Backport seccomp rules

Resolves: RHEL-33587
This commit is contained in:
Carlos Garnacho 2024-11-20 02:27:25 +01:00
parent 10148dbe44
commit 3ff0fed367
2 changed files with 36 additions and 1 deletions
@ -0,0 +1,30 @@
From cdf284962357abf5521670470e3239e92c4e4a31 Mon Sep 17 00:00:00 2001
From: Carlos Garnacho <carlosg@gnome.org>
Date: Tue, 4 Oct 2022 17:38:28 +0200
Subject: [PATCH] seccomp: Disallow fchown
This is needed by SQLite on some circumstances, but these mostly
apply to databases being opened with other users. This is something
that happens on CI, but is not expected to happen in real circumstances.
Anyhow, SQLite does not check for fchown return value, so just error
out softly if that happens.
---
src/libtracker-miners-common/tracker-seccomp.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/src/libtracker-miners-common/tracker-seccomp.c b/src/libtracker-miners-common/tracker-seccomp.c
index 2f9cb8176..3102d0997 100644
--- a/src/libtracker-miners-common/tracker-seccomp.c
+++ b/src/libtracker-miners-common/tracker-seccomp.c
@@ -155,6 +155,7 @@ tracker_seccomp_init (void)
ALLOW_RULE (time);
ALLOW_RULE (fsync);
ALLOW_RULE (umask);
+ ERROR_RULE (fchown, EPERM);
/* Processes and threads */
ALLOW_RULE (clone);
ALLOW_RULE (clone3);
--
2.47.0
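Review bot: the added `ERROR_RULE (fchown, EPERM);` in the tracker_seccomp_init hunk depends on an ERROR_RULE macro that is not visible in this context; the upstream patch (cdf28496, Oct 2022) was written against a newer tree than 2.1.5, so confirm that the 2.1.5 source, with the earlier backport-seccomp-improvements.diff from 2.1.5-2 applied, actually defines ERROR_RULE, otherwise this only fails at build time. The choice of an errno rule rather than the kill action matches the patch description (SQLite ignores the fchown result, so a soft EPERM is enough); note that only fchown is covered here, and whether chown, lchown and fchownat are handled depends on rules elsewhere in the file, outside this hunk.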
@ -14,7 +14,7 @@
Name: tracker-miners Name: tracker-miners
Version: 2.1.5 Version: 2.1.5
Release: 2%{?dist} Release: 3%{?dist}
Summary: Tracker miners and metadata extractors Summary: Tracker miners and metadata extractors
# libtracker-extract is LGPLv2+; the miners are a mix of GPLv2+ and LGPLv2+ code # libtracker-extract is LGPLv2+; the miners are a mix of GPLv2+ and LGPLv2+ code
@ -23,6 +23,7 @@ URL: https://wiki.gnome.org/Projects/Tracker
Source0: https://download.gnome.org/sources/%{name}/2.1/%{name}-%{version}.tar.xz Source0: https://download.gnome.org/sources/%{name}/2.1/%{name}-%{version}.tar.xz
Patch1: backport-seccomp-improvements.diff Patch1: backport-seccomp-improvements.diff
Patch2: 0001-seccomp-Disallow-fchown.patch
BuildRequires: giflib-devel BuildRequires: giflib-devel
BuildRequires: intltool BuildRequires: intltool
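Review bot: the `Patch2: 0001-seccomp-Disallow-fchown.patch` tag added in this hunk only ships the file in the SRPM; the %prep section is not part of the visible diff, so confirm that the spec applies it (either `%autosetup -p1` or an explicit `%patch2 -p1` line alongside the existing handling of Patch1), since without that the built binary does not change even though the changelog says the rule was backported.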
@ -129,6 +130,10 @@ rm -f %{buildroot}%{_libdir}/tracker-miners-2.0/*.so
%changelog %changelog
* Wed Nov 20 2024 Carlos Garnacho <cgarnach@redhat.com> - 2.1.5-3
- Backport seccomp rules
Resolves: RHEL-33587
* Tue Dec 05 2023 Carlos Garnacho <cgarnach@redhat.com> - 2.1.5-2 * Tue Dec 05 2023 Carlos Garnacho <cgarnach@redhat.com> - 2.1.5-2
- Backport stricter seccomp jail - Backport stricter seccomp jail
Resolves: RHEL-12466 Resolves: RHEL-12466