aboutgitcodebugslistschat
diff options
context:
space:
mode:
authorStefano Brivio <sbrivio@redhat.com>2022-03-29 23:47:35 +0200
committerStefano Brivio <sbrivio@redhat.com>2022-03-30 05:49:46 +0200
commit8d85b6a99ebf02a65a097ac3f5cdb83cd4119bd5 (patch)
tree48003495498d752ceeda85db06cdc3b34dc457f4
parent37c228ada88b7fa0001659b13c34a783ba75df83 (diff)
downloadpasst-8d85b6a99ebf02a65a097ac3f5cdb83cd4119bd5.tar
passt-8d85b6a99ebf02a65a097ac3f5cdb83cd4119bd5.tar.gz
passt-8d85b6a99ebf02a65a097ac3f5cdb83cd4119bd5.tar.bz2
passt-8d85b6a99ebf02a65a097ac3f5cdb83cd4119bd5.tar.lz
passt-8d85b6a99ebf02a65a097ac3f5cdb83cd4119bd5.tar.xz
passt-8d85b6a99ebf02a65a097ac3f5cdb83cd4119bd5.tar.zst
passt-8d85b6a99ebf02a65a097ac3f5cdb83cd4119bd5.zip
tap: Allow ioctl() and openat() for tap_ns_tun() re-initialisation
If the tun interface disappears, we'll call tap_ns_tun() after the seccomp profile is applied: add ioctl() and openat() to it. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
-rw-r--r--README.md2
-rw-r--r--tap.c2
2 files changed, 3 insertions, 1 deletions
diff --git a/README.md b/README.md
index b045c6f..2ce01e9 100644
--- a/README.md
+++ b/README.md
@@ -288,7 +288,7 @@ speeding up local connections, and usually requiring NAT. _pasta_:
* ✅ all capabilities dropped, other than `CAP_NET_BIND_SERVICE` (if granted)
* ✅ with default options, user, mount, IPC, UTS, PID namespaces are detached
* ✅ no external dependencies (other than a standard C library)
-* ✅ restrictive seccomp profiles (25 syscalls allowed for _passt_, 37 for
+* ✅ restrictive seccomp profiles (25 syscalls allowed for _passt_, 39 for
_pasta_ on x86_64)
* ✅ examples of [AppArmor](/passt/tree/contrib/apparmor) and
[SELinux](/passt/tree/contrib/selinux) profiles available
diff --git a/tap.c b/tap.c
index aca8c75..f6de5f1 100644
--- a/tap.c
+++ b/tap.c
@@ -873,6 +873,8 @@ static int tun_ns_fd = -1;
* @c: Execution context
*
* Return: 0
+ *
+ * #syscalls:pasta ioctl openat
*/
static int tap_ns_tun(void *arg)
{