From 66d5930ec77caed942404ceef4829f2c4ca431bd Mon Sep 17 00:00:00 2001
From: Stefano Brivio
Date: Wed, 13 Oct 2021 22:25:03 +0200
Subject: passt, pasta: Add seccomp support

List of allowed syscalls comes from comments in the form:

#syscalls

for syscalls needed both in passt and pasta mode, and:

#syscalls:pasta
#syscalls:passt

for syscalls specifically needed in pasta or passt mode only.

seccomp.sh builds a list of BPF statements from those comments, prefixed by a binary search tree to keep lookup fast.

While at it, clean up a bit the Makefile using wildcards.

Signed-off-by: Stefano Brivio
---
 tap.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'tap.c')

diff --git a/tap.c b/tap.c
index ec2b8b5..d20503d 100644
--- a/tap.c
+++ b/tap.c
@@ -10,6 +10,8 @@
  *
  * Copyright (c) 2020-2021 Red Hat GmbH
  * Author: Stefano Brivio
+ *
+ * #syscalls recvfrom sendto
  */
 
 #define _GNU_SOURCE
@@ -768,6 +770,8 @@ restart:
 /**
  * tap_sock_init_unix() - Create and bind AF_UNIX socket, wait for connection
  * @c: Execution context
+ *
+ * #syscalls:passt unlink
  */
 static void tap_sock_init_unix(struct ctx *c)
 {
@@ -819,8 +823,13 @@ static void tap_sock_init_unix(struct ctx *c)
 }
 info("UNIX domain socket bound at %s\n", addr.sun_path);
 
+#ifdef PASST_LEGACY_NO_OPTIONS
+ /*
+ * syscalls:passt chmod
+ */
 chmod(addr.sun_path,
 S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH);
+#endif
 
 pcap_init(c, i);
 
@@ -850,6 +859,8 @@ static int tun_ns_fd = -1;
  * @c: Execution context
  *
  * Return: 0
+ *
+ * #syscalls:pasta ioctl
  */
 static int tap_ns_tun(void *arg)
 {
-- 
cgit v1.2.3
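Review bot: The annotation added under `#ifdef PASST_LEGACY_NO_OPTIONS` is written `* syscalls:passt chmod` without the leading `#`, so by the comment format the description gives (`#syscalls:passt ...`) seccomp.sh will not put chmod on the allow-list, and a build with PASST_LEGACY_NO_OPTIONS defined would have its chmod() call rejected by the filter — unless the script treats the `#`-less spelling specially, which nothing on this page shows. Either spell it `#syscalls:passt chmod` (accepting that chmod is then allowed in every passt build) or teach seccomp.sh about the build option, and say which in the comment. The legacy path also sets the socket to mode 0666 (`S_IROTH | S_IWOTH`), which lets any local user connect to the tap socket; a one-line comment such as `/* Legacy builds only: socket deliberately world-accessible */` would make clear that this is confined to that build and not to be copied to the default path. tap_sock_init_unix() starts before this hunk and its remaining body lies outside it.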
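Review bot: `#syscalls:pasta ioctl` grants the entire ioctl syscall to the pasta process, although tap_ns_tun() (whose body continues outside the hunk) presumably needs only the tun setup request; since the description says the filter is built from syscall numbers with a search tree and mentions no argument matching, every ioctl request on every descriptor becomes available once this line is in. If seccomp.sh later gains argument filtering this is the first entry to tighten; until then a note beside the annotation, e.g. `* #syscalls:pasta ioctl` followed by `* (any request: the filter matches syscall numbers only)`, records the trade-off for whoever revisits the allow-list.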