diff options
author | David Gibson <david@gibson.dropbear.id.au> | 2022-10-14 15:25:31 +1100 |
---|---|---|
committer | Stefano Brivio <sbrivio@redhat.com> | 2022-10-15 02:10:36 +0200 |
commit | 096e48669b56273d44a3242d7af4840b38335961 (patch) | |
tree | f88f70e1843ebc5edc7c323a817bf86d1b3cd014 /passt.c | |
parent | 6909a8e3390913d656f55803fa6cf5d0b1d46812 (diff) | |
download | passt-096e48669b56273d44a3242d7af4840b38335961.tar passt-096e48669b56273d44a3242d7af4840b38335961.tar.gz passt-096e48669b56273d44a3242d7af4840b38335961.tar.bz2 passt-096e48669b56273d44a3242d7af4840b38335961.tar.lz passt-096e48669b56273d44a3242d7af4840b38335961.tar.xz passt-096e48669b56273d44a3242d7af4840b38335961.tar.zst passt-096e48669b56273d44a3242d7af4840b38335961.zip |
isolation: Clarify various self-isolation steps
We have a number of steps of self-isolation scattered across our code.
Improve function names and add comments to make it clearer what the self
isolation model is, what the steps do, and why they happen at the points
they happen.
Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Diffstat (limited to 'passt.c')
-rw-r--r-- | passt.c | 8 |
1 files changed, 3 insertions, 5 deletions
@@ -185,7 +185,7 @@ int main(int argc, char **argv) arch_avx2_exec(argv); - drop_caps(); + isolate_initial(); c.pasta_netns_fd = c.fd_tap = c.fd_tap_listen = -1; @@ -289,7 +289,7 @@ int main(int argc, char **argv) } } - if (sandbox(&c)) { + if (isolate_prefork(&c)) { err("Failed to sandbox process, exiting\n"); exit(EXIT_FAILURE); } @@ -299,9 +299,7 @@ int main(int argc, char **argv) else write_pidfile(pidfile_fd, getpid()); - prctl(PR_SET_DUMPABLE, 0); - - seccomp(&c); + isolate_postfork(&c); timer_init(&c, &now); |