author | Stefano Brivio <sbrivio@redhat.com> | 2022-03-29 23:47:35 +0200 |
---|---|---|
committer | Stefano Brivio <sbrivio@redhat.com> | 2022-03-30 05:49:46 +0200 |
commit | 8d85b6a99ebf02a65a097ac3f5cdb83cd4119bd5 | |
tree | 48003495498d752ceeda85db06cdc3b34dc457f4 | |
parent | 37c228ada88b7fa0001659b13c34a783ba75df83 | |

tap: Allow ioctl() and openat() for tap_ns_tun() re-initialisation

If the tun interface disappears, we'll call tap_ns_tun() after the
seccomp profile is applied: add ioctl() and openat() to it.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>

-rw-r--r-- | README.md | 2 |
-rw-r--r-- | tap.c | 2 |
2 files changed, 3 insertions, 1 deletions
@@ -288,7 +288,7 @@ speeding up local connections, and usually requiring NAT. _pasta_: * ✅ all capabilities dropped, other than `CAP_NET_BIND_SERVICE` (if granted) * ✅ with default options, user, mount, IPC, UTS, PID namespaces are detached * ✅ no external dependencies (other than a standard C library) -* ✅ restrictive seccomp profiles (25 syscalls allowed for _passt_, 37 for +* ✅ restrictive seccomp profiles (25 syscalls allowed for _passt_, 39 for _pasta_ on x86_64) * ✅ examples of [AppArmor](/passt/tree/contrib/apparmor) and [SELinux](/passt/tree/contrib/selinux) profiles available @@ -873,6 +873,8 @@ static int tun_ns_fd = -1; * @c: Execution context * * Return: 0 + * + * #syscalls:pasta ioctl openat */ static int tap_ns_tun(void *arg) { |
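
Review bot: In the README.md hunk, the _pasta_ syscall count in the "restrictive seccomp profiles" bullet is a hand-edited number (37 to 39) that has to be kept in step with the `#syscalls:pasta` annotations, here the two names added in tap.c. Since readers take this figure as a statement of the sandbox's size, consider checking it against the generated profile at build time, or dropping the exact count from the prose, so that a later annotation change cannot leave the README understating what is allowed.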
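
Review bot: In the tap.c hunk, the new `#syscalls:pasta ioctl openat` line in the tap_ns_tun() comment carries no explanation of why these calls are needed once the profile is in place; that reasoning (the function is called again if the tun interface disappears) lives only in the commit message. Please add a sentence to the function comment saying so. The annotation as written names the syscalls only, with no constraint on the ioctl() request or the openat() path visible here, and both are broad calls to allow, so it is also worth stating in the comment which request and which path this function needs, so a later audit of the profile can tell what the allowance is for.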