From 66d5930ec77caed942404ceef4829f2c4ca431bd Mon Sep 17 00:00:00 2001
From: Stefano Brivio
Date: Wed, 13 Oct 2021 22:25:03 +0200
Subject: passt, pasta: Add seccomp support
List of allowed syscalls comes from comments in the form: #syscalls for syscalls needed both in passt and pasta mode, and: #syscalls:pasta #syscalls:passt for syscalls specifically needed in pasta or passt mode only. seccomp.sh builds a list of BPF statements from those comments, prefixed by a binary search tree to keep lookup fast. While at it, clean up a bit the Makefile using wildcards.
Signed-off-by: Stefano Brivio
---
 Makefile | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)
 (limited to 'Makefile')
diff --git a/Makefile b/Makefile
index 9f0e3bf..26b6840 100644
--- a/Makefile
+++ b/Makefile
@@ -2,6 +2,7 @@ CFLAGS += -Wall -Wextra -pedantic
 CFLAGS += -DRLIMIT_STACK_VAL=$(shell ulimit -s)
 CFLAGS += -DPAGE_SIZE=$(shell getconf PAGE_SIZE)
 CFLAGS += -DNETNS_RUN_DIR=\"/run/netns\"
+CFLAGS += -DPASST_AUDIT_ARCH=AUDIT_ARCH_$(shell uname -m | tr [a-z] [A-Z])
 prefix ?= /usr/local
@@ -13,14 +14,12 @@ avx2: clean all
 static: CFLAGS += -static
 static: clean all
-passt: passt.c passt.h arp.c arp.h checksum.c checksum.h conf.c conf.h \
- dhcp.c dhcp.h dhcpv6.c dhcpv6.h pcap.c pcap.h ndp.c ndp.h \
- netlink.c netlink.h pasta.c pasta.h siphash.c siphash.h tap.c tap.h \
- icmp.c icmp.h tcp.c tcp.h udp.c udp.h util.c util.h
- $(CC) $(CFLAGS) \
- passt.c arp.c checksum.c conf.c dhcp.c dhcpv6.c pasta.c pcap.c \
- ndp.c netlink.c siphash.c tap.c icmp.c tcp.c udp.c util.c \
- -o passt
+seccomp.h: *.c $(filter-out seccomp.h,$(wildcard *.h))
+ @ ./seccomp.sh
+
+passt: $(filter-out qrap.c,$(wildcard *.c)) \
+ $(filter-out qrap.h,$(wildcard *.h)) seccomp.h
+ $(CC) $(CFLAGS) $(filter-out qrap.c,$(wildcard *.c)) -o passt
 pasta: passt
 ln -s passt pasta
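Review bot: The `tr [a-z] [A-Z]` arguments in the added `PASST_AUDIT_ARCH` line are unquoted, so the shell treats them as glob patterns and a single-letter file name in the build directory would silently change the generated macro; quote them, `$(shell uname -m | tr '[a-z]' '[A-Z]')`. The value is also taken from the build host's `uname -m`, which is the wrong machine when cross-compiling and does not always spell an existing `AUDIT_ARCH_*` constant (`i686` and `armv7l`, for example, have no constant of that name). If this macro feeds the architecture check of the seccomp filter, as its name suggests, it is worth recording the constraint next to the line, e.g. `# must name the target's AUDIT_ARCH_* constant, not merely the build host's uname`.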
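Review bot: The new `seccomp.h` rule in the second hunk does not list `seccomp.sh` as a prerequisite, so editing the generator (for instance to tighten the emitted filter) leaves a stale allow-list header in place until `make clean`; add it, `seccomp.h: seccomp.sh *.c $(filter-out seccomp.h,$(wildcard *.h))`. The `@` prefix hides the one command that produces the syscall policy, and dropping it would let build logs show when the filter was regenerated. Because the `passt` source list is now a wildcard, any extra `.c` file in the directory is linked into the binary and, presumably, scanned for `#syscalls` comments as well; a comment above the rule such as `# all *.c except qrap.c are built into passt; keep stray sources out of this directory` would make that explicit.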
@@ -35,7 +34,7 @@ qrap: qrap.c passt.h
 .PHONY: clean
 clean:
- -${RM} passt *.o qrap pasta pasta.1 passt4netns \
+ -${RM} passt *.o seccomp.h qrap pasta pasta.1 passt4netns \
 passt.tar passt.tar.gz *.deb *.rpm
 install: passt pasta qrap
-- cgit v1.2.3