author Stefano Brivio <sbrivio@redhat.com> 2022-01-26 06:55:28 +0100
committer Stefano Brivio <sbrivio@redhat.com> 2022-01-26 16:30:59 +0100
commit 33b1bdd079f1b40dffb040e40579d7434c28d10a
tree bb087d77e93f7c88bf4ab69dab03b75a319da747 /contrib/kata-containers
parent be265eef0631217e6566781d388ae078c4797752
seccomp: Add a number of alternate and per-arch syscalls

Depending on the C library, but not necessarily in all the functions we use, statx() might be used instead of stat(), getdents() instead of getdents64(), readlinkat() instead of readlink(), openat() instead of open().

On aarch64, it's clone() and not fork(), and dup3() instead of dup2() -- just allow the existing alternative instead of dealing with per-arch selections.

Since glibc commit 9a7565403758 ("posix: Consolidate fork implementation"), we need to allow set_robust_list() for fork()/clone(), even in a single-threaded context.

On some architectures, epoll_pwait() is provided instead of epoll_wait(), but never both. Same with newfstat() and fstat(), sigreturn() and rt_sigreturn(), getdents64() and getdents(), readlink() and readlinkat(), unlink() and unlinkat(), whereas pipe() might not be available, but pipe2() always is, exclusively or not.

Seen on Fedora 34: newfstatat() is used on top of fstat().

syslog() is an actual system call on some glibc/arch combinations, instead of a connect()/send() implementation.

On ppc64 and ppc64le, _llseek(), recv(), send() and getuid() are used.

For ppc64 only: ugetrlimit() for the getrlimit() implementation, plus sigreturn() and fcntl64().

On s390x, additionally, we need to allow socketcall() (on top of socket()), and sigreturn() also for passt (not just for pasta).

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Diffstat (limited to 'contrib/kata-containers')
0 files changed, 0 insertions, 0 deletions
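
The per-architecture alternates described in the commit message, as an added example (not passt's own code or its filter-generation method): an allow-list that includes the older syscall only where the build architecture defines it, compiled into a classic-BPF seccomp program and evaluated in userspace. The list contents are constructed for illustration, and the `seccomp_data.arch` check that a deployed filter needs is left out to keep the block short.

```c
#include <stddef.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/syscall.h>

/* Constructed allow-list (not passt's): calls every architecture has, plus
 * the older alternates only where this architecture defines them. */
static const long allowed[] = {
	SYS_openat, SYS_clone, SYS_dup3, SYS_pipe2, SYS_set_robust_list,
#ifdef SYS_open
	SYS_open,
#endif
#ifdef SYS_fork
	SYS_fork,
#endif
};
#define N_ALLOWED (sizeof(allowed) / sizeof(allowed[0]))

/* Emit: load syscall nr; one "nr == X ? ALLOW" pair per entry; else kill. */
size_t build_filter(struct sock_filter *f)
{
	size_t i, n = 0;
	f[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
			offsetof(struct seccomp_data, nr));
	for (i = 0; i < N_ALLOWED; i++) {
		f[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
				(unsigned int)allowed[i], 0, 1);
		f[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
	}
	f[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
	return n;
}

/* Evaluate the program above in userspace for one syscall number. */
unsigned int filter_verdict(const struct sock_filter *f, size_t n, long nr)
{
	for (size_t pc = 1; pc < n; pc++) {	/* f[0] is the load */
		if (BPF_CLASS(f[pc].code) == BPF_RET)
			return f[pc].k;
		if (f[pc].k != (unsigned int)nr)
			pc += f[pc].jf;		/* no match: skip the ALLOW */
	}
	return SECCOMP_RET_KILL_PROCESS;
}

int main(void)
{
	struct sock_filter f[2 * N_ALLOWED + 2];
	return build_filter(f) != 2 * N_ALLOWED + 2;	/* exit 0 if sized as expected */
}
```

Building the same source on x86_64 and on aarch64 yields filters of different length, because `SYS_open` and `SYS_fork` are only defined on the former.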