tap: Allow ioctl() and openat() for tap_ns_tun() re-initialisation
If the tun interface disappears, we'll call tap_ns_tun() after the seccomp profile is applied: add ioctl() and openat() to it.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
parent 37c228ada8
commit 8d85b6a99e
2 changed files with 3 additions and 1 deletions
|
@ -288,7 +288,7 @@ speeding up local connections, and usually requiring NAT. _pasta_:
|
||||||
* ✅ all capabilities dropped, other than `CAP_NET_BIND_SERVICE` (if granted)
|
* ✅ all capabilities dropped, other than `CAP_NET_BIND_SERVICE` (if granted)
|
||||||
* ✅ with default options, user, mount, IPC, UTS, PID namespaces are detached
|
* ✅ with default options, user, mount, IPC, UTS, PID namespaces are detached
|
||||||
* ✅ no external dependencies (other than a standard C library)
|
* ✅ no external dependencies (other than a standard C library)
|
||||||
* ✅ restrictive seccomp profiles (25 syscalls allowed for _passt_, 37 for
|
* ✅ restrictive seccomp profiles (25 syscalls allowed for _passt_, 39 for
|
||||||
_pasta_ on x86_64)
|
_pasta_ on x86_64)
|
||||||
* ✅ examples of [AppArmor](/passt/tree/contrib/apparmor) and
|
* ✅ examples of [AppArmor](/passt/tree/contrib/apparmor) and
|
||||||
[SELinux](/passt/tree/contrib/selinux) profiles available
|
[SELinux](/passt/tree/contrib/selinux) profiles available
|
||||||
|
|
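Review bot: The _pasta_ syscall count on the changed line (37 to 39 on x86_64) is a hand-maintained figure, so it is only right if neither `ioctl` nor `openat` was already in the _pasta_ allow-list through another `#syscalls` annotation; please confirm it against the generated profile rather than by adding 2. The _passt_ count stays at 25, which is consistent with the tap.c annotation being `#syscalls:pasta` only, but the commit message could say that _passt_ is deliberately left unchanged.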
2
tap.c
2
tap.c
|
@ -873,6 +873,8 @@ static int tun_ns_fd = -1;
|
||||||
* @c: Execution context
|
* @c: Execution context
|
||||||
*
|
*
|
||||||
* Return: 0
|
* Return: 0
|
||||||
|
*
|
||||||
|
* #syscalls:pasta ioctl openat
|
||||||
*/
|
*/
|
||||||
static int tap_ns_tun(void *arg)
|
static int tap_ns_tun(void *arg)
|
||||||
{
|
{
|
||||||
|
|
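Review bot: The new `* #syscalls:pasta ioctl openat` line in the tap_ns_tun() comment states no reason and no scope, so both calls read as allowed for the whole _pasta_ profile although the commit message only needs them for re-initialisation after the tun interface disappears. Please add a sentence to the comment saying that tap_ns_tun() can run after the seccomp profile is applied, and consider whether the `ioctl` entry can be limited to the request(s) this function needs, since an unrestricted `ioctl` plus `openat` widens what the process can reach once sandboxed.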