author | Stefano Brivio <sbrivio@redhat.com> | 2021-10-13 22:25:03 +0200 |
committer | Stefano Brivio <sbrivio@redhat.com> | 2021-10-14 13:15:46 +0200 |
commit | 66d5930ec77caed942404ceef4829f2c4ca431bd (patch) | |
tree | cef75db6ce37ddd50de819f1dc53dcd602b97c36 /tcp.c | |
parent | f318174a9387ecd94d83ed0b9356940c60753846 (diff) | |
passt, pasta: Add seccomp support
List of allowed syscalls comes from comments in the form:
#syscalls <list>
for syscalls needed both in passt and pasta mode, and:
#syscalls:pasta <list>
#syscalls:passt <list>
for syscalls specifically needed in pasta or passt mode only.
seccomp.sh builds a list of BPF statements from those comments,
prefixed by a binary search tree to keep lookup fast.
While at it, clean up the Makefile a bit using wildcards.
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Diffstat (limited to 'tcp.c')
-rw-r--r-- | tcp.c | 11 |
1 files changed, 11 insertions, 0 deletions
@@ -303,6 +303,8 @@
  * - SPLICE_FIN_FROM: FIN (EPOLLRDHUP) seen from originating socket
  * - SPLICE_FIN_TO: FIN (EPOLLRDHUP) seen from connected socket
  * - SPLICE_FIN_BOTH: FIN (EPOLLRDHUP) seen from both sides
+ *
+ * #syscalls pipe pipe2
  */
 #define _GNU_SOURCE
@@ -2078,6 +2080,9 @@ static void tcp_sock_consume(struct tcp_tap_conn *conn, uint32_t ack_seq)
  * @now: Current timestamp
  *
  * Return: negative on connection reset, 0 otherwise
+ *
+ * #syscalls recvmsg
+ * #syscalls:passt sendmmsg sendmsg
  */
 static int tcp_data_from_sock(struct ctx *c, struct tcp_tap_conn *conn,
 			      struct timespec *now)
@@ -2320,6 +2325,8 @@ out:
  * @msg: Array of messages from tap
  * @count: Count of messages
  * @now: Current timestamp
+ *
+ * #syscalls sendmsg
  */
 static void tcp_data_from_tap(struct ctx *c, struct tcp_tap_conn *conn,
 			      struct tap_l4_msg *msg, int count,
@@ -2965,6 +2972,8 @@ static void tcp_conn_from_sock(struct ctx *c, union epoll_ref ref,
  * @c: Execution context
  * @ref: epoll reference
  * @events: epoll events bitmap
+ *
+ * #syscalls splice
  */
 void tcp_sock_handler_splice(struct ctx *c, union epoll_ref ref,
 			     uint32_t events)
@@ -3525,6 +3534,8 @@ static int tcp_sock_refill(void *arg)
  * @c: Execution context
  *
  * Return: 0 on success, -1 on failure
+ *
+ * #syscalls getrandom
  */
 int tcp_sock_init(struct ctx *c, struct timespec *now)
 { |
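Review bot: The `#syscalls pipe pipe2` tag in the first hunk is placed in the file-level splice description rather than on the kernel-doc of the function that actually creates the pipes, so nothing ties this allowlist entry to its call site; the other four hunks (recvmsg/sendmmsg/sendmsg in tcp_data_from_sock, sendmsg in tcp_data_from_tap, splice in tcp_sock_handler_splice, getrandom in tcp_sock_init) do attach the tag to the function concerned. Because seccomp.sh derives the filter from these comments, a tag that drifts away from its code is easy to leave stale when the call is changed: a missing entry only shows up as the process being killed by the seccomp filter at runtime, and a surplus one widens the sandbox beyond what the code needs. Consider moving the tag next to the function that issues the call, and, if only pipe2() is used there (I cannot see the call site in this diff), narrowing it to `* #syscalls pipe2`. It would also help readers of tcp.c to have one sentence in that file-level block saying that these tags are collected by seccomp.sh to build the per-mode allowlist, phrased so the script does not match it as another tag.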