Backport seccomp rules from recent releases

Resolves: rhbz#2130143
This commit is contained in:
Carlos Garnacho 2022-11-01 17:05:16 +01:00
parent 0a49152f9f
commit 486307ddd3
2 changed files with 81 additions and 1 deletions


@ -0,0 +1,74 @@
From 18becd68b4f5b6ebb4024dcfaac1231647778f4b Mon Sep 17 00:00:00 2001
From: Carlos Garnacho <carlosg@gnome.org>
Date: Tue, 1 Nov 2022 17:10:42 +0100
Subject: [PATCH] libtracker-common: Backport seccomp additions from 3.4.x
---
src/libtracker-miners-common/tracker-seccomp.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/src/libtracker-miners-common/tracker-seccomp.c b/src/libtracker-miners-common/tracker-seccomp.c
index f8be94924..6b1c35450 100644
--- a/src/libtracker-miners-common/tracker-seccomp.c
+++ b/src/libtracker-miners-common/tracker-seccomp.c
@@ -102,12 +102,15 @@ tracker_seccomp_init (void)
/* Memory management */
ALLOW_RULE (brk);
+ ALLOW_RULE (get_mempolicy);
+ ALLOW_RULE (set_mempolicy);
ALLOW_RULE (mmap);
ALLOW_RULE (mmap2);
ALLOW_RULE (munmap);
ALLOW_RULE (mremap);
ALLOW_RULE (mprotect);
ALLOW_RULE (madvise);
+ ALLOW_RULE (mbind);
ERROR_RULE (mlock, EPERM);
ERROR_RULE (mlock2, EPERM);
ERROR_RULE (munlock, EPERM);
@@ -116,6 +119,7 @@ tracker_seccomp_init (void)
/* Process management */
ALLOW_RULE (exit_group);
ALLOW_RULE (getuid);
+ ALLOW_RULE (getgid);
ALLOW_RULE (getuid32);
ALLOW_RULE (getegid);
ALLOW_RULE (getegid32);
@@ -140,19 +144,25 @@ tracker_seccomp_init (void)
ALLOW_RULE (lstat64);
ALLOW_RULE (statx);
ALLOW_RULE (access);
+ ALLOW_RULE (faccessat);
+ ALLOW_RULE (faccessat2);
ALLOW_RULE (getdents);
ALLOW_RULE (getdents64);
+ ALLOW_RULE (getcwd);
ALLOW_RULE (readlink);
ALLOW_RULE (readlinkat);
ALLOW_RULE (utime);
ALLOW_RULE (time);
ALLOW_RULE (fsync);
ALLOW_RULE (umask);
+ ERROR_RULE (fchown, EPERM);
/* Processes and threads */
ALLOW_RULE (clone);
+ ALLOW_RULE (clone3);
ALLOW_RULE (futex);
ALLOW_RULE (futex_time64);
ALLOW_RULE (set_robust_list);
+ ALLOW_RULE (rseq);
ALLOW_RULE (rt_sigaction);
ALLOW_RULE (rt_sigprocmask);
ALLOW_RULE (sched_yield);
@@ -175,6 +185,7 @@ tracker_seccomp_init (void)
ALLOW_RULE (pipe);
ALLOW_RULE (pipe2);
ALLOW_RULE (epoll_create);
+ ALLOW_RULE (epoll_create1);
ALLOW_RULE (epoll_ctl);
/* System */
ALLOW_RULE (uname);
--
2.38.1
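Review bot: `ALLOW_RULE (getgid);` in the second hunk is added without its 32-bit counterpart, while the neighbouring entries come in pairs (`getuid`/`getuid32`, `getegid`/`getegid32`); on i386 and 32-bit arm glibc issues getgid32 for getgid(), so unless that syscall is already allowed elsewhere in tracker_seccomp_init the backport still leaves the gid lookup trapping on those arches. Adding `ALLOW_RULE (getgid32);` next to it would follow the file's existing convention. The remaining additions (faccessat/faccessat2, getcwd, clone3, rseq, epoll_create1, the NUMA policy calls, and fchown returning EPERM) are plain allow/deny entries consistent with the surrounding list, and allowing clone3 unconditionally mirrors the existing unconditional clone rule rather than widening it. tracker_seccomp_init starts and ends outside the visible hunks, so a getgid32 entry further down cannot be ruled out from here.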


@ -20,7 +20,7 @@
Name: tracker-miners
Version: 3.1.2
Release: 1%{?dist}
Release: 2%{?dist}
Summary: Tracker miners and metadata extractors
# libtracker-extract and libtracker-miner libraries are LGPLv2+; the miners are a mix of GPLv2+ and LGPLv2+ code
@ -28,6 +28,8 @@ License: GPLv2+ and LGPLv2+
URL: https://gnome.pages.gitlab.gnome.org/tracker/
Source0: https://download.gnome.org/sources/tracker-miners/3.1/tracker-miners-%{tarball_version}.tar.xz
Patch1: 0001-libtracker-common-Backport-seccomp-additions-from-3..patch
BuildRequires: asciidoc
BuildRequires: gcc
BuildRequires: giflib-devel
@ -138,6 +140,10 @@ This package contains various miners and metadata extractors for tracker.
%changelog
* Tue Nov 01 2022 Carlos Garnacho <cgarnach@redhat.com> - 3.1.2-2
- Backport seccomp rules from recent releases
Resolves: rhbz#2130143
* Wed Aug 25 2021 Kalev Lember <klember@redhat.com> - 3.1.2-1
- Update to 3.1.2
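Review bot: Patch1 is declared next to Source0 but nothing in the visible hunks applies it; if %prep uses plain %setup rather than %autosetup -p1 (or lacks a `%patch1 -p1` line), the seccomp backport ships in the SRPM without ever being built in. The %prep section lies outside this file section, so this may already be handled. The name `0001-libtracker-common-Backport-seccomp-additions-from-3..patch` with its `3..patch` tail is what git format-patch produces from the subject's `3.4.x`; it works as long as the added file is committed under exactly that name, but renaming it to `…-from-3.4.x.patch` in both places would read less like a typo.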