
     1  /*
     2   * Copyright (C) 2021 Canonical Ltd
     3   *
     4   * This program is free software: you can redistribute it and/or modify
     5   * it under the terms of the GNU General Public License version 3 as
     6   * published by the Free Software Foundation.
     7   *
     8   * This program is distributed in the hope that it will be useful,
     9   * but WITHOUT ANY WARRANTY; without even the implied warranty of
    10   * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    11   * GNU General Public License for more details.
    12   *
    13   * You should have received a copy of the GNU General Public License
    14   * along with this program.  If not, see <http://www.gnu.org/licenses/>.
    15   *
    16   */
    17  
    18  #ifndef SNAP_CONFINE_DEVICE_CGROUP_SUPPORT_H
    19  #define SNAP_CONFINE_DEVICE_CGROUP_SUPPORT_H
    20  
    21  #include <stdint.h>
    22  #include <unistd.h>
    23  
    24  struct sc_device_cgroup;
    25  typedef struct sc_device_cgroup sc_device_cgroup;
    26  
    27  enum {
    28      /* when creating a device cgroup wrapper, do not set up a new cgroup but
    29       * rather use an existing one */
    30      SC_DEVICE_CGROUP_FROM_EXISTING = 1,
    31  };
    32  
    33  /**
    34   * sc_device_cgroup_new returns a new cgroup device wrapper suitable for the
    35   * current system; release it with sc_device_cgroup_cleanup. Flags can contain
    36   * SC_DEVICE_CGROUP_FROM_EXISTING, in which case an existing cgroup is used and
    37   * a NULL return value with errno set to ENOENT indicates that the group was not
    38   * found. Otherwise, a new device cgroup for the given tag is set up.
    39   */
    40  sc_device_cgroup* sc_device_cgroup_new(const char* security_tag, int flags);
    41  /**
    42   * sc_device_cgroup_cleanup disposes of the cgroup wrapper and is suitable for
    43   * use with SC_CLEANUP
    44   */
    45  void sc_device_cgroup_cleanup(sc_device_cgroup** self);
    46  
    47  /**
    48   * SC_DEVICE_MINOR_ANY is passed as the minor number to sc_device_cgroup_allow
    49   * or sc_device_cgroup_deny to cover every minor of the given major device.
    50   */
    50  static const uint32_t SC_DEVICE_MINOR_ANY = UINT32_MAX;
    51  
    52  /**
    53   * sc_device_cgroup_allow sets up the cgroup to allow access to a given device
    54   * or a set of devices if SC_DEVICE_MINOR_ANY is passed as the minor number. The
    55   * kind must be one of S_IFCHR, S_IFBLK.
    56   */
    57  int sc_device_cgroup_allow(sc_device_cgroup* self, int kind, int major, int minor);
    58  
    59  /**
    60   * sc_device_cgroup_deny sets up the cgroup to deny access to a given device or
    61   * a set of devices if SC_DEVICE_MINOR_ANY is passed as the minor number. The
    62   * kind must be one of S_IFCHR, S_IFBLK.
    63   */
    64  int sc_device_cgroup_deny(sc_device_cgroup* self, int kind, int major, int minor);
    65  
    66  /**
    67   * sc_device_cgroup_attach_pid attaches given process ID to the associated
    68   * cgroup.
    69   */
    70  int sc_device_cgroup_attach_pid(sc_device_cgroup* self, pid_t pid);
    71  
    72  #endif /* SNAP_CONFINE_DEVICE_CGROUP_SUPPORT_H */