seccomp: s/HAVE_DECL_SECCOMP_NOTIF_GET_FD/HAVE_DECL_SECCOMP_NOTIFY_FD/g
1 /*
2 * lxc: linux Container library
3 *
4 * (C) Copyright Canonical, Inc. 2012
5 *
6 * Authors:
7 * Serge Hallyn <serge.hallyn@canonical.com>
8 *
9 * This library is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU Lesser General Public
11 * License as published by the Free Software Foundation; either
12 * version 2.1 of the License, or (at your option) any later version.
13 *
14 * This library is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 * Lesser General Public License for more details.
18 *
19 * You should have received a copy of the GNU Lesser General Public
20 * License along with this library; if not, write to the Free Software
21 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
22 */
23
24 #ifndef __LXC_LXCSECCOMP_H
25 #define __LXC_LXCSECCOMP_H
26
27 #ifndef _GNU_SOURCE
28 #define _GNU_SOURCE 1
29 #endif
/*
 * config.h first: HAVE_SECCOMP and HAVE_DECL_SECCOMP_NOTIFY_FD, tested
 * below, are defined there. Standard headers for the types this header
 * uses directly (bool, uint32_t, pid_t) are included explicitly so the
 * header does not depend on what its includers pulled in beforehand.
 */
#include "config.h"

#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <sys/types.h>
#ifdef HAVE_SECCOMP
#include <linux/seccomp.h>
#include <seccomp.h>
#endif
#if HAVE_DECL_SECCOMP_NOTIFY_FD
#include <sys/socket.h>
#include <sys/un.h>
#endif

#include "conf.h"
#include "memory_utils.h"
43
44 struct lxc_conf;
45 struct lxc_epoll_descr;
46 struct lxc_handler;
47
48 #ifdef HAVE_SECCOMP
49
50
51 #if HAVE_DECL_SECCOMP_NOTIFY_FD
52
/*
 * Message exchanged with an external seccomp notify proxy. Presumably this
 * is the wire format sent over the unix socket addressed by
 * struct seccomp_notify::proxy_addr — confirm against the sender and
 * receiver. As a plain C struct (no explicit packing), its layout and
 * padding are ABI dependent, so both endpoints must agree on the ABI.
 * The receiving side should validate every field of an incoming message
 * rather than trust it: the peer is outside this process.
 */
struct seccomp_notify_proxy_msg {
	uint32_t version;			/* protocol version of this message format — confirm how it is checked */
	struct seccomp_notif req;		/* the seccomp user-notification request (kernel UAPI type) */
	struct seccomp_notif_resp resp;		/* the response to be returned for that request (kernel UAPI type) */
	pid_t monitor_pid;			/* presumably the lxc monitor's pid — TODO confirm */
	pid_t init_pid;				/* presumably the container init's pid — TODO confirm */
};
60
/*
 * Per-container state for seccomp user notification: the notify fd
 * obtained from the filter and the connection to the proxy that
 * supervises the notified syscalls. Only present when
 * HAVE_DECL_SECCOMP_NOTIFY_FD is set.
 */
struct seccomp_notify {
	bool wants_supervision;			/* true when a proxy is to supervise syscalls — confirm where it is set */
	int notify_fd;				/* the value lxc_seccomp_get_notify_fd() hands to callers */
	int proxy_fd;				/* presumably the socket connected to proxy_addr — confirm */
	struct sockaddr_un proxy_addr;		/* unix socket address of the notify proxy */
	struct seccomp_notif *req_buf;		/* request buffer; allocation and release are not visible here */
	struct seccomp_notif_resp *rsp_buf;	/* response buffer; allocation and release are not visible here */
};
69
70 #define HAVE_SECCOMP_NOTIFY 1
71
72 #endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */
73
/*
 * Seccomp state attached to a container's configuration, HAVE_SECCOMP
 * variant. Released by lxc_seccomp_free(); the string member is owned by
 * this struct (the !HAVE_SECCOMP lxc_seccomp_free() frees it, the
 * HAVE_SECCOMP implementation is not visible here).
 */
struct lxc_seccomp {
	char *seccomp;			/* profile as taken from the config — presumably a path, confirm in lxc_read_seccomp_config() */
#if HAVE_SCMP_FILTER_CTX
	unsigned int allow_nesting;	/* name suggests nested containers may load their own filters — TODO confirm */
	scmp_filter_ctx seccomp_ctx;	/* libseccomp filter context */
#endif /* HAVE_SCMP_FILTER_CTX */

#if HAVE_DECL_SECCOMP_NOTIFY_FD
	struct seccomp_notify notifier;	/* user-notification / proxy state */
#endif /* HAVE_DECL_SECCOMP_NOTIFY_FD */
};
85
86 extern int lxc_seccomp_load(struct lxc_conf *conf);
87 extern int lxc_read_seccomp_config(struct lxc_conf *conf);
88 extern void lxc_seccomp_free(struct lxc_seccomp *seccomp);
89 extern int seccomp_notify_handler(int fd, uint32_t events, void *data,
90 struct lxc_epoll_descr *descr);
91 extern void seccomp_conf_init(struct lxc_conf *conf);
92 extern int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
93 struct lxc_epoll_descr *descr,
94 struct lxc_handler *handler);
95 extern int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
96 int socket_fd);
97 extern int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
98 int socket_fd);
99 extern int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
100 struct lxc_seccomp *seccomp);
/*
 * Return the seccomp notify fd stored in @seccomp->notifier.
 *
 * When this build has no seccomp user-notification support
 * (HAVE_DECL_SECCOMP_NOTIFY_FD is 0) there is no such fd: -EBADF is
 * returned and errno is set to ENOSYS. Note the two distinct codes —
 * the return value says "no usable fd", errno says "feature absent".
 */
static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
{
#if !HAVE_DECL_SECCOMP_NOTIFY_FD
	(void)seccomp;	/* nothing to read from; the notifier member does not exist */
	errno = ENOSYS;
	return -EBADF;
#else
	return seccomp->notifier.notify_fd;
#endif
}
110
111 #else /* HAVE_SECCOMP */
112
/*
 * !HAVE_SECCOMP stand-in for struct lxc_seccomp: only the profile string
 * survives so that config parsing and lxc_seccomp_free() keep working.
 * Nothing in this build turns the string into an enforced filter.
 */
struct lxc_seccomp {
	char *seccomp;	/* profile string from the config; freed by lxc_seccomp_free() */
};
116
/*
 * !HAVE_SECCOMP stand-in: no filter is built or applied and 0 (success)
 * is returned unconditionally. A profile string present in the
 * configuration is therefore left unenforced in this build, and callers
 * cannot tell that apart from a successfully loaded filter.
 */
static inline int lxc_seccomp_load(struct lxc_conf *conf)
{
	(void)conf;	/* unused: there is nothing to load */

	return 0;
}
121
/*
 * !HAVE_SECCOMP stand-in: nothing is read or parsed; reports success (0)
 * so container start-up proceeds without a seccomp filter.
 */
static inline int lxc_read_seccomp_config(struct lxc_conf *conf)
{
	(void)conf;	/* unused: no profile is parsed in this build */

	return 0;
}
126
/*
 * !HAVE_SECCOMP stand-in: release the profile string held by @seccomp.
 * free_disarm() comes from memory_utils.h; its name suggests it frees the
 * pointer and then clears it, which would make a second call harmless —
 * confirm against its definition. @seccomp must not be NULL.
 */
static inline void lxc_seccomp_free(struct lxc_seccomp *seccomp)
{
	free_disarm(seccomp->seccomp);
}
131
/*
 * !HAVE_SECCOMP stand-in for the epoll callback that services seccomp
 * notifications. It can never be legitimately invoked in this build, so
 * it reports -ENOSYS and ignores every argument.
 */
static inline int seccomp_notify_handler(int fd, uint32_t events, void *data,
					 struct lxc_epoll_descr *descr)
{
	(void)fd;
	(void)events;
	(void)data;
	(void)descr;

	return -ENOSYS;
}
137
/*
 * !HAVE_SECCOMP stand-in: there is no seccomp state to initialise in
 * @conf, so this is a deliberate no-op.
 */
static inline void seccomp_conf_init(struct lxc_conf *conf)
{
	(void)conf;	/* unused */
}
141
/*
 * !HAVE_SECCOMP stand-in: no proxy connection is set up. Returns 0 so
 * that the caller's start-up sequence is not interrupted; no fd is
 * registered with @descr.
 */
static inline int lxc_seccomp_setup_proxy(struct lxc_seccomp *seccomp,
					  struct lxc_epoll_descr *descr,
					  struct lxc_handler *handler)
{
	(void)seccomp;
	(void)descr;
	(void)handler;

	return 0;
}
148
/*
 * !HAVE_SECCOMP stand-in: nothing is written to @socket_fd; reports
 * success (0) so the sender and receiver sides stay in step.
 */
static inline int lxc_seccomp_send_notifier_fd(struct lxc_seccomp *seccomp,
					       int socket_fd)
{
	(void)seccomp;
	(void)socket_fd;

	return 0;
}
154
/*
 * !HAVE_SECCOMP stand-in: nothing is read from @socket_fd; reports
 * success (0), mirroring lxc_seccomp_send_notifier_fd() in this build.
 */
static inline int lxc_seccomp_recv_notifier_fd(struct lxc_seccomp *seccomp,
					       int socket_fd)
{
	(void)seccomp;
	(void)socket_fd;

	return 0;
}
160
/*
 * !HAVE_SECCOMP stand-in: no notifier is added for the container @name
 * under @lxcpath; reports success (0).
 */
static inline int lxc_seccomp_add_notifier(const char *name, const char *lxcpath,
					   struct lxc_seccomp *seccomp)
{
	(void)name;
	(void)lxcpath;
	(void)seccomp;

	return 0;
}
166
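/*
 * !HAVE_SECCOMP stand-in: there is never a notify fd in this build.
 *
 * Returns -EBADF and sets errno to ENOSYS, matching the fallback branch of
 * the HAVE_SECCOMP variant of this function (which also sets errno when
 * HAVE_DECL_SECCOMP_NOTIFY_FD is 0), so callers see the same error
 * signalling regardless of how the library was built.
 */
static inline int lxc_seccomp_get_notify_fd(struct lxc_seccomp *seccomp)
{
	(void)seccomp;	/* unused: no notifier state exists in this build */

	errno = ENOSYS;
	return -EBADF;
}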
171
172 #endif /* HAVE_SECCOMP */
173 #endif /* __LXC_LXCSECCOMP_H */