	/*! The additional group GIDs to run with (applied with
	 * LXC_ATTACH_SETGROUPS in attach_flags).
	 *
	 * If unset all additional groups are dropped.
	 */
} lxc_attach_options_t;
/*! Default attach options to use.
 *
 * attach_flags starts as LXC_ATTACH_DEFAULT, i.e. every "on by default"
 * flag (cgroup move, capability drop, personality, LSM exec) enabled and
 * every "off by default" flag, including LXC_ATTACH_NO_NEW_PRIVS, left
 * disabled. env_policy defaults to LXC_ATTACH_KEEP_ENV, so the existing
 * environment is retained unless overridden.
 */
#define LXC_ATTACH_OPTIONS_DEFAULT \
	.attach_flags = LXC_ATTACH_DEFAULT, \
	.personality = LXC_ATTACH_DETECT_PERSONALITY, \
	.initial_cwd = NULL, \
	.env_policy = LXC_ATTACH_KEEP_ENV, \
	.extra_env_vars = NULL, \
	.extra_keep_env = NULL, \
/*!
 * Representation of a command to run in a container.
 *
 * Consumed by lxc_attach_run_command() via its \c payload argument.
 */
typedef struct lxc_attach_command_t {
	char *program; /*!< The program to run (passed to execvp, so a bare name is resolved through PATH; use an absolute path when the resolved binary matters) */
	char **argv;   /*!< The argv pointer of that program, including the program itself in argv[0] */
} lxc_attach_command_t;
/*!
 * \brief Run a command in the container.
 *
 * Ready-made \ref lxc_attach_exec_t: treats \c payload as a
 * \ref lxc_attach_command_t and runs its \c program with \c argv.
 *
 * \param payload \ref lxc_attach_command_t to run.
 *
 * \return \c -1 on error, exit code of lxc_attach_command_t program on success.
 */
extern int lxc_attach_run_command(void* payload);
/*!
 * \brief Run a shell command in the container.
 *
 * Ready-made \ref lxc_attach_exec_t that starts a shell; which shell is
 * chosen is not specified by this header — confirm in the implementation.
 *
 * \param payload Not used.
 *
 * \return Exit code of shell.
 */
extern int lxc_attach_run_shell(void* payload);