From 8d85b6a99ebf02a65a097ac3f5cdb83cd4119bd5 Mon Sep 17 00:00:00 2001 From: Stefano Brivio Date: Tue, 29 Mar 2022 23:47:35 +0200 Subject: tap: Allow ioctl() and openat() for tap_ns_tun() re-initialisation If the tun interface disappears, we'll call tap_ns_tun() after the seccomp profile is applied: add ioctl() and openat() to it. Signed-off-by: Stefano Brivio --- README.md | 2 +- tap.c | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index b045c6f..2ce01e9 100644 --- a/README.md +++ b/README.md @@ -288,7 +288,7 @@ speeding up local connections, and usually requiring NAT. _pasta_: * ✅ all capabilities dropped, other than `CAP_NET_BIND_SERVICE` (if granted) * ✅ with default options, user, mount, IPC, UTS, PID namespaces are detached * ✅ no external dependencies (other than a standard C library) -* ✅ restrictive seccomp profiles (25 syscalls allowed for _passt_, 37 for +* ✅ restrictive seccomp profiles (25 syscalls allowed for _passt_, 39 for _pasta_ on x86_64) * ✅ examples of [AppArmor](/passt/tree/contrib/apparmor) and [SELinux](/passt/tree/contrib/selinux) profiles available diff --git a/tap.c b/tap.c index aca8c75..f6de5f1 100644 --- a/tap.c +++ b/tap.c @@ -873,6 +873,8 @@ static int tun_ns_fd = -1; * @c: Execution context * * Return: 0 + * + * #syscalls:pasta ioctl openat */ static int tap_ns_tun(void *arg) { -- cgit v1.2.3