From cdf284962357abf5521670470e3239e92c4e4a31 Mon Sep 17 00:00:00 2001
|
|
From: Carlos Garnacho <carlosg@gnome.org>
|
|
Date: Tue, 4 Oct 2022 17:38:28 +0200
|
|
Subject: [PATCH] seccomp: Disallow fchown
|
|
|
|
This is needed by SQLite in some circumstances, but these mostly
|
|
apply to databases being opened with other users. This is something
|
|
that happens on CI, but is not expected to happen in real circumstances.
|
|
|
|
Anyhow, SQLite does not check for fchown return value, so just error
|
|
out softly if that happens.
|
|
---
|
|
src/libtracker-miners-common/tracker-seccomp.c | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/src/libtracker-miners-common/tracker-seccomp.c b/src/libtracker-miners-common/tracker-seccomp.c
|
|
index 2f9cb8176..3102d0997 100644
|
|
--- a/src/libtracker-miners-common/tracker-seccomp.c
|
|
+++ b/src/libtracker-miners-common/tracker-seccomp.c
|
|
@@ -155,6 +155,7 @@ tracker_seccomp_init (void)
|
|
ALLOW_RULE (time);
|
|
ALLOW_RULE (fsync);
|
|
ALLOW_RULE (umask);
|
|
+ ERROR_RULE (fchown, EPERM);
|
|
/* Processes and threads */
|
|
ALLOW_RULE (clone);
|
|
ALLOW_RULE (clone3);
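Review bot: The new `ERROR_RULE (fchown, EPERM);` covers only the `fchown` syscall number, while the libc `fchown()` wrapper can reach the kernel through a sibling entry on some targets (e.g. `fchown32` on 32-bit x86, or `fchownat` where a legacy wrapper is emulated), so the soft-failure intent of this commit would not hold there and the call would fall through to the filter's default action, which is not visible in this hunk. Consider pairing the rule with `ERROR_RULE (fchownat, EPERM);` (and `fchown32` where libseccomp resolves it for the build architecture), and documenting the motivation directly above the line, e.g. `/* SQLite may fchown() a database file and ignores the result; fail softly with EPERM rather than trap. */`, since the reasoning otherwise lives only in the commit message. EPERM is a sensible choice here because it is what an unprivileged chown of a foreign file would return anyway, so SQLite sees a familiar error. tracker_seccomp_init begins before and continues past this hunk.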
|
|
--
|
|
2.47.0
|
|
|