author:    Stefano Brivio <sbrivio@redhat.com>  2022-01-26 06:55:28 +0100
committer: Stefano Brivio <sbrivio@redhat.com>  2022-01-26 16:30:59 +0100
commit:    33b1bdd079f1b40dffb040e40579d7434c28d10a
tree:      bb087d77e93f7c88bf4ab69dab03b75a319da747 /passt.c
parent:    be265eef0631217e6566781d388ae078c4797752
seccomp: Add a number of alternate and per-arch syscalls
Depending on the C library, but not necessarily in all the functions we use, statx() might be used instead of stat(), getdents() instead of getdents64(), readlinkat() instead of readlink(), openat() instead of open(). On aarch64, it's clone() and not fork(), and dup3() instead of dup2() -- just allow the existing alternative instead of dealing with per-arch selections.

Since glibc commit 9a7565403758 ("posix: Consolidate fork implementation"), we need to allow set_robust_list() for fork()/clone(), even in a single-threaded context.

On some architectures, epoll_pwait() is provided instead of epoll_wait(), but never both. Same with newfstat() and fstat(), sigreturn() and rt_sigreturn(), getdents64() and getdents(), readlink() and readlinkat(), unlink() and unlinkat(), whereas pipe() might not be available, but pipe2() always is, exclusively or not.

Seen on Fedora 34: newfstatat() is used on top of fstat().

syslog() is an actual system call on some glibc/arch combinations, instead of a connect()/send() implementation.

On ppc64 and ppc64le, _llseek(), recv(), send() and getuid() are used. For ppc64 only: ugetrlimit() for the getrlimit() implementation, plus sigreturn() and fcntl64().

On s390x, additionally, we need to allow socketcall() (on top of socket()), and sigreturn() also for passt (not just for pasta).

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
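The annotation syntax this commit relies on (plain names, name|alternative, arch:name, and a #syscalls:pasta directive for the pasta-only profile) is easy to get wrong by hand, so here is an added example, not passt's own seccomp.sh, that resolves such annotations into a per-architecture allowlist. The availability table and the sample annotation lines are constructed for the example, and the profile semantics (plain #syscalls feeds both passt and pasta, #syscalls:pasta only pasta) are an assumption, not something this page states.

```python
"""Resolve passt-style '#syscalls' annotations into a per-arch allowlist.

Added example, not passt's own seccomp.sh. It models the token forms used
in the annotations: 'name', 'name|alt' (whichever exists on the target arch),
'arch:name' (only for that arch) and a '#syscalls:pasta' directive whose
names go to the pasta profile only (assumed semantics for this example).
"""
import re

# Constructed availability table for illustration; a real generator would
# derive this from the kernel's per-arch syscall tables.
_COMMON = {"read", "write", "close", "ioctl", "writev",
           "epoll_ctl", "epoll_create1", "rt_sigreturn"}
AVAILABLE = {
    "x86_64": _COMMON | {"open", "openat", "fork", "clone", "dup2", "dup3",
                         "epoll_wait", "epoll_pwait"},
    # asm-generic style table: no open(), fork(), dup2() or epoll_wait()
    "aarch64": _COMMON | {"openat", "clone", "dup3", "epoll_pwait"},
    "ppc64": _COMMON | {"open", "openat", "fork", "clone", "dup2", "dup3",
                        "epoll_wait", "epoll_pwait", "_llseek", "recv", "send",
                        "getuid", "ugetrlimit", "sigreturn", "fcntl64"},
}

# Constructed sample: a subset of the annotation lines from the commit,
# as they appear inside the C comment above main().
SAMPLE = """\
 * #syscalls read write open|openat close fork|clone dup2|dup3 ioctl writev
 * #syscalls epoll_ctl epoll_create1 epoll_wait|epoll_pwait epoll_pwait
 * #syscalls ppc64:_llseek ppc64:recv ppc64:send ppc64:getuid ppc64:ugetrlimit
 * #syscalls s390x:socketcall s390x:sigreturn
 * #syscalls:pasta rt_sigreturn|sigreturn ppc64:sigreturn ppc64:fcntl64
"""

_DIRECTIVE = re.compile(
    r"^\s*\*?\s*#syscalls(?::(?P<profile>\w+))?\s+(?P<tokens>\S.*)$")


def parse_annotations(text):
    """Return a list of (profile, token) pairs; profile is None for plain '#syscalls'."""
    pairs = []
    for line in text.splitlines():
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        pairs.extend((m.group("profile"), tok) for tok in m.group("tokens").split())
    return pairs


def resolve(tokens, arch, available=AVAILABLE):
    """Map tokens to syscall names that exist on `arch`.

    Returns (allowed, unresolved). For 'a|b' every alternative present on the
    arch is kept: picking only the first would give a tighter filter, but a libc
    that uses the other alternative would then die with SIGSYS. A token with no
    available name is reported so the annotation can be fixed, not silently dropped.
    """
    allowed, unresolved = set(), []
    for tok in tokens:
        if ":" in tok:
            tok_arch, name = tok.split(":", 1)
            if tok_arch != arch:
                continue          # belongs to another architecture
            candidates = [name]
        else:
            candidates = tok.split("|")
        present = [n for n in candidates if n in available[arch]]
        if present:
            allowed.update(present)
        else:
            unresolved.append(tok)
    return allowed, unresolved


def build_profiles(text, arch, available=AVAILABLE):
    """Return {'passt': (allowed, unresolved), 'pasta': (allowed, unresolved)}.

    Assumed semantics: plain '#syscalls' feeds both profiles, '#syscalls:pasta'
    feeds only the pasta profile.
    """
    pairs = parse_annotations(text)
    common = [tok for profile, tok in pairs if profile is None]
    profiles = {}
    for name in ("passt", "pasta"):
        extra = [tok for profile, tok in pairs if profile == name]
        profiles[name] = resolve(common + extra, arch, available)
    return profiles


if __name__ == "__main__":
    for arch in AVAILABLE:
        for profile, (allowed, unresolved) in build_profiles(SAMPLE, arch).items():
            print(f"{arch:8} {profile}: {len(allowed)} syscalls"
                  + (f", unresolved {unresolved}" if unresolved else ""))
```

Running it shows why the alternative syntax matters: on the constructed aarch64 table, open|openat, fork|clone, dup2|dup3 and epoll_wait|epoll_pwait each collapse to the one name that exists, while the ppc64-prefixed tokens are ignored everywhere but ppc64. The unresolved list is the check a practitioner wants in the build: a name that exists on no alternative is a filter that will kill the process with SIGSYS at runtime rather than an entry that was quietly skipped.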
Diffstat (limited to 'passt.c')
-rw-r--r--  passt.c  14
1 files changed, 9 insertions, 5 deletions
diff --git a/passt.c b/passt.c
index 4f2b896..3c9fb90 100644
--- a/passt.c
+++ b/passt.c
@@ -273,12 +273,16 @@ static void pid_file(struct ctx *c) {
*
* Return: non-zero on failure
*
- * #syscalls read write open close fork dup2 exit chdir ioctl writev syslog
- * #syscalls prlimit64 epoll_ctl epoll_create1 epoll_wait accept4 accept listen
+ * #syscalls read write open|openat close fork|clone dup2|dup3 ioctl writev
* #syscalls socket bind connect getsockopt setsockopt recvfrom sendto shutdown
- * #syscalls openat fstat fcntl lseek clone setsid exit_group getpid
- * #syscalls clock_gettime newfstatat
- * #syscalls:pasta rt_sigreturn
+ * #syscalls accept4 accept listen set_robust_list getrlimit setrlimit
+ * #syscalls openat fcntl lseek clone setsid exit exit_group getpid chdir
+ * #syscalls epoll_ctl epoll_create1 epoll_wait|epoll_pwait epoll_pwait
+ * #syscalls prlimit64 clock_gettime fstat|newfstat newfstatat syslog
+ * #syscalls ppc64le:_llseek ppc64le:recv ppc64le:send ppc64le:getuid
+ * #syscalls ppc64:_llseek ppc64:recv ppc64:send ppc64:getuid ppc64:ugetrlimit
+ * #syscalls s390x:socketcall s390x:sigreturn
+ * #syscalls:pasta rt_sigreturn|sigreturn ppc64:sigreturn ppc64:fcntl64
*/
int main(int argc, char **argv)
{
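Review bot: the standalone epoll_pwait at the end of the "epoll_wait|epoll_pwait epoll_pwait" line is redundant with the alternative right before it, and the same overlap appears between "open|openat" and "fork|clone" on the first added line and the standalone openat and clone two lines later. The commit message says epoll_wait() and epoll_pwait() are never both provided, so "epoll_wait|epoll_pwait" already covers every case; if the standalone entries are deliberate, for instance because the generator treats a plain name differently from an alternative, one line in the comment saying so would save the next reader the question. Repeats do not widen the filter, but every name here is an allowlist entry, so keeping the list free of duplicates makes reviewing the profile's attack surface easier. Also, getrlimit and setrlimit join the list on the "accept4 accept listen set_robust_list getrlimit setrlimit" line, but the commit message only explains ugetrlimit on ppc64; a sentence on which code path needs them would help when someone later tries to tighten the profile.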