author | Stefano Brivio <sbrivio@redhat.com> | 2021-10-13 22:25:03 +0200 |
---|---|---|
committer | Stefano Brivio <sbrivio@redhat.com> | 2021-10-14 13:15:46 +0200 |
commit | 66d5930ec77caed942404ceef4829f2c4ca431bd (patch) | |
tree | cef75db6ce37ddd50de819f1dc53dcd602b97c36 /tap.c | |
parent | f318174a9387ecd94d83ed0b9356940c60753846 (diff) | |
passt, pasta: Add seccomp support
List of allowed syscalls comes from comments in the form:
#syscalls <list>
for syscalls needed both in passt and pasta mode, and:
#syscalls:pasta <list>
#syscalls:passt <list>
for syscalls specifically needed in pasta or passt mode only.
seccomp.sh builds a list of BPF statements from those comments,
prefixed by a binary search tree to keep lookup fast.
While at it, clean up the Makefile a bit using wildcards.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Diffstat (limited to 'tap.c')
-rw-r--r-- | tap.c | 11 |
1 files changed, 11 insertions, 0 deletions
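--- a/tap.c
+++ b/tap.c
@@ -10,6 +10,8 @@
  *
  * Copyright (c) 2020-2021 Red Hat GmbH
  * Author: Stefano Brivio <sbrivio@redhat.com>
+ *
+ * #syscalls recvfrom sendto
  */
 
 #define _GNU_SOURCE
@@ -768,6 +770,8 @@ restart:
 /**
  * tap_sock_init_unix() - Create and bind AF_UNIX socket, wait for connection
  * @c: Execution context
+ *
+ * #syscalls:passt unlink
  */
 static void tap_sock_init_unix(struct ctx *c)
 {
@@ -819,8 +823,13 @@ static void tap_sock_init_unix(struct ctx *c)
 	}
 	info("UNIX domain socket bound at %s\n", addr.sun_path);
 
+#ifdef PASST_LEGACY_NO_OPTIONS
+	/*
+	 * syscalls:passt chmod
+	 */
 	chmod(addr.sun_path, S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP |
 			     S_IROTH | S_IWOTH);
+#endif
 
 	pcap_init(c, i);
 
@@ -850,6 +859,8 @@ static int tun_ns_fd = -1;
  * @c: Execution context
  *
  * Return: 0
+ *
+ * #syscalls:pasta ioctl
  */
 static int tap_ns_tun(void *arg)
 {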
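Review bot: The marker added inside the PASST_LEGACY_NO_OPTIONS block in the third hunk reads `syscalls:passt chmod` without the `#` prefix that the commit description gives as the annotation format, so seccomp.sh presumably skips it and chmod stays out of the passt filter, unlike the `#syscalls:passt unlink` and `#syscalls:pasta ioctl` markers in the other hunks. If keeping chmod out of the default allowlist is the intent, a build with that option defined would still reach the chmod() call right below and be killed by the filter there; if it is a typo, the line should read ` * #syscalls:passt chmod`. Either way a short comment stating which it is would spare the next reader the guess, e.g. `/* deliberately not a #syscalls marker: chmod is only wanted in legacy builds */`. tap_sock_init_unix() starts before this hunk and continues past it.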