seccomp: update notify api
1 /*
2 * lxc: linux Container library
3 *
4 * (C) Copyright Canonical, Inc. 2012
5 *
6 * Authors:
7 * Serge Hallyn <serge.hallyn@canonical.com>
8 *
9 * This library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public
11 * License as published by the Free Software Foundation; either
12 * version 2.1 of the License, or (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
22 */
23
24 #ifndef __LXC_LXCSECCOMP_H
25 #define __LXC_LXCSECCOMP_H
26
27 #ifndef _GNU_SOURCE
28 #define _GNU_SOURCE 1
29 #endif
30 #include <errno.h>
31 #ifdef HAVE_SECCOMP
32 #include <linux/seccomp.h>
33 #include <seccomp.h>
34 #endif
35 #if HAVE_DECL_SECCOMP_NOTIFY_FD
36 #include <sys/socket.h>
37 #include <sys/un.h>
38 #endif
39
40 #include "conf.h"
41 #include "config.h"
42 #include "memory_utils.h"
43
44 struct lxc_conf;
45 struct lxc_epoll_descr;
46 struct lxc_handler;
47
/*
 * Fallback for kernel headers that predate the seccomp notify API. The
 * value is the kernel UAPI bit for SECCOMP_FILTER_FLAG_NEW_LISTENER and
 * must stay in sync with <linux/seccomp.h>.
 */
#ifndef SECCOMP_FILTER_FLAG_NEW_LISTENER
#define SECCOMP_FILTER_FLAG_NEW_LISTENER (1UL << 3)
#endif
51
52 #ifdef HAVE_SECCOMP
53
54
55 #if HAVE_DECL_SECCOMP_NOTIFY_FD
56
#if !HAVE_STRUCT_SECCOMP_NOTIF_SIZES
/*
 * Fallback definition used when the kernel headers do not provide
 * struct seccomp_notif_sizes. The layout must match the kernel's
 * definition, since the kernel fills this in directly.
 */
struct seccomp_notif_sizes {
	__u16 seccomp_notif;      /* size of struct seccomp_notif */
	__u16 seccomp_notif_resp; /* size of struct seccomp_notif_resp */
	__u16 seccomp_data;       /* size of struct seccomp_data */
};
#endif
64
/*
 * Fixed-size header of the message exchanged with the seccomp notify
 * proxy (presumably over the proxy socket held in struct seccomp_notify).
 * A variable-length payload follows it; see the trailing comment for the
 * order. Whoever parses an incoming message should treat sizes and
 * cookie_len as untrusted and bound-check them against the number of
 * bytes actually received before using them as offsets — confirm the
 * receiver does so.
 */
struct seccomp_notify_proxy_msg {
	/*
	 * NOTE(review): a leading double underscore is in the ISO C reserved
	 * namespace; left untouched here because the field is part of the
	 * message layout.
	 */
	uint64_t __reserved;
	pid_t monitor_pid;                /* pid of the monitoring process */
	pid_t init_pid;                   /* pid of the container's init */
	struct seccomp_notif_sizes sizes; /* sizes of the trailing notif/resp structs */
	uint64_t cookie_len;              /* length in bytes of the trailing cookie */
	/* followed by: seccomp_notif, seccomp_notif_resp, cookie */
};
73
/*
 * Per-container state for the seccomp user-notification mechanism.
 * Ownership of req_buf, rsp_buf and cookie is not visible in this header;
 * presumably they are allocated during setup and released by
 * lxc_seccomp_free() — confirm in the implementation.
 */
struct seccomp_notify {
	bool wants_supervision;           /* whether a proxy should supervise notifications */
	int notify_fd;                    /* listener fd returned for the seccomp filter */
	int proxy_fd;                     /* socket towards the external proxy */
	struct sockaddr_un proxy_addr;    /* unix-domain address of the proxy */
	struct seccomp_notif_sizes sizes; /* struct sizes as reported by the kernel */
	struct seccomp_notif *req_buf;    /* buffer for incoming notification requests */
	struct seccomp_notif_resp *rsp_buf; /* buffer for the responses sent back */
	char *cookie;                     /* opaque cookie forwarded to the proxy */
};
84
85 #define HAVE_SECCOMP_NOTIFY 1
86
87 #endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */
88
/*
 * Seccomp configuration attached to a container's lxc_conf. Members are
 * compiled in only when the corresponding libseccomp/kernel feature was
 * detected at configure time, so code touching them must use the same
 * guards.
 */
struct lxc_seccomp {
	char *seccomp;                  /* configured seccomp value (a string); freed by lxc_seccomp_free() */
#if HAVE_SCMP_FILTER_CTX
	unsigned int allow_nesting;     /* whether nested filters are permitted */
	scmp_filter_ctx seccomp_ctx;    /* libseccomp filter context */
#endif /* HAVE_SCMP_FILTER_CTX */

#if HAVE_DECL_SECCOMP_NOTIFY_FD
	struct seccomp_notify notifier; /* user-notification state, see above */
#endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */
};
100
/*
 * Implemented out of line when HAVE_SECCOMP is set. The stubs in the
 * #else branch below show the no-seccomp fallback behaviour of each
 * function; return conventions of the real implementations are not
 * visible in this header.
 */
/* Apply the seccomp configuration in @conf. */
extern int lxc_seccomp_load(struct lxc_conf *conf);
/* Parse the seccomp configuration referenced by @conf. */
extern int lxc_read_seccomp_config(struct lxc_conf *conf);
/* Release everything owned by @seccomp. */
extern void lxc_seccomp_free(struct lxc_seccomp *seccomp);
/*
 * Epoll callback (fd, events, data, descr); presumably registered on the
 * notifier fd — confirm in the implementation.
 */
extern int seccomp_notify_handler(int fd, uint32_t events, void *data,
				  struct lxc_epoll_descr *descr);
/* Initialise the seccomp part of @conf to its defaults. */
extern void seccomp_conf_init(struct lxc_conf *conf);
/* Connect to the notify proxy and register the notifier with @descr. */
extern int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
				   struct lxc_epoll_descr *descr,
				   struct lxc_handler *handler);
/* Pass the notifier fd over @socket_fd. */
extern int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
					int socket_fd);
/* Receive the notifier fd from @socket_fd. */
extern int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
					int socket_fd);
/* Register a notifier for container @name under @lxcpath. */
extern int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
				    struct lxc_seccomp *seccomp);
/*
 * Return the seccomp notifier fd stored in @seccomp.
 *
 * Without the notify API there is no notifier member at all, so the
 * call reports "not implemented" through errno and returns -EBADF.
 */
static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
{
	int fd = -EBADF;

#if HAVE_DECL_SECCOMP_NOTIFY_FD
	fd = seccomp->notifier.notify_fd;
#else
	/* No notifier in this build. */
	errno = ENOSYS;
#endif

	return fd;
}
125
126 #else /* HAVE_SECCOMP */
127
/*
 * Reduced layout for builds without seccomp support: only the configured
 * string is kept so that config parsing and freeing keep working.
 */
struct lxc_seccomp {
	char *seccomp; /* configured seccomp value; freed by lxc_seccomp_free() */
};
131
/* No-seccomp build: there is no filter to apply, so loading always succeeds. */
static inline int lxc_seccomp_load(struct lxc_conf *conf)
{
	(void)conf; /* unused in this build */
	return 0;
}
136
/* No-seccomp build: nothing to parse, report success. */
static inline int lxc_read_seccomp_config(struct lxc_conf *conf)
{
	(void)conf; /* unused in this build */
	return 0;
}
141
/*
 * No-seccomp build: release the configured string, the only member of
 * struct lxc_seccomp in this build. free_disarm() comes from
 * memory_utils.h; presumably it frees and clears the pointer — confirm
 * there.
 */
static inline void lxc_seccomp_free(struct lxc_seccomp *seccomp)
{
	free_disarm(seccomp->seccomp);
}
146
/*
 * No-seccomp build: notifications cannot occur, so the epoll callback
 * always fails with -ENOSYS.
 */
static inline int seccomp_notify_handler(int fd, uint32_t events, void *data,
					 struct lxc_epoll_descr *descr)
{
	/* none of the callback arguments are meaningful here */
	(void)fd;
	(void)events;
	(void)data;
	(void)descr;
	return -ENOSYS;
}
152
/* No-seccomp build: no seccomp state to initialise in @conf. */
static inline void seccomp_conf_init(struct lxc_conf *conf)
{
	(void)conf; /* unused in this build */
}
156
/* No-seccomp build: no proxy to set up, report success. */
static inline int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
					  struct lxc_epoll_descr *descr,
					  struct lxc_handler *handler)
{
	(void)seccomp; /* unused in this build */
	(void)descr;
	(void)handler;
	return 0;
}
163
/* No-seccomp build: there is no notifier fd to send, report success. */
static inline int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
					       int socket_fd)
{
	(void)seccomp; /* unused in this build */
	(void)socket_fd;
	return 0;
}
169
/* No-seccomp build: there is no notifier fd to receive, report success. */
static inline int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
					       int socket_fd)
{
	(void)seccomp; /* unused in this build */
	(void)socket_fd;
	return 0;
}
175
/* No-seccomp build: no notifier can be registered, report success. */
static inline int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
					   struct lxc_seccomp *seccomp)
{
	(void)name; /* unused in this build */
	(void)lxcpath;
	(void)seccomp;
	return 0;
}
181
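/*
 * No-seccomp build: there is never a notifier fd.
 *
 * Returns -EBADF and sets errno to ENOSYS, matching what the
 * HAVE_SECCOMP variant reports when the notify API is unavailable, so
 * callers see the same failure regardless of how the library was built.
 */
static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
{
	(void)seccomp; /* unused in this build */
	errno = ENOSYS;
	return -EBADF;
}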
186
187 #endif /* HAVE_SECCOMP */
188 #endif /* __LXC_LXCSECCOMP_H */