1 /* SPDX-License-Identifier: LGPL-2.1+ */
2
3 #ifndef __LXC_LXCSECCOMP_H
4 #define __LXC_LXCSECCOMP_H
5
6 #ifndef _GNU_SOURCE
7 #define _GNU_SOURCE 1
8 #endif
9 #include <errno.h>
10 #ifdef HAVE_SECCOMP
11 #include <linux/seccomp.h>
12 #include <seccomp.h>
13 #endif
14 #if HAVE_DECL_SECCOMP_NOTIFY_FD
15 #include <sys/socket.h>
16 #include <sys/un.h>
17 #endif
18
19 #include "conf.h"
20 #include "config.h"
21 #include "memory_utils.h"
22
23 struct lxc_conf;
24 struct lxc_epoll_descr;
25 struct lxc_handler;
26
27 #ifndef SECCOMP_FILTER_FLAG_NEW_LISTENER
28 #define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3)
29 #endif
30
31 #ifdef HAVE_SECCOMP
32
33
34 #if HAVE_DECL_SECCOMP_NOTIFY_FD
35
36 #if !HAVE_STRUCT_SECCOMP_NOTIF_SIZES
/*
 * Fallback definition, compiled only when the system headers do not already
 * provide struct seccomp_notif_sizes (HAVE_STRUCT_SECCOMP_NOTIF_SIZES unset).
 * The layout has to stay identical to the kernel's own definition, since the
 * same bytes are exchanged with the kernel (presumably via
 * SECCOMP_GET_NOTIF_SIZES — confirm in the seccomp code that fills it).
 */
struct seccomp_notif_sizes {
	__u16 seccomp_notif;      /* sizeof(struct seccomp_notif) as reported by the kernel */
	__u16 seccomp_notif_resp; /* sizeof(struct seccomp_notif_resp) */
	__u16 seccomp_data;       /* sizeof(struct seccomp_data) */
};
42 #endif
43
/*
 * Fixed-size header of the message exchanged with the seccomp notify proxy.
 * The variable-length payload named in the trailing comment follows it.
 *
 * NOTE(review): `sizes` and `cookie_len` are length fields that come from
 * the peer over a socket; the code that parses an incoming message (not
 * visible in this header) must bound them against the bytes actually
 * received before reading the trailing data.
 */
struct seccomp_notify_proxy_msg {
	uint64_t __reserved;                /* reserved for future use */
	pid_t monitor_pid;                  /* presumably the lxc monitor's pid — confirm at the sender */
	pid_t init_pid;                     /* presumably the container init's pid — confirm at the sender */
	struct seccomp_notif_sizes sizes;   /* sizes of the trailing seccomp_notif / seccomp_notif_resp */
	uint64_t cookie_len;                /* byte length of the trailing cookie */
	/* followed by: seccomp_notif, seccomp_notif_resp, cookie */
};
52
/*
 * Runtime state of the seccomp user-notification ("notify") feature for one
 * container.  Only present when built with SECCOMP_NOTIFY_FD support.
 */
struct seccomp_notify {
	bool wants_supervision;            /* presumably set when the config requests a proxy — confirm in conf parsing */
	int notify_fd;                     /* listener fd for the filter (see SECCOMP_FILTER_FLAG_NEW_LISTENER above); negative when absent, per lxc_seccomp_get_notify_fd() */
	int proxy_fd;                      /* socket to the user-space proxy */
	struct sockaddr_un proxy_addr;     /* unix-socket address of that proxy */
	struct seccomp_notif_sizes sizes;  /* kernel-reported struct sizes, presumably used to size the buffers below */
	struct seccomp_notif *req_buf;     /* request buffer; pointer, so heap-owned — check lxc_seccomp_free() for release */
	struct seccomp_notif_resp *rsp_buf;/* response buffer; same ownership caveat */
	char *cookie;                      /* opaque cookie forwarded in seccomp_notify_proxy_msg */
};
63
64 #define HAVE_SECCOMP_NOTIFY 1
65
66 #endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */
67
/*
 * Per-container seccomp configuration (HAVE_SECCOMP build).  Members are
 * compiled in depending on the libseccomp / kernel features detected at
 * configure time, so sizeof(struct lxc_seccomp) differs between builds.
 */
struct lxc_seccomp {
	char *seccomp;                     /* seccomp profile from the config, presumably a path; released by lxc_seccomp_free() */
#if HAVE_SCMP_FILTER_CTX
	unsigned int allow_nesting;        /* presumably allows nested seccomp filters — confirm in the config parser */
	scmp_filter_ctx seccomp_ctx;       /* libseccomp filter context */
#endif /* HAVE_SCMP_FILTER_CTX */

#if HAVE_DECL_SECCOMP_NOTIFY_FD
	struct seccomp_notify notifier;    /* user-notification state, see struct seccomp_notify */
#endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */
};
79
/*
 * Public seccomp API for the HAVE_SECCOMP build.  The definitions live in
 * another translation unit (not visible here); the !HAVE_SECCOMP branch
 * below provides no-op inline stubs with the same signatures, so callers
 * must compile against either.  Return conventions are not documented in
 * this header; the stubs return 0 (and -ENOSYS for the handler), so the
 * real implementations presumably follow the 0 / negative-errno pattern —
 * confirm before relying on it.
 */
extern int lxc_seccomp_load(struct lxc_conf *conf);
extern int lxc_read_seccomp_config(struct lxc_conf *conf);
/* Releases what struct lxc_seccomp owns; see the stub below for the minimal case. */
extern void lxc_seccomp_free(struct lxc_seccomp *seccomp);
/* epoll callback signature (fd, events, data, descr); -ENOSYS in the stub. */
extern int seccomp_notify_handler(int fd, uint32_t events, void *data,
				  struct lxc_epoll_descr *descr);
extern void seccomp_conf_init(struct lxc_conf *conf);
extern int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
				   struct lxc_epoll_descr *descr,
				   struct lxc_handler *handler);
/* Pass the notifier fd over / receive it from socket_fd (presumably SCM_RIGHTS — confirm). */
extern int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
					int socket_fd);
extern int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
					int socket_fd);
extern int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
				    struct lxc_seccomp *seccomp);
/*
 * Return the seccomp notifier fd stored in seccomp->notifier.notify_fd.
 *
 * When this build lacks SECCOMP_NOTIFY_FD support there is no notifier at
 * all: errno is set to ENOSYS and -EBADF is returned.  Callers must check
 * for a negative result before using the value as a descriptor.
 */
static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
{
#if HAVE_DECL_SECCOMP_NOTIFY_FD
	struct seccomp_notify *notifier = &seccomp->notifier;

	return notifier->notify_fd;
#else
	(void)seccomp;

	errno = ENOSYS;
	return -EBADF;
#endif
}
104
105 #else /* HAVE_SECCOMP */
106
/*
 * Minimal struct lxc_seccomp for builds without seccomp support: only the
 * configured profile string is kept, so the config parser can still accept
 * and store the option.
 */
struct lxc_seccomp {
	char *seccomp; /* seccomp profile from the config; freed by lxc_seccomp_free() */
};
110
/*
 * No-op stand-in for builds without seccomp support.
 *
 * Always succeeds (returns 0); nothing is loaded, so a container started
 * from such a build runs without any seccomp filter.
 */
static inline int lxc_seccomp_load(struct lxc_conf *conf)
{
	(void)conf;

	return 0;
}
115
/*
 * No-op stand-in for builds without seccomp support: the configured
 * profile is neither opened nor parsed.  Always returns 0.
 */
static inline int lxc_read_seccomp_config(struct lxc_conf *conf)
{
	(void)conf;

	return 0;
}
120
/*
 * Release the only member the !HAVE_SECCOMP struct lxc_seccomp owns.
 *
 * free_disarm() comes from memory_utils.h; judging by its name it frees the
 * pointer and resets it so a second call is harmless — confirm there.
 * `seccomp` must be non-NULL.
 */
static inline void lxc_seccomp_free(struct lxc_seccomp *seccomp)
{
	free_disarm(seccomp->seccomp);
}
125
/*
 * Stand-in epoll callback for builds without seccomp support.
 *
 * There is no notifier fd to service, so every invocation reports
 * -ENOSYS; the parameters exist only to match the real handler's signature.
 */
static inline int seccomp_notify_handler(int fd, uint32_t events, void *data,
					 struct lxc_epoll_descr *descr)
{
	(void)fd;
	(void)events;
	(void)data;
	(void)descr;

	return -ENOSYS;
}
131
/*
 * Stand-in for builds without seccomp support: there is no seccomp state
 * in struct lxc_conf to initialise, so this does nothing.
 */
static inline void seccomp_conf_init(struct lxc_conf *conf)
{
	(void)conf;
}
135
/*
 * Stand-in for builds without seccomp support: no proxy connection is
 * established.  Always returns 0 so container start-up proceeds.
 */
static inline int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
					  struct lxc_epoll_descr *descr,
					  struct lxc_handler *handler)
{
	(void)seccomp;
	(void)descr;
	(void)handler;

	return 0;
}
142
/*
 * Stand-in for builds without seccomp support: nothing is written to
 * socket_fd.  Always returns 0.
 */
static inline int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
					       int socket_fd)
{
	(void)seccomp;
	(void)socket_fd;

	return 0;
}
148
/*
 * Stand-in for builds without seccomp support: nothing is read from
 * socket_fd and no fd is stored.  Always returns 0.
 */
static inline int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
					       int socket_fd)
{
	(void)seccomp;
	(void)socket_fd;

	return 0;
}
154
/*
 * Stand-in for builds without seccomp support: no notifier is registered
 * for the container `name` under `lxcpath`.  Always returns 0.
 */
static inline int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
					   struct lxc_seccomp *seccomp)
{
	(void)name;
	(void)lxcpath;
	(void)seccomp;

	return 0;
}
160
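/*
 * Stand-in for builds without seccomp support: there is never a notifier
 * fd.  Reports the absence the same way the seccomp build without
 * SECCOMP_NOTIFY_FD support does — errno is set to ENOSYS and -EBADF is
 * returned — so callers that log errno see a meaningful value rather than
 * a stale one.  Callers must check for a negative result before using the
 * value as a descriptor.
 */
static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
{
	(void)seccomp;

	errno = ENOSYS;
	return -EBADF;
}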
165
166 #endif /* HAVE_SECCOMP */
167 #endif /* __LXC_LXCSECCOMP_H */