tap: Allow ioctl() and openat() for tap_ns_tun() re-initialisation

If the tun interface disappears, we'll call tap_ns_tun() after the seccomp profile is applied: add ioctl() and openat() to it. Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
2024-07-01 23:42:41 +00:00 · 2022-03-29 23:47:35 +02:00 · 2022-03-29 23:47:35 +02:00 · 8d85b6a99e
commit 8d85b6a99e
parent 37c228ada8
2 changed files with 3 additions and 1 deletions
--- a/README.md
+++ b/README.md
@ -288,7 +288,7 @@ speeding up local connections, and usually requiring NAT. _pasta_:
 * ✅ all capabilities dropped, other than `CAP_NET_BIND_SERVICE` (if granted)
 * ✅ with default options, user, mount, IPC, UTS, PID namespaces are detached
 * ✅ no external dependencies (other than a standard C library)
-* ✅ restrictive seccomp profiles (25 syscalls allowed for _passt_, 37 for
+* ✅ restrictive seccomp profiles (25 syscalls allowed for _passt_, 39 for
  _pasta_ on x86_64)
 * ✅ examples of [AppArmor](/passt/tree/contrib/apparmor) and
  [SELinux](/passt/tree/contrib/selinux) profiles available
--- a/tap.c
+++ b/tap.c
@ -873,6 +873,8 @@ static int tun_ns_fd = -1;
 * @c:		Execution context
 *
 * Return: 0
+ *
+ * #syscalls:pasta ioctl openat
 */
 static int tap_ns_tun(void *arg)
 {