1 /* SPDX-License-Identifier: LGPL-2.1+ */
2
3 #ifndef __LXC_LXCSECCOMP_H
4 #define __LXC_LXCSECCOMP_H
5
6 #ifndef _GNU_SOURCE
7 #define _GNU_SOURCE 1
8 #endif
9 #include <errno.h>
10 #ifdef HAVE_SECCOMP
11 #include <linux/seccomp.h>
12 #include <seccomp.h>
13 #endif
14 #if HAVE_DECL_SECCOMP_NOTIFY_FD
15 #include <sys/socket.h>
16 #include <sys/un.h>
17 #endif
18
19 #include "compiler.h"
20 #include "conf.h"
21 #include "config.h"
22 #include "memory_utils.h"
23
24 struct lxc_conf;
25 struct lxc_epoll_descr;
26 struct lxc_handler;
27
/* Fallback for system headers that predate seccomp user notification.
 * The value must be identical to the kernel UAPI bit of the same name
 * (1UL << 3); a different value would hand seccomp(2) the wrong filter flag,
 * so never "fix" this constant independently of the kernel header. */
#ifndef SECCOMP_FILTER_FLAG_NEW_LISTENER
#define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3)
#endif
31
32 #ifdef HAVE_SECCOMP
33
34
35 #if HAVE_DECL_SECCOMP_NOTIFY_FD
36
37 #if !HAVE_STRUCT_SECCOMP_NOTIF_SIZES
/* Local mirror of the kernel UAPI struct seccomp_notif_sizes, only compiled
 * when configure did not find the struct in the installed headers. The
 * layout (three __u16 in this order) must match the kernel's exactly, since
 * the kernel fills it in; do not reorder or widen the members. */
struct seccomp_notif_sizes {
	__u16 seccomp_notif;		/* size the kernel reports for struct seccomp_notif */
	__u16 seccomp_notif_resp;	/* size the kernel reports for struct seccomp_notif_resp */
	__u16 seccomp_data;		/* size the kernel reports for struct seccomp_data */
};
43 #endif
44
/* Fixed-size header of a message exchanged with an external seccomp proxy
 * (presumably over the unix socket described by seccomp_notify.proxy_addr).
 * A variable-length payload follows the header in memory, in the order
 * given by the trailing comment; its pieces are presumably sized by
 * sizes.seccomp_notif, sizes.seccomp_notif_resp and cookie_len respectively.
 *
 * NOTE(review): on receipt every field after __reserved is peer-supplied.
 * Whichever side reads one of these must check sizes.* and cookie_len
 * against the number of bytes actually received before using them to
 * locate or copy the payload. */
struct seccomp_notify_proxy_msg {
	uint64_t __reserved;		/* reserved for future use; currently carries no meaning here */
	pid_t monitor_pid;		/* presumably the lxc monitor's pid — confirm against sender */
	pid_t init_pid;			/* presumably the container init's pid — confirm against sender */
	struct seccomp_notif_sizes sizes;	/* kernel-reported struct sizes the payload was built with */
	uint64_t cookie_len;		/* length in bytes of the trailing cookie */
	/* followed by: seccomp_notif, seccomp_notif_resp, cookie */
};
53
/* Per-container runtime state for the seccomp user-notification path.
 * Only compiled when the headers declare SECCOMP_NOTIFY_FD support.
 *
 * NOTE(review): notify_fd is the seccomp listener. Its holder can observe
 * and answer the syscalls the filter traps, so it must never become
 * reachable from inside the container (keep it close-on-exec, never pass
 * it in); the same applies to any copy sent via lxc_seccomp_send_notifier_fd(). */
struct seccomp_notify {
	bool wants_supervision;		/* the config asked for an external proxy — TODO confirm where it is set */
	int notify_fd;			/* seccomp listener fd, presumably obtained with SECCOMP_FILTER_FLAG_NEW_LISTENER */
	int proxy_fd;			/* socket to the external proxy */
	struct sockaddr_un proxy_addr;	/* unix-socket address of the proxy */
	struct seccomp_notif_sizes sizes;	/* kernel-reported struct sizes; presumably used to size the buffers below */
	struct seccomp_notif *req_buf;	/* buffer for one incoming notification */
	struct seccomp_notif_resp *rsp_buf;	/* buffer for the matching response */
	char *cookie;			/* opaque cookie forwarded to the proxy; heap-owned (freed in lxc_seccomp_free — TODO confirm) */
};
64
65 #define HAVE_SECCOMP_NOTIFY 1
66
67 #endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */
68
/* Seccomp configuration and runtime state attached to a container's
 * struct lxc_conf. Members are present only when the matching feature was
 * detected at configure time, so any code touching the optional members
 * must sit under the same preprocessor guards as used here. */
struct lxc_seccomp {
	char *seccomp;			/* heap-owned profile path/string from the config, or NULL */
#if HAVE_SCMP_FILTER_CTX
	unsigned int allow_nesting;	/* non-zero lets a nested filter be stacked — TODO confirm semantics in seccomp.c */
	scmp_filter_ctx seccomp_ctx;	/* libseccomp filter context built from the profile */
#endif /* HAVE_SCMP_FILTER_CTX */

#if HAVE_DECL_SECCOMP_NOTIFY_FD
	struct seccomp_notify notifier;	/* user-notification state (listener fd, proxy socket, buffers) */
#endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */
};
80
/* Library-internal (__hidden) seccomp entry points, implemented elsewhere
 * (presumably seccomp.c) when HAVE_SECCOMP is set. The #else branch of this
 * header provides no-op stand-ins with identical signatures; see those for
 * the return conventions callers may rely on (0 on success, negative errno
 * style on failure). */

/* Build and apply the filter described by conf->seccomp — TODO confirm
 * whether it is applied to the calling task or elsewhere. */
__hidden extern int lxc_seccomp_load(struct lxc_conf *conf);
/* Parse the configured seccomp profile into conf->seccomp state. */
__hidden extern int lxc_read_seccomp_config(struct lxc_conf *conf);
/* Release everything owned by *seccomp (profile string and, where built,
 * the libseccomp context and notify buffers). */
__hidden extern void lxc_seccomp_free(struct lxc_seccomp *seccomp);
/* Mainloop callback for readiness on the seccomp listener fd. */
__hidden extern int seccomp_notify_handler(int fd, uint32_t events, void *data,
					   struct lxc_epoll_descr *descr);
/* Set conf's seccomp state to its defaults before config parsing. */
__hidden extern void seccomp_conf_init(struct lxc_conf *conf);
/* Connect to the configured external notify proxy and register the
 * notification handler with descr. */
__hidden extern int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
					    struct lxc_epoll_descr *descr,
					    struct lxc_handler *handler);
/* Pass the notifier fd to the peer on socket_fd / take it from the peer.
 * NOTE(review): the received fd is as powerful as the listener itself;
 * the receiving side should only accept it from the expected peer. */
__hidden extern int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp, int socket_fd);
__hidden extern int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp, int socket_fd);
/* Register the notifier for the container name under lxcpath — TODO confirm
 * what "add" covers (mainloop registration vs. proxy announcement). */
__hidden extern int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
					     struct lxc_seccomp *seccomp);
/* Fetch the seccomp listener fd stored for this container.
 *
 * @seccomp: per-container seccomp state.
 *
 * With SECCOMP_NOTIFY_FD support compiled in, returns whatever is recorded
 * in seccomp->notifier.notify_fd (no validity check is made here). Without
 * it, there is no listener: errno is set to ENOSYS to name the real cause
 * and -EBADF is returned as the invalid-descriptor value.
 */
static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
{
	int fd = -EBADF;

#if HAVE_DECL_SECCOMP_NOTIFY_FD
	fd = seccomp->notifier.notify_fd;
#else
	(void)seccomp;
	errno = ENOSYS;
#endif

	return fd;
}
103
104 #else /* HAVE_SECCOMP */
105
/* Minimal seccomp state for builds without seccomp support. The profile
 * string from the config is still stored (and released by the
 * lxc_seccomp_free() stub below), but nothing is ever loaded from it. */
struct lxc_seccomp {
	char *seccomp;		/* heap-owned profile path/string from the config, or NULL */
};
109
/* Stand-in for builds without seccomp support.
 *
 * @conf: container configuration; not consulted.
 *
 * Returns 0 without doing anything. Callers therefore proceed as if a
 * filter had been applied, although none is: a profile set in the config
 * is silently not enforced on such a build.
 */
static inline int lxc_seccomp_load(struct lxc_conf *conf)
{
	(void)conf;
	return 0;
}
114
/* Stand-in for builds without seccomp support.
 *
 * @conf: container configuration; not consulted.
 *
 * Returns 0 without reading anything. A configured profile path is
 * accepted unread, so no diagnostic is produced for it here.
 */
static inline int lxc_read_seccomp_config(struct lxc_conf *conf)
{
	(void)conf;
	return 0;
}
119
/* Release the seccomp state on a build without seccomp support.
 *
 * @seccomp: per-container seccomp state; only the profile string exists here.
 *
 * free_disarm() comes from memory_utils.h; presumably it frees the pointer
 * and resets it to NULL so a repeated call is harmless — confirm against
 * its definition before relying on that. */
static inline void lxc_seccomp_free(struct lxc_seccomp *seccomp)
{
	free_disarm(seccomp->seccomp);
}
124
/* Stand-in mainloop callback for builds without seccomp support.
 *
 * @fd:     the descriptor that became ready; ignored.
 * @events: the epoll event mask; ignored.
 * @data:   opaque callback data; ignored.
 * @descr:  the owning mainloop; ignored.
 *
 * Returns -ENOSYS: there is no notification path to service.
 */
static inline int seccomp_notify_handler(int fd, uint32_t events, void *data,
					 struct lxc_epoll_descr *descr)
{
	(void)fd;
	(void)events;
	(void)data;
	(void)descr;
	return -ENOSYS;
}
130
/* Stand-in for builds without seccomp support.
 *
 * @conf: container configuration; not touched.
 *
 * There is no seccomp state to initialise, so this does nothing.
 */
static inline void seccomp_conf_init(struct lxc_conf *conf)
{
	(void)conf;
}
134
/* Stand-in for builds without seccomp support.
 *
 * @seccomp: per-container seccomp state; not consulted.
 * @descr:   mainloop to register a handler with; left untouched.
 * @handler: container handler; left untouched.
 *
 * Returns 0: there is no notifier to proxy, so nothing is registered and
 * the caller continues as if setup had succeeded.
 */
static inline int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
					  struct lxc_epoll_descr *descr,
					  struct lxc_handler *handler)
{
	(void)seccomp;
	(void)descr;
	(void)handler;
	return 0;
}
141
/* Stand-in for builds without seccomp support.
 *
 * @seccomp:   per-container seccomp state; not consulted.
 * @socket_fd: socket the fd would be sent over; nothing is written to it.
 *
 * Returns 0: there is no notifier fd to send.
 */
static inline int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
					       int socket_fd)
{
	(void)seccomp;
	(void)socket_fd;
	return 0;
}
147
/* Stand-in for builds without seccomp support.
 *
 * @seccomp:   per-container seccomp state; not modified.
 * @socket_fd: socket the fd would be received from; nothing is read from it.
 *
 * Returns 0: there is no notifier fd to receive.
 */
static inline int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
					       int socket_fd)
{
	(void)seccomp;
	(void)socket_fd;
	return 0;
}
153
/* Stand-in for builds without seccomp support.
 *
 * @name:    container name; not consulted.
 * @lxcpath: container path; not consulted.
 * @seccomp: per-container seccomp state; not modified.
 *
 * Returns 0: there is no notifier to add.
 */
static inline int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
					   struct lxc_seccomp *seccomp)
{
	(void)name;
	(void)lxcpath;
	(void)seccomp;
	return 0;
}
159
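/* Stand-in for builds without seccomp support.
 *
 * @seccomp: per-container seccomp state; not consulted.
 *
 * There is never a listener fd on such a build. This mirrors the
 * "no SECCOMP_NOTIFY_FD" path of the HAVE_SECCOMP variant of this
 * function: errno is set to ENOSYS so a caller that logs errno sees the
 * real cause (feature compiled out, not a stale or closed descriptor),
 * and -EBADF is returned as the invalid-descriptor value.
 */
static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
{
	(void)seccomp;
	errno = ENOSYS;
	return -EBADF;
}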
164
165 #endif /* HAVE_SECCOMP */
166 #endif /* __LXC_LXCSECCOMP_H */