From 66d5930ec77caed942404ceef4829f2c4ca431bd Mon Sep 17 00:00:00 2001 From: Stefano Brivio Date: Wed, 13 Oct 2021 22:25:03 +0200 Subject: passt, pasta: Add seccomp support List of allowed syscalls comes from comments in the form: #syscalls for syscalls needed both in passt and pasta mode, and: #syscalls:pasta #syscalls:passt for syscalls specifically needed in pasta or passt mode only. seccomp.sh builds a list of BPF statements from those comments, prefixed by a binary search tree to keep lookup fast. While at it, clean up a bit the Makefile using wildcards. Signed-off-by: Stefano Brivio
---
tcp.c | 11 +++++++++++ 1 file changed, 11 insertions(+) (limited to 'tcp.c')
diff --git a/tcp.c b/tcp.c
index b49f49e..05382f7 100644
--- a/tcp.c
+++ b/tcp.c
@@ -303,6 +303,8 @@
 * - SPLICE_FIN_FROM: FIN (EPOLLRDHUP) seen from originating socket
 * - SPLICE_FIN_TO: FIN (EPOLLRDHUP) seen from connected socket
 * - SPLICE_FIN_BOTH: FIN (EPOLLRDHUP) seen from both sides
+ *
+ * #syscalls pipe pipe2
 */

 #define _GNU_SOURCE
@@ -2078,6 +2080,9 @@ static void tcp_sock_consume(struct tcp_tap_conn *conn, uint32_t ack_seq)
 * @now: Current timestamp
 *
 * Return: negative on connection reset, 0 otherwise
+ *
+ * #syscalls recvmsg
+ * #syscalls:passt sendmmsg sendmsg
 */
 static int tcp_data_from_sock(struct ctx *c, struct tcp_tap_conn *conn,
 struct timespec *now)
@@ -2320,6 +2325,8 @@ out:
 * @msg: Array of messages from tap
 * @count: Count of messages
 * @now: Current timestamp
+ *
+ * #syscalls sendmsg
 */
 static void tcp_data_from_tap(struct ctx *c, struct tcp_tap_conn *conn,
 struct tap_l4_msg *msg, int count,
@@ -2965,6 +2972,8 @@ static void tcp_conn_from_sock(struct ctx *c, union epoll_ref ref,
 * @c: Execution context
 * @ref: epoll reference
 * @events: epoll events bitmap
+ *
+ * #syscalls splice
 */
 void tcp_sock_handler_splice(struct ctx *c, union epoll_ref ref,
 uint32_t events)
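Review bot: The `#syscalls pipe pipe2` marker added to the file-header comment (the splice state-machine description, which begins before this hunk) is the one allow-list entry in this file that is not anchored to the function issuing the call, unlike the four function-level markers in the other hunks. Because seccomp.sh derives the BPF allow-list from these comments, a later change that replaces or removes the pipe creation will not be anywhere near this entry, and the resulting mismatch would only show up at runtime as a syscall blocked by the installed filter rather than at build time. Moving the marker into the kernel-doc of the function that actually creates the pipes (presumably the splice setup path, not visible here) would keep it next to its call site. It would also help a reader unfamiliar with the build to prefix the first marker in the file with `* (#syscalls lines are parsed by seccomp.sh to build the seccomp allow-list)`.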
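Review bot: `#syscalls:passt sendmmsg sendmsg` allows both send syscalls in passt mode while nothing on the send side is listed for pasta, and the comment gives no rationale; tcp_data_from_sock's body lies outside the hunk, so a reviewer cannot confirm from here which syscall the pasta path uses to forward data or that it is covered by an entry elsewhere. A one-line justification would make the allow-list auditable without reading seccomp.sh and the whole function, e.g. `* #syscalls:passt sendmmsg sendmsg (pasta writes to the tap fd instead — TODO confirm)`, adjusted to whatever the pasta path really calls. If sendmsg is only the fallback for a partial sendmmsg, say so as well, since rarely taken fallback paths are exactly where an incomplete seccomp allow-list tends to be discovered in production rather than in tests.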
@@ -3525,6 +3534,8 @@ static int tcp_sock_refill(void *arg)
 * @c: Execution context
 *
 * Return: 0 on success, -1 on failure
+ *
+ * #syscalls getrandom
 */
 int tcp_sock_init(struct ctx *c, struct timespec *now)
 {
-- 
cgit v1.2.3
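Review bot: `#syscalls getrandom` is added to tcp_sock_init's kernel-doc without saying what the randomness is for, and the function body lies outside the hunk (the `tcp_sock_refill` in the hunk header is the preceding function's context), so the entry cannot be checked against a call site from here. Each marker widens the process-wide seccomp allow-list for the program's whole lifetime, so stating its purpose lets a later reader drop it when the call goes away, e.g. `* #syscalls getrandom (seeds the secret used by this function — confirm against the call in the body)`. A caveat worth a comment at the call site if the flags argument is 0: getrandom() then blocks until the kernel's entropy pool is initialised, which matters if the daemon can be started very early in boot.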