diff options
author | Stefano Brivio <sbrivio@redhat.com> | 2021-10-13 22:25:03 +0200 |
---|---|---|
committer | Stefano Brivio <sbrivio@redhat.com> | 2021-10-14 13:15:46 +0200 |
commit | 66d5930ec77caed942404ceef4829f2c4ca431bd (patch) | |
tree | cef75db6ce37ddd50de819f1dc53dcd602b97c36 /Makefile | |
parent | f318174a9387ecd94d83ed0b9356940c60753846 (diff) | |
download | passt-66d5930ec77caed942404ceef4829f2c4ca431bd.tar passt-66d5930ec77caed942404ceef4829f2c4ca431bd.tar.gz passt-66d5930ec77caed942404ceef4829f2c4ca431bd.tar.bz2 passt-66d5930ec77caed942404ceef4829f2c4ca431bd.tar.lz passt-66d5930ec77caed942404ceef4829f2c4ca431bd.tar.xz passt-66d5930ec77caed942404ceef4829f2c4ca431bd.tar.zst passt-66d5930ec77caed942404ceef4829f2c4ca431bd.zip |
passt, pasta: Add seccomp support
List of allowed syscalls comes from comments in the form:
#syscalls <list>
for syscalls needed both in passt and pasta mode, and:
#syscalls:pasta <list>
#syscalls:passt <list>
for syscalls specifically needed in pasta or passt mode only.
seccomp.sh builds a list of BPF statements from those comments,
prefixed by a binary search tree to keep lookup fast.
While at it, clean up a bit the Makefile using wildcards.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Diffstat (limited to 'Makefile')
-rw-r--r-- | Makefile | 17 |
1 files changed, 8 insertions, 9 deletions
@@ -2,6 +2,7 @@ CFLAGS += -Wall -Wextra -pedantic CFLAGS += -DRLIMIT_STACK_VAL=$(shell ulimit -s) CFLAGS += -DPAGE_SIZE=$(shell getconf PAGE_SIZE) CFLAGS += -DNETNS_RUN_DIR=\"/run/netns\" +CFLAGS += -DPASST_AUDIT_ARCH=AUDIT_ARCH_$(shell uname -m | tr [a-z] [A-Z]) prefix ?= /usr/local @@ -13,14 +14,12 @@ avx2: clean all static: CFLAGS += -static static: clean all -passt: passt.c passt.h arp.c arp.h checksum.c checksum.h conf.c conf.h \ - dhcp.c dhcp.h dhcpv6.c dhcpv6.h pcap.c pcap.h ndp.c ndp.h \ - netlink.c netlink.h pasta.c pasta.h siphash.c siphash.h tap.c tap.h \ - icmp.c icmp.h tcp.c tcp.h udp.c udp.h util.c util.h - $(CC) $(CFLAGS) \ - passt.c arp.c checksum.c conf.c dhcp.c dhcpv6.c pasta.c pcap.c \ - ndp.c netlink.c siphash.c tap.c icmp.c tcp.c udp.c util.c \ - -o passt +seccomp.h: *.c $(filter-out seccomp.h,$(wildcard *.h)) + @ ./seccomp.sh + +passt: $(filter-out qrap.c,$(wildcard *.c)) \ + $(filter-out qrap.h,$(wildcard *.h)) seccomp.h + $(CC) $(CFLAGS) $(filter-out qrap.c,$(wildcard *.c)) -o passt pasta: passt ln -s passt pasta @@ -35,7 +34,7 @@ qrap: qrap.c passt.h .PHONY: clean clean: - -${RM} passt *.o qrap pasta pasta.1 passt4netns \ + -${RM} passt *.o seccomp.h qrap pasta pasta.1 passt4netns \ passt.tar passt.tar.gz *.deb *.rpm install: passt pasta qrap |