1 /* SPDX-License-Identifier: LGPL-2.1+ */
2
3 #ifndef __LXC_LXCSECCOMP_H
4 #define __LXC_LXCSECCOMP_H
5
6 #include "config.h"
7
8 #include <errno.h>
9
10 #if HAVE_SECCOMP
11 #include <linux/seccomp.h>
12 #include <seccomp.h>
13 #endif
14
15 #if HAVE_DECL_SECCOMP_NOTIFY_FD
16 #include <sys/socket.h>
17 #include <sys/un.h>
18 #endif
19
20 #include "compiler.h"
21 #include "conf.h"
22 #include "memory_utils.h"
23
24 struct lxc_conf;
25 struct lxc_async_descr;
26 struct lxc_handler;
27
/*
 * Older kernel headers predate SECCOMP_FILTER_FLAG_NEW_LISTENER (the
 * seccomp() flag used to request a user-notification listener fd, which
 * is what the notify_fd handling further down relies on). Define it
 * ourselves so the code still builds against them. The value is passed
 * straight to the kernel, so it must stay identical to the uapi
 * definition in linux/seccomp.h.
 */
#ifndef SECCOMP_FILTER_FLAG_NEW_LISTENER
#define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3)
#endif
31
32 #if HAVE_SECCOMP
33
34
35 #if HAVE_DECL_SECCOMP_NOTIFY_FD
36
37 #if !HAVE_STRUCT_SECCOMP_NOTIF_SIZES
/*
 * Fallback for libc/kernel headers that do not ship struct
 * seccomp_notif_sizes yet. It is only compiled when configure did not find
 * the real one, so field order and widths must stay byte-identical to the
 * uapi definition: the kernel fills this in (presumably via the
 * SECCOMP_GET_NOTIF_SIZES ioctl) and the values are embedded in the proxy
 * wire format below.
 */
struct seccomp_notif_sizes {
	__u16 seccomp_notif;      /* sizeof(struct seccomp_notif) as reported by the kernel */
	__u16 seccomp_notif_resp; /* sizeof(struct seccomp_notif_resp) */
	__u16 seccomp_data;       /* sizeof(struct seccomp_data) */
};
43 #endif
44
/*
 * Fixed header of the message exchanged with an external seccomp notify
 * proxy. It is followed, in this order, by three variable-length blobs:
 * the seccomp_notif request, the seccomp_notif_resp reply and an opaque
 * cookie of cookie_len bytes.
 *
 * NOTE(review): this structure crosses a socket boundary between
 * processes, so whatever parses it on the receiving side must treat
 * `sizes` and `cookie_len` as untrusted input and reject values larger
 * than the buffers it has allocated before reading the trailing data.
 * Because the layout is shared with other processes, do not reorder,
 * resize or repurpose fields without versioning the protocol.
 */
struct seccomp_notify_proxy_msg {
	uint64_t __reserved;               /* reserved for future use */
	pid_t monitor_pid;                 /* pid of the (monitor) process sending the message */
	pid_t init_pid;                    /* pid of the container's init */
	struct seccomp_notif_sizes sizes;  /* sizes of the seccomp structs that follow the header */
	uint64_t cookie_len;               /* length in bytes of the trailing cookie */
	/* followed by: seccomp_notif, seccomp_notif_resp, cookie */
};
53
/*
 * State for the seccomp user-notification ("notify") fd of one container
 * and its optional external proxy. Only compiled when the headers declare
 * seccomp notify fd support.
 */
struct seccomp_notify {
	bool wants_supervision;            /* set when a proxy is wanted; lxc_seccomp_close_notifier_fd() only closes notify_fd if this is set */
	int notify_fd;                     /* the listener fd for the container's seccomp filter */
	int proxy_fd;                      /* connection to the external proxy, presumably a unix socket at proxy_addr */
	struct sockaddr_un proxy_addr;     /* address of the external proxy */
	struct seccomp_notif_sizes sizes;  /* struct sizes as reported by the kernel */
	struct seccomp_notif *req_buf;     /* buffer holding one notification request */
	struct seccomp_notif_resp *rsp_buf;/* buffer holding one notification response */
	char *cookie;                      /* opaque cookie forwarded to the proxy (see cookie_len in the proxy message) */
};
64
65 #endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */
66
/*
 * Per-container seccomp state (presumably embedded in struct lxc_conf,
 * which the entry points below take). Everything beyond the config string
 * exists only when the matching libseccomp / kernel feature was detected
 * at configure time, so code touching those members must be guarded by
 * the same HAVE_* macros.
 */
struct lxc_seccomp {
	char *seccomp;                     /* seccomp configuration string; released by lxc_seccomp_free() */
#if HAVE_SCMP_FILTER_CTX
	unsigned int allow_nesting;        /* non-zero to permit a nested filter; exact semantics are defined by the loader, not here */
	scmp_filter_ctx seccomp_ctx;       /* libseccomp filter context built from the configuration */
#endif /* HAVE_SCMP_FILTER_CTX */

#if HAVE_DECL_SECCOMP_NOTIFY_FD
	struct seccomp_notify notifier;    /* user-notification / proxy state, see struct seccomp_notify */
#endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */
};
78
/*
 * Entry points implemented by the seccomp backend. All are __hidden, i.e.
 * internal to the library and not part of its public ABI. The stubs in the
 * !HAVE_SECCOMP branch below must keep these exact signatures so callers
 * compile identically in both configurations.
 */
/* Build and apply the seccomp filter described by conf. */
__hidden extern int lxc_seccomp_load(struct lxc_conf *conf);
/* Parse the seccomp configuration referenced by conf. */
__hidden extern int lxc_read_seccomp_config(struct lxc_conf *conf);
/* Release everything owned by seccomp (the struct itself is not freed). */
__hidden extern void lxc_seccomp_free(struct lxc_seccomp *seccomp);
/* Mainloop cleanup callback for the notify fd; note the (fd, data) signature. */
__hidden extern int seccomp_notify_cleanup_handler(int fd, void *data);
/* Mainloop I/O callback invoked when the notify fd becomes readable. */
__hidden extern int seccomp_notify_handler(int fd, uint32_t events, void *data,
					   struct lxc_async_descr *descr);
/* Reset the seccomp part of conf to its initial state. */
__hidden extern void seccomp_conf_init(struct lxc_conf *conf);
/* Connect to the external proxy and register the notify fd with descr. */
__hidden extern int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
					    struct lxc_async_descr *descr,
					    struct lxc_handler *handler);
/* Pass the notify fd over socket_fd (send) / receive it from there (recv). */
__hidden extern int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp, int socket_fd);
__hidden extern int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp, int socket_fd);
/* Register the notify fd of container name under lxcpath with seccomp. */
__hidden extern int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
					     struct lxc_seccomp *seccomp);
/*
 * Close the container's seccomp notify fd, but only if a proxy was
 * requested (wants_supervision); otherwise the fd is left alone. errno is
 * preserved across the close and the field is reset to an invalid fd.
 * Without notify fd support this is a no-op.
 */
static inline void lxc_seccomp_close_notifier_fd(struct lxc_seccomp *seccomp)
{
#if HAVE_DECL_SECCOMP_NOTIFY_FD
	if (!seccomp->notifier.wants_supervision)
		return;

	close_prot_errno_disarm(seccomp->notifier.notify_fd);
#endif
}
100
/*
 * Return the container's seccomp notify fd.
 *
 * When the headers lack notify fd support there is nothing to return:
 * the call yields -EBADF and sets errno to ENOSYS so callers can tell
 * "unsupported" from a genuine bad descriptor.
 */
static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
{
	int fd = -EBADF;

#if HAVE_DECL_SECCOMP_NOTIFY_FD
	fd = seccomp->notifier.notify_fd;
#else
	errno = ENOSYS;
#endif

	return fd;
}
110
111 #else /* HAVE_SECCOMP */
112
/*
 * Minimal shape of the seccomp state for builds without seccomp support:
 * only the configuration string survives, so the embedding struct keeps
 * the same member and lxc_seccomp_free() below still has something to
 * release.
 */
struct lxc_seccomp {
	char *seccomp; /* seccomp configuration string; released by lxc_seccomp_free() */
};
116
/*
 * Stub for builds without seccomp support: nothing to load.
 *
 * Returns 0 so container startup proceeds as if no filter were configured.
 */
static inline int lxc_seccomp_load(struct lxc_conf *conf)
{
	(void)conf;

	return 0;
}
121
/*
 * Stub for builds without seccomp support: the configuration is not
 * parsed at all.
 *
 * Returns 0 (success) unconditionally.
 */
static inline int lxc_read_seccomp_config(struct lxc_conf *conf)
{
	(void)conf;

	return 0;
}
126
/*
 * Stub for builds without seccomp support: release the configuration
 * string, the only member the reduced struct lxc_seccomp has. The struct
 * itself is owned by the caller and is not freed.
 */
static inline void lxc_seccomp_free(struct lxc_seccomp *seccomp)
{
	free_disarm(seccomp->seccomp);
}
131
/*
 * Stub mainloop I/O callback for builds without seccomp support. It must
 * never be reached because no notify fd is ever registered; if it is,
 * report ENOSYS rather than silently succeeding. Signature matches the
 * HAVE_SECCOMP declaration.
 */
static inline int seccomp_notify_handler(int fd, uint32_t events, void *data,
					 struct lxc_async_descr *descr)
{
	return ret_errno(ENOSYS);
}
137
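/*
 * Stub mainloop cleanup callback for builds without seccomp support.
 *
 * The signature mirrors the HAVE_SECCOMP declaration,
 * seccomp_notify_cleanup_handler(int fd, void *data), so that callers and
 * mainloop registrations compile identically in both configurations; the
 * previous one-argument form did not match and would have failed to build
 * (or mismatched as a callback pointer) without seccomp support.
 *
 * Like the notify handler stub it should never be reached, since no
 * notify fd is ever registered; if it is, errno is set to ENOSYS and
 * -ENOSYS returned, following the ret_errno() convention used by the
 * sibling stub.
 */
static inline int seccomp_notify_cleanup_handler(int fd, void *data)
{
	(void)fd;
	(void)data;

	errno = ENOSYS;
	return -ENOSYS;
}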
142
/*
 * Stub for builds without seccomp support: there is no seccomp state in
 * conf to initialise, so this does nothing.
 */
static inline void seccomp_conf_init(struct lxc_conf *conf)
{
	(void)conf;
}
146
/*
 * Stub for builds without seccomp support: no proxy can be set up because
 * there is no notify fd.
 *
 * Returns 0 so startup is not aborted.
 */
static inline int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
					  struct lxc_async_descr *descr,
					  struct lxc_handler *handler)
{
	(void)seccomp;
	(void)descr;
	(void)handler;

	return 0;
}
153
/*
 * Stub for builds without seccomp support: there is no notify fd to send
 * over socket_fd.
 *
 * Returns 0 (success) without touching the socket.
 */
static inline int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
					       int socket_fd)
{
	(void)seccomp;
	(void)socket_fd;

	return 0;
}
159
/*
 * Stub for builds without seccomp support: nothing is read from socket_fd
 * because no notify fd is expected.
 *
 * Returns 0 (success) without touching the socket.
 */
static inline int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
					       int socket_fd)
{
	(void)seccomp;
	(void)socket_fd;

	return 0;
}
165
/*
 * Stub for builds without seccomp support: no notifier is registered for
 * container name under lxcpath.
 *
 * Returns 0 (success) unconditionally.
 */
static inline int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
					   struct lxc_seccomp *seccomp)
{
	(void)name;
	(void)lxcpath;
	(void)seccomp;

	return 0;
}
171
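/*
 * Stub for builds without seccomp support: there is never a notify fd.
 *
 * Returns -EBADF and sets errno to ENOSYS. This matches the HAVE_SECCOMP
 * variant that is compiled when the headers lack notify fd support
 * (errno = ENOSYS; return -EBADF), so callers observe the same
 * (return value, errno) pair in every configuration instead of a stale
 * errno in this one.
 */
static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
{
	(void)seccomp;

	errno = ENOSYS;
	return -EBADF;
}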
176
/*
 * Stub for builds without seccomp support: there is no notify fd to close,
 * so this is a no-op.
 */
static inline void lxc_seccomp_close_notifier_fd(struct lxc_seccomp *seccomp)
{
	(void)seccomp;
}
180
181 #endif /* HAVE_SECCOMP */
182 #endif /* __LXC_LXCSECCOMP_H */