tap: Allow ioctl() and openat() for tap_ns_tun() re-initialisation

If the tun interface disappears, we'll call tap_ns_tun() after the
seccomp profile is applied: add ioctl() and openat() to it.

Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
This commit is contained in:
Stefano Brivio 2022-03-29 23:47:35 +02:00
parent 37c228ada8
commit 8d85b6a99e
2 changed files with 3 additions and 1 deletions

View file

@ -288,7 +288,7 @@ speeding up local connections, and usually requiring NAT. _pasta_:
* ✅ all capabilities dropped, other than `CAP_NET_BIND_SERVICE` (if granted) * ✅ all capabilities dropped, other than `CAP_NET_BIND_SERVICE` (if granted)
* ✅ with default options, user, mount, IPC, UTS, PID namespaces are detached * ✅ with default options, user, mount, IPC, UTS, PID namespaces are detached
* ✅ no external dependencies (other than a standard C library) * ✅ no external dependencies (other than a standard C library)
* ✅ restrictive seccomp profiles (25 syscalls allowed for _passt_, 37 for * ✅ restrictive seccomp profiles (25 syscalls allowed for _passt_, 39 for
_pasta_ on x86_64) _pasta_ on x86_64)
* ✅ examples of [AppArmor](/passt/tree/contrib/apparmor) and * ✅ examples of [AppArmor](/passt/tree/contrib/apparmor) and
[SELinux](/passt/tree/contrib/selinux) profiles available [SELinux](/passt/tree/contrib/selinux) profiles available

2
tap.c
View file

@ -873,6 +873,8 @@ static int tun_ns_fd = -1;
* @c: Execution context * @c: Execution context
* *
* Return: 0 * Return: 0
*
* #syscalls:pasta ioctl openat
*/ */
static int tap_ns_tun(void *arg) static int tap_ns_tun(void *arg)
{ {