| Field | Value | Date |
|---|---|---|
| author | Stefano Brivio <sbrivio@redhat.com> | 2022-01-26 06:55:28 +0100 |
| committer | Stefano Brivio <sbrivio@redhat.com> | 2022-01-26 16:30:59 +0100 |
| commit | 33b1bdd079f1b40dffb040e40579d7434c28d10a (patch) | |
| tree | bb087d77e93f7c88bf4ab69dab03b75a319da747 /pasta.c | |
| parent | be265eef0631217e6566781d388ae078c4797752 (diff) | |
seccomp: Add a number of alternate and per-arch syscalls
Depending on the C library, but not necessarily in all the
functions we use, statx() might be used instead of stat(),
getdents() instead of getdents64(), readlinkat() instead of
readlink(), openat() instead of open().
On aarch64, it's clone() and not fork(), and dup3() instead of
dup2() -- just allow the existing alternative instead of dealing
with per-arch selections.
Since glibc commit 9a7565403758 ("posix: Consolidate fork
implementation"), we need to allow set_robust_list() for
fork()/clone(), even in a single-threaded context.
On some architectures, epoll_pwait() is provided instead of
epoll_wait(), but never both. Same with newfstat() and
fstat(), sigreturn() and rt_sigreturn(), getdents64() and
getdents(), readlink() and readlinkat(), unlink() and
unlinkat(), whereas pipe() might not be available, but
pipe2() always is, exclusively or not.
Seen on Fedora 34: newfstatat() is used on top of fstat().
syslog() is an actual system call on some glibc/arch combinations,
instead of a connect()/send() implementation.
On ppc64 and ppc64le, _llseek(), recv(), send() and getuid()
are used. For ppc64 only: ugetrlimit() for the getrlimit()
implementation, plus sigreturn() and fcntl64().
On s390x, additionally, we need to allow socketcall() (on top
of socket()), and sigreturn() also for passt (not just for
pasta).
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Diffstat (limited to 'pasta.c')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | pasta.c | 3 |

1 files changed, 2 insertions, 1 deletions
@@ -12,7 +12,8 @@ * Author: Stefano Brivio <sbrivio@redhat.com> * * #syscalls:pasta clone unshare waitid kill execve exit_group rt_sigprocmask - * #syscalls:pasta geteuid getdents64 readlink setsid nanosleep clock_nanosleep + * #syscalls:pasta geteuid getdents64|getdents readlink|readlinkat setsid + * #syscalls:pasta nanosleep clock_nanosleep */ #include <sched.h> |
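Review bot: the `a|b` alternation introduced on the `#syscalls:pasta` lines (`getdents64|getdents`, `readlink|readlinkat`) is not explained anywhere in the hunk, so a reader auditing the resulting seccomp profile cannot tell whether both syscalls end up allowed on every architecture or only whichever one the C library actually provides; a one-line comment next to these annotations stating the intended semantics would make the allow-list reviewable. Worth noting while documenting it: `readlinkat()` is a strict superset of `readlink()` (it takes a directory fd and resolves relative paths against it), so unconditionally allowing the pair widens the filesystem surface slightly compared with the previous `readlink`-only entry; if the generator allows both names wherever both exist, consider whether `readlinkat` should be restricted to the architectures that lack `readlink`, as the commit message's "never both" wording suggests. Splitting `nanosleep clock_nanosleep` onto its own `#syscalls:pasta` line is fine as long as the extraction script concatenates all annotation lines for the `pasta` target rather than taking the first match.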