From 3ff0fed3671ed5e8aae5eab0286b8f1429814a32 Mon Sep 17 00:00:00 2001
From: Carlos Garnacho
Date: Wed, 20 Nov 2024 02:27:25 +0100
Subject: [PATCH] Backport seccomp rules

Resolves: RHEL-33587
---
 0001-seccomp-Disallow-fchown.patch | 30 ++++++++++++++++++++++++++++++
 tracker-miners.spec | 7 ++++++-
 2 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 0001-seccomp-Disallow-fchown.patch

diff --git a/0001-seccomp-Disallow-fchown.patch b/0001-seccomp-Disallow-fchown.patch
new file mode 100644
index 0000000..7e7cded
--- /dev/null
+++ b/0001-seccomp-Disallow-fchown.patch
@@ -0,0 +1,30 @@
+From cdf284962357abf5521670470e3239e92c4e4a31 Mon Sep 17 00:00:00 2001
+From: Carlos Garnacho
+Date: Tue, 4 Oct 2022 17:38:28 +0200
+Subject: [PATCH] seccomp: Disallow fchown
+
+This is needed by SQLite on some circumstances, but these mostly
+apply to databases being opened with other users. This is something
+that happens on CI, but is not expected to happen in real circumstances.
+
+Anyhow, SQLite does not check for fchown return value, so just error
+out softly if that happens.
+---
+ src/libtracker-miners-common/tracker-seccomp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/libtracker-miners-common/tracker-seccomp.c b/src/libtracker-miners-common/tracker-seccomp.c
+index 2f9cb8176..3102d0997 100644
+--- a/src/libtracker-miners-common/tracker-seccomp.c
++++ b/src/libtracker-miners-common/tracker-seccomp.c
+@@ -155,6 +155,7 @@ tracker_seccomp_init (void)
+ ALLOW_RULE (time);
+ ALLOW_RULE (fsync);
+ ALLOW_RULE (umask);
++ ERROR_RULE (fchown, EPERM);
+ /* Processes and threads */
+ ALLOW_RULE (clone);
+ ALLOW_RULE (clone3);
+--
+2.47.0
+
diff --git a/tracker-miners.spec b/tracker-miners.spec
index d0bf958..d89f0c2 100644
--- a/tracker-miners.spec
+++ b/tracker-miners.spec
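Review bot: The soft-failure rule added at `ERROR_RULE (fchown, EPERM);` covers only the `fchown` syscall; `fchownat`, `chown` and `lchown` get no such rule here, so if the filter's default action kills the process (the 2.1.5-2 changelog describes a "stricter seccomp jail", which suggests it does, but the default is set outside this hunk) the same ownership change reached through one of those entry points would terminate the miner rather than fail softly as the patch intends. Consider `ERROR_RULE (fchownat, EPERM);` alongside it, and the chown/lchown variants unless the rest of the filter already handles them. EPERM is also what the kernel hands an unprivileged caller for a disallowed chown, so SQLite sees nothing unusual and the reliance on it ignoring the result is sound; a comment above the rule, `/* SQLite may fchown() a journal to match the db owner; it ignores the result, so fail softly rather than kill */`, would record why this is ERROR_RULE and not ALLOW_RULE or the filter default. ERROR_RULE is not defined in this hunk and the context lines (clone3 at line 155) look like the file as already modified by Patch1, so whether the 2.1.5 tree carries that macro should be confirmed at build time; tracker_seccomp_init continues outside the hunk.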
@@ -14,7 +14,7 @@
 Name: tracker-miners
 Version: 2.1.5
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Tracker miners and metadata extractors
 # libtracker-extract is LGPLv2+; the miners are a mix of GPLv2+ and LGPLv2+ code
@@ -23,6 +23,7 @@ URL: https://wiki.gnome.org/Projects/Tracker
 Source0: https://download.gnome.org/sources/%{name}/2.1/%{name}-%{version}.tar.xz
 Patch1: backport-seccomp-improvements.diff
+Patch2: 0001-seccomp-Disallow-fchown.patch
 BuildRequires: giflib-devel
 BuildRequires: intltool
@@ -129,6 +130,10 @@ rm -f %{buildroot}%{_libdir}/tracker-miners-2.0/*.so
 %changelog
+* Wed Nov 20 2024 Carlos Garnacho - 2.1.5-3
+- Backport seccomp rules
+ Resolves: RHEL-33587
+
 * Tue Dec 05 2023 Carlos Garnacho - 2.1.5-2
 - Backport stricter seccomp jail
 Resolves: RHEL-12466
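Review bot: `Patch2: 0001-seccomp-Disallow-fchown.patch` is declared in the second hunk, but nothing in this diff applies it: if the %prep section uses explicit `%patch1 -p1` style lines rather than `%autosetup`/`%autopatch`, a matching `%patch2 -p1` is needed, otherwise the new seccomp rule silently never lands in the built package while the changelog claims it does. The %prep section is outside these hunks, so this is a check to make rather than a certain defect. The Release bump and changelog entry are otherwise consistent with the new patch.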