Documentation

Integrating LVE and CageFS

You can integrate LVE and CageFS into your code in such a way that it is safely ignored if LVE is not present (as on plain CentOS systems). This way you can ship a single binary, built from a single code base, for both CageFS and CentOS. The code must be compiled with the -ldl flag.

Here is an example of how to do both: enter LVE and set up CageFS.

#include <dlfcn.h>
#include <errno.h>
#include <pwd.h>
#include <stdint.h>
#include <stdlib.h>
...
/* your log function: printf-style, a format string followed by its arguments */
void log_error(...) { ... }
/* your function that executes some code that has to run inside LVE/CageFS */
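void your_function(void) {
    void *lve = NULL;       /* lve structure pointer; allocated below, sized by liblve */

    /* Load LVE functions. If liblve is absent (e.g. a plain CentOS host) dlopen
     * returns NULL and the whole LVE/CageFS setup is skipped on purpose. */
    void *lib_handle = dlopen("liblve.so.0", RTLD_LAZY);
    if (lib_handle) {
        char *error;
        char error_msg[1024] = "";   /* filled by lve_jail_uid on failure */
        int (*_lve_enter_flags)(void *, uint32_t, uint32_t *, uint32_t) = NULL;
        int (*_lve_instance_init)(void *) = NULL;

        dlerror();    /* Clear any existing error */
        /* stat_result is assumed to be set by the caller (not shown here); LVE
         * entry is only attempted when it is zero — confirm against your code. */
        if (!stat_result) {
            _lve_enter_flags = dlsym(lib_handle, "lve_enter_flags");
            if ((error = dlerror()) != NULL) {
                log_error("failed to init LVE library (function lve_enter_flags) %s\n", error);
                _lve_enter_flags = NULL;
            }
            _lve_instance_init = dlsym(lib_handle, "lve_instance_init");
            if ((error = dlerror()) != NULL) {
                log_error("failed to init LVE library (function lve_instance_init) %s\n", error);
                _lve_instance_init = NULL;
            }
        }
        /* CageFS entry point; unlike the LVE symbols above, its absence is fatal */
        int (*jail)(struct passwd *, int, char *) = dlsym(lib_handle, "lve_jail_uid");
        if ((error = dlerror()) != NULL) {
            log_error("failed to init LVE library %s\n", error);
            exit(130);
        }
        /* Initialize LVE environment, and enter into LVE */
        if (!stat_result && _lve_enter_flags && _lve_instance_init) {
            errno = 0;
            /* lve_instance_init(NULL) reports the size of the instance structure */
            lve = malloc(_lve_instance_init(NULL));
            if (!lve) {
                log_error("failed to allocate LVE instance %d\n", errno);
            } else {
                errno = 0;
                int lve_rc = _lve_instance_init(lve);
                if (lve_rc || errno) {
                    log_error("failed to init LVE instance %d\n", errno);
                } else if (uid > 0) {
                    /* uid is assumed to be the target user's id, supplied by the caller */
                    uint32_t lve_cookie = 0;
                    errno = 0;
                    /* flag value (1 << 2) kept as in the original example; its
                     * meaning is defined by liblve */
                    lve_rc = _lve_enter_flags(lve, (uint32_t)uid, &lve_cookie, (uint32_t)(1 << 2));
                    if (lve_rc) {
                        /* NOTE: entry failure is only logged and execution continues
                         * outside the LVE limits; exit here if that is not acceptable. */
                        log_error("failed to enter LVE instance %d\n", errno);
                    }
                }
            }
            /* lve is intentionally not freed here: whether liblve needs it for the
             * rest of the process lifetime is not shown on this page — check the
             * liblve documentation before releasing it. */
        }
#ifndef SECURELVE_MIN_UID
#define SECURELVE_MIN_UID 100
#endif
        /* Enter into CageFS; pw is assumed to be the target user's struct passwd
         * (supplied by the caller). Only return values 0 and 1 are treated as success. */
        int result = jail(pw, SECURELVE_MIN_UID, error_msg);
        if (result != 1 && result != 0) {
            log_error("CageFS jail error %s\n", error_msg);
            exit(131);
        }
    }
    /* You are in LVE / CageFS now, run your code */
    /* ... */
}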