From 8d85b6a99ebf02a65a097ac3f5cdb83cd4119bd5 Mon Sep 17 00:00:00 2001
From: Stefano Brivio <sbrivio@redhat.com>
Date: Tue, 29 Mar 2022 23:47:35 +0200
Subject: tap: Allow ioctl() and openat() for tap_ns_tun() re-initialisation

If the tun interface disappears, we'll call tap_ns_tun() after the
seccomp profile is applied: add ioctl() and openat() to it.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
---
 README.md | 2 +-
 tap.c     | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index b045c6f..2ce01e9 100644
--- a/README.md
+++ b/README.md
@@ -288,7 +288,7 @@ speeding up local connections, and usually requiring NAT. _pasta_:
 * ✅ all capabilities dropped, other than `CAP_NET_BIND_SERVICE` (if granted)
 * ✅ with default options, user, mount, IPC, UTS, PID namespaces are detached
 * ✅ no external dependencies (other than a standard C library)
-* ✅ restrictive seccomp profiles (25 syscalls allowed for _passt_, 37 for
+* ✅ restrictive seccomp profiles (25 syscalls allowed for _passt_, 39 for
   _pasta_ on x86_64)
 * ✅ examples of [AppArmor](/passt/tree/contrib/apparmor) and
   [SELinux](/passt/tree/contrib/selinux) profiles available
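Review bot: The new count on the `+` line (39 for _pasta_) is only right if neither `ioctl` nor `openat` was already in the pasta allowlist through another function's `#syscalls:pasta` annotation; if one of them was, the total rises by less than two. Please confirm the figure against the generated profile rather than by adding two to the old number. Since this count is maintained by hand in the README, it will drift again with the next annotation change, so consider deriving it at build time or dropping the exact number from the bullet.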
diff --git a/tap.c b/tap.c
index aca8c75..f6de5f1 100644
--- a/tap.c
+++ b/tap.c
@@ -873,6 +873,8 @@ static int tun_ns_fd = -1;
  * @c:		Execution context
  *
  * Return: 0
+ *
+ * #syscalls:pasta ioctl openat
  */
 static int tap_ns_tun(void *arg)
 {
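Review bot: The added `#syscalls:pasta ioctl openat` annotation allows both syscalls for the whole lifetime of the pasta process, while the commit message says they are needed only when the tun interface disappears and tap_ns_tun() runs again after the seccomp profile is applied. Both are broad syscalls, and nothing in this hunk limits them to the path or the ioctl request this function uses. If the profile generator supports argument filters, restrict `ioctl` to the request issued here; if it does not, say so in the comment. It would also help to add one line to the function comment explaining that the annotation exists for the re-initialisation path, so a later reader does not take it for a leftover from initial setup and either remove it or treat it as a precedent for widening the profile.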
-- 
cgit v1.2.3