rpms/tracker-miners
5
0
Fork 0
Code Issues Pull Requests Releases Activity
c9s
tracker-miners/0001-libtracker-common-Backport-seccomp-additions-from-3..patch
Carlos Garnacho 486307ddd3 Backport seccomp rules from recent releases 
Resolves: rhbz#2130143
2022-11-04 00:17:56 +01:00

75 lines
2.1 KiB
Diff
Raw Permalink Blame History

From 18becd68b4f5b6ebb4024dcfaac1231647778f4b Mon Sep 17 00:00:00 2001
From: Carlos Garnacho <carlosg@gnome.org>
Date: Tue, 1 Nov 2022 17:10:42 +0100
Subject: [PATCH] libtracker-common: Backport seccomp additions from 3.4.x
---
src/libtracker-miners-common/tracker-seccomp.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/src/libtracker-miners-common/tracker-seccomp.c b/src/libtracker-miners-common/tracker-seccomp.c
index f8be94924..6b1c35450 100644
--- a/src/libtracker-miners-common/tracker-seccomp.c
+++ b/src/libtracker-miners-common/tracker-seccomp.c
@@ -102,12 +102,15 @@ tracker_seccomp_init (void)
/* Memory management */
ALLOW_RULE (brk);
+ ALLOW_RULE (get_mempolicy);
+ ALLOW_RULE (set_mempolicy);
ALLOW_RULE (mmap);
ALLOW_RULE (mmap2);
ALLOW_RULE (munmap);
ALLOW_RULE (mremap);
ALLOW_RULE (mprotect);
ALLOW_RULE (madvise);
+ ALLOW_RULE (mbind);
ERROR_RULE (mlock, EPERM);
ERROR_RULE (mlock2, EPERM);
ERROR_RULE (munlock, EPERM);
@@ -116,6 +119,7 @@ tracker_seccomp_init (void)
/* Process management */
ALLOW_RULE (exit_group);
ALLOW_RULE (getuid);
+ ALLOW_RULE (getgid);
ALLOW_RULE (getuid32);
ALLOW_RULE (getegid);
ALLOW_RULE (getegid32);
@@ -140,19 +144,25 @@ tracker_seccomp_init (void)
ALLOW_RULE (lstat64);
ALLOW_RULE (statx);
ALLOW_RULE (access);
+ ALLOW_RULE (faccessat);
+ ALLOW_RULE (faccessat2);
ALLOW_RULE (getdents);
ALLOW_RULE (getdents64);
+ ALLOW_RULE (getcwd);
ALLOW_RULE (readlink);
ALLOW_RULE (readlinkat);
ALLOW_RULE (utime);
ALLOW_RULE (time);
ALLOW_RULE (fsync);
ALLOW_RULE (umask);
+ ERROR_RULE (fchown, EPERM);
/* Processes and threads */
ALLOW_RULE (clone);
+ ALLOW_RULE (clone3);
ALLOW_RULE (futex);
ALLOW_RULE (futex_time64);
ALLOW_RULE (set_robust_list);
+ ALLOW_RULE (rseq);
ALLOW_RULE (rt_sigaction);
ALLOW_RULE (rt_sigprocmask);
ALLOW_RULE (sched_yield);
@@ -175,6 +185,7 @@ tracker_seccomp_init (void)
ALLOW_RULE (pipe);
ALLOW_RULE (pipe2);
ALLOW_RULE (epoll_create);
+ ALLOW_RULE (epoll_create1);
ALLOW_RULE (epoll_ctl);
/* System */
ALLOW_RULE (uname);
--
2.38.1
Reference in New Issue View Git Blame Copy Permalink