-rw-r--r-- | README.md | 2 | ||||
-rw-r--r-- | conf.c | 2 | ||||
-rw-r--r-- | passt.c | 14 | ||||
-rw-r--r-- | pasta.c | 3 | ||||
-rw-r--r-- | tap.c | 2 | ||||
-rw-r--r-- | tcp.c | 2 |
6 files changed, 15 insertions, 10 deletions
@@ -233,7 +233,7 @@ speeding up local connections, and usually requiring NAT. _pasta_:
 * ✅ root operation not allowed outside user namespaces
 * ✅ all capabilities dropped, other than `CAP_NET_BIND_SERVICE` (if granted)
 * ✅ no external dependencies (other than a standard C library)
-* ✅ restrictive seccomp profiles (46 syscalls allowed for _passt_, 58 for
+* ✅ restrictive seccomp profiles (50 syscalls allowed for _passt_, 62 for
   _pasta_)
 * ✅ static checkers in continuous integration (clang-tidy, cppcheck)
 * 🛠️ rework of TCP state machine (flags instead of states), TCP timers, and code
@@ -11,7 +11,7 @@
  * Copyright (c) 2020-2021 Red Hat GmbH
  * Author: Stefano Brivio <sbrivio@redhat.com>
  *
- * #syscalls stat
+ * #syscalls stat|statx
  */
 #include <arpa/inet.h>
@@ -273,12 +273,16 @@ static void pid_file(struct ctx *c) {
  *
  * Return: non-zero on failure
  *
- * #syscalls read write open close fork dup2 exit chdir ioctl writev syslog
- * #syscalls prlimit64 epoll_ctl epoll_create1 epoll_wait accept4 accept listen
+ * #syscalls read write open|openat close fork|clone dup2|dup3 ioctl writev
  * #syscalls socket bind connect getsockopt setsockopt recvfrom sendto shutdown
- * #syscalls openat fstat fcntl lseek clone setsid exit_group getpid
- * #syscalls clock_gettime newfstatat
- * #syscalls:pasta rt_sigreturn
+ * #syscalls accept4 accept listen set_robust_list getrlimit setrlimit
+ * #syscalls openat fcntl lseek clone setsid exit exit_group getpid chdir
+ * #syscalls epoll_ctl epoll_create1 epoll_wait|epoll_pwait epoll_pwait
+ * #syscalls prlimit64 clock_gettime fstat|newfstat newfstatat syslog
+ * #syscalls ppc64le:_llseek ppc64le:recv ppc64le:send ppc64le:getuid
+ * #syscalls ppc64:_llseek ppc64:recv ppc64:send ppc64:getuid ppc64:ugetrlimit
+ * #syscalls s390x:socketcall s390x:sigreturn
+ * #syscalls:pasta rt_sigreturn|sigreturn ppc64:sigreturn ppc64:fcntl64
  */
 int main(int argc, char **argv)
 {
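Review bot: The `a|b` form introduced at `#syscalls stat|statx` is new annotation syntax whose meaning (both names allowed, first one available, per-libc alternative) is stated nowhere in the commit, and the same form recurs in the passt.c, pasta.c, tap.c and tcp.c hunks. These comments are presumably parsed to produce the seccomp allow-list, so a reader auditing the profile cannot tell from the comment how many syscalls a `|` entry actually admits. Every pair on the page appears to be two kernel entry points for one operation (stat/statx, open/openat, unlink/unlinkat), so I would state the convention once, next to this first use, e.g. ` * Syntax: name|alt lists interchangeable syscalls for one operation` — wording to be confirmed against the generator. The enclosing file-header comment starts before the hunk.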
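Review bot: The rewritten allow-list for main() contains entries that look redundant or unintended and the commit does not explain them: `fork|clone` on the first added line while `clone` is also listed on its own two lines below, `epoll_wait|epoll_pwait` next to a standalone `epoll_pwait` (tcp.c's `pipe|pipe2 pipe2` has the same shape), and `s390x:socketcall`, which multiplexes the socket calls behind a single syscall number, so on s390x the filter cannot distinguish `socket` from `setsockopt` the way the other profiles on this page do. If `|` means "either", the standalone duplicates should be dropped so the list reflects the actual allow-set; if it means something else, the duplicates suggest a copy mistake. I would also record why the arch-qualified entries exist, e.g. ` * arch:name entries are extra syscalls the C library uses on that architecture` — hedged, since the hunk does not say. main() begins on the last line of the hunk and its body lies outside it.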
@@ -12,7 +12,8 @@
  * Author: Stefano Brivio <sbrivio@redhat.com>
  *
  * #syscalls:pasta clone unshare waitid kill execve exit_group rt_sigprocmask
- * #syscalls:pasta geteuid getdents64 readlink setsid nanosleep clock_nanosleep
+ * #syscalls:pasta geteuid getdents64|getdents readlink|readlinkat setsid
+ * #syscalls:pasta nanosleep clock_nanosleep
  */
 #include <sched.h>
@@ -772,7 +772,7 @@ restart:
  * tap_sock_init_unix() - Create and bind AF_UNIX socket, wait for connection
  * @c: Execution context
  *
- * #syscalls:passt unlink
+ * #syscalls:passt unlink|unlinkat
  */
 static void tap_sock_init_unix(struct ctx *c)
 {
@@ -304,7 +304,7 @@
  * - SPLICE_FIN_TO: FIN (EPOLLRDHUP) seen from connected socket
  * - SPLICE_FIN_BOTH: FIN (EPOLLRDHUP) seen from both sides
  *
- * #syscalls pipe pipe2
+ * #syscalls pipe|pipe2 pipe2
  */
 #include <sched.h> |