From 18becd68b4f5b6ebb4024dcfaac1231647778f4b Mon Sep 17 00:00:00 2001 From: Carlos Garnacho Date: Tue, 1 Nov 2022 17:10:42 +0100 Subject: [PATCH] libtracker-common: Backport seccomp additions from 3.4.x --- src/libtracker-miners-common/tracker-seccomp.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/src/libtracker-miners-common/tracker-seccomp.c b/src/libtracker-miners-common/tracker-seccomp.c index f8be94924..6b1c35450 100644 --- a/src/libtracker-miners-common/tracker-seccomp.c +++ b/src/libtracker-miners-common/tracker-seccomp.c @@ -102,12 +102,15 @@ tracker_seccomp_init (void) /* Memory management */ ALLOW_RULE (brk); + ALLOW_RULE (get_mempolicy); + ALLOW_RULE (set_mempolicy); ALLOW_RULE (mmap); ALLOW_RULE (mmap2); ALLOW_RULE (munmap); ALLOW_RULE (mremap); ALLOW_RULE (mprotect); ALLOW_RULE (madvise); + ALLOW_RULE (mbind); ERROR_RULE (mlock, EPERM); ERROR_RULE (mlock2, EPERM); ERROR_RULE (munlock, EPERM); @@ -116,6 +119,7 @@ tracker_seccomp_init (void) /* Process management */ ALLOW_RULE (exit_group); ALLOW_RULE (getuid); + ALLOW_RULE (getgid); ALLOW_RULE (getuid32); ALLOW_RULE (getegid); ALLOW_RULE (getegid32); @@ -140,19 +144,25 @@ tracker_seccomp_init (void) ALLOW_RULE (lstat64); ALLOW_RULE (statx); ALLOW_RULE (access); + ALLOW_RULE (faccessat); + ALLOW_RULE (faccessat2); ALLOW_RULE (getdents); ALLOW_RULE (getdents64); + ALLOW_RULE (getcwd); ALLOW_RULE (readlink); ALLOW_RULE (readlinkat); ALLOW_RULE (utime); ALLOW_RULE (time); ALLOW_RULE (fsync); ALLOW_RULE (umask); + ERROR_RULE (fchown, EPERM); /* Processes and threads */ ALLOW_RULE (clone); + ALLOW_RULE (clone3); ALLOW_RULE (futex); ALLOW_RULE (futex_time64); ALLOW_RULE (set_robust_list); + ALLOW_RULE (rseq); ALLOW_RULE (rt_sigaction); ALLOW_RULE (rt_sigprocmask); ALLOW_RULE (sched_yield); @@ -175,6 +185,7 @@ tracker_seccomp_init (void) ALLOW_RULE (pipe); ALLOW_RULE (pipe2); ALLOW_RULE (epoll_create); + ALLOW_RULE (epoll_create1); ALLOW_RULE (epoll_ctl); /* System */ ALLOW_RULE (uname); -- 2.38.1