| Dylan Reid | 837c74a | 2016-01-22 17:25:21 -0800 | [diff] [blame] | 1 | /* Copyright 2016 The Chromium OS Authors. All rights reserved. |
| 2 | * Use of this source code is governed by a BSD-style license that can be |
| 3 | * found in the LICENSE file. |
| 4 | */ |
| 5 | |
| 6 | #ifndef CONTAINER_MANAGER_LIBCONTAINER_H_ |
| 7 | #define CONTAINER_MANAGER_LIBCONTAINER_H_ |
| 8 | |
| Dylan Reid | 2bd9ea9 | 2016-04-07 20:57:47 -0700 | [diff] [blame^] | 9 | #include <stddef.h> |
| Dylan Reid | 837c74a | 2016-01-22 17:25:21 -0800 | [diff] [blame] | 10 | |
| 11 | #ifdef __cplusplus |
| 12 | extern "C" { |
| 13 | #endif |
| 14 | |
| 15 | struct container_config; |
| 16 | |
| 17 | /* Create a container config. */ |
| 18 | struct container_config *container_config_create(); |
| 19 | |
| 20 | /* Destroy a config create with container_config_create. */ |
| 21 | void container_config_destroy(struct container_config *c); |
| 22 | |
| 23 | /* rootfs - Path to the root of the container's filesystem. */ |
| 24 | int container_config_rootfs(struct container_config *c, const char *rootfs); |
| 25 | |
| 26 | /* The program to run and args, e.g. "/sbin/init", "--second-stage". */ |
| 27 | int container_config_program_argv(struct container_config *c, |
| 28 | char **argv, size_t num_args); |
| 29 | |
| 30 | /* The pid of the program will be written here. */ |
| 31 | int container_config_pid_file(struct container_config *c, const char *path); |
| 32 | |
| 33 | /* Mapping of UIDs in the container, e.g. "0 100000 1024" */ |
| 34 | int container_config_uid_map(struct container_config *c, const char *uid_map); |
| 35 | |
| 36 | /* Mapping of GIDs in the container, e.g. "0 100000 1024" */ |
| 37 | int container_config_gid_map(struct container_config *c, const char *gid_map); |
| 38 | |
| 39 | /* Alt-Syscall table to use or NULL if none. */ |
| 40 | int container_config_alt_syscall_table(struct container_config *c, |
| 41 | const char *alt_syscall_table); |
| 42 | |
| 43 | /* |
| 44 | * Add a filesystem to mount in the new VFS namespace. |
| 45 | * |
| 46 | * c - The container config in which to add the mount. |
| 47 | * source - Mount source, e.g. "tmpfs" or "/data". |
| 48 | * destination - Mount point in the container, e.g. "/dev". |
| 49 | * type - Mount type, e.g. "tmpfs", "selinuxfs", or "devpts". |
| 50 | * data - Mount data for extra options, e.g. "newinstance" or "ptmxmode=0000". |
| 51 | * flags - Mount flags as defined in mount(2); |
| 52 | * uid - uid to chown mount point to if created. |
| 53 | * gid - gid to chown mount point to if created. |
| 54 | * mode - Permissions of mount point if created. |
| 55 | * mount_in_ns - True if mount should happen in the process' vfs namespace. |
| 56 | * create - If true, create mount destination if it doesn't exist. |
| 57 | */ |
| 58 | int container_config_add_mount(struct container_config *c, |
| 59 | const char *name, |
| 60 | const char *source, |
| 61 | const char *destination, |
| 62 | const char *type, |
| 63 | const char *data, |
| 64 | int flags, |
| 65 | int uid, |
| 66 | int gid, |
| 67 | int mode, |
| 68 | int mount_in_ns, |
| 69 | int create); |
| 70 | |
| 71 | /* |
| 72 | * Add a device node to create. |
| 73 | * |
| 74 | * c - The container config in which to add the mount. |
| 75 | * type - 'c' or 'b' for char or block respectively. |
| 76 | * path - Where to mknod, "/dev/zero". |
| 77 | * fs_permissions - Permissions to set on the node. |
| 78 | * major - Major device number. |
| 79 | * minor - Minor device number. |
| 80 | * uid - User to own the device. |
| 81 | * gid - Group to own the device. |
| 82 | * read_allowed - If true allow reading from the device via "devices" cgroup. |
| 83 | * write_allowed - If true allow writing to the device via "devices" cgroup. |
| 84 | * modify_allowed - If true allow creation of the device via "devices" cgroup. |
| 85 | */ |
| 86 | int container_config_add_device(struct container_config *c, |
| 87 | char type, |
| 88 | const char *path, |
| 89 | int fs_permissions, |
| 90 | int major, |
| 91 | int minor, |
| 92 | int uid, |
| 93 | int gid, |
| 94 | int read_allowed, |
| 95 | int write_allowed, |
| 96 | int modify_allowed); |
| 97 | |
| Dylan Reid | 2bd9ea9 | 2016-04-07 20:57:47 -0700 | [diff] [blame^] | 98 | /* |
| 99 | * Set to cause the given setfiles command to be run whenever a mount is made |
| 100 | * in the parent mount namespace. |
| 101 | */ |
| 102 | void container_config_run_setfiles(struct container_config *c, |
| 103 | const char *setfiles_cmd); |
| Dylan Reid | 837c74a | 2016-01-22 17:25:21 -0800 | [diff] [blame] | 104 | |
| 105 | /* Container manipulation. */ |
| 106 | struct container; |
| 107 | |
| 108 | /* |
| 109 | * Create a container based on the given config. |
| 110 | * |
| 111 | * name - Name of the directory holding the container config files. |
| 112 | * rundir - Where to build the temporary rootfs. |
| 113 | * config - Details of how the container should be run. |
| 114 | */ |
| 115 | struct container *container_new(const char *name, |
| 116 | const char *rundir, |
| 117 | struct container_config *config); |
| 118 | |
| 119 | /* Destroy a container created with container_new. */ |
| 120 | void container_destroy(struct container *c); |
| 121 | |
| 122 | /* Start the container. Returns 0 on success. */ |
| 123 | int container_start(struct container *c); |
| 124 | |
| 125 | /* Get the path to the root of the container. */ |
| 126 | const char *container_root(struct container *c); |
| 127 | |
| 128 | /* Get the pid of the init process in the container. */ |
| 129 | int container_pid(struct container *c); |
| 130 | |
| 131 | /* Wait for the container to exit. Returns 0 on success. */ |
| 132 | int container_wait(struct container *c); |
| 133 | |
| 134 | /* Kill the container's init process, then wait for it to exit. */ |
| 135 | int container_kill(struct container *c); |
| 136 | |
| 137 | #ifdef __cplusplus |
| 138 | }; /* extern "C" */ |
| 139 | #endif |
| 140 | |
| 141 | #endif /* CONTAINER_MANAGER_LIBCONTAINER_H_ */ |