[tracker-miners/wip/carlosg/cue-file-lookups] seccomp: Disallow fchown

From: Carlos Garnacho <carlosg src gnome org>
To: commits-list gnome org
Cc:
Subject: [tracker-miners/wip/carlosg/cue-file-lookups] seccomp: Disallow fchown
Date: Tue, 4 Oct 2022 15:40:18 +0000 (UTC)

commit cdf284962357abf5521670470e3239e92c4e4a31
Author: Carlos Garnacho <carlosg gnome org>
Date:   Tue Oct 4 17:38:28 2022 +0200

    seccomp: Disallow fchown
    
    This is needed by SQLite on some circumstances, but these mostly
    apply to databases being opened with other users. This is something
    that happens on CI, but is not expected to happen in real circumstances.
    
    Anyhow, SQLite does not check for fchown return value, so just error
    out softly if that happens.

 src/libtracker-miners-common/tracker-seccomp.c | 1 +
 1 file changed, 1 insertion(+)
---
diff --git a/src/libtracker-miners-common/tracker-seccomp.c b/src/libtracker-miners-common/tracker-seccomp.c
index 2f9cb8176..3102d0997 100644
--- a/src/libtracker-miners-common/tracker-seccomp.c
+++ b/src/libtracker-miners-common/tracker-seccomp.c
@@ -155,6 +155,7 @@ tracker_seccomp_init (void)
        ALLOW_RULE (time);
        ALLOW_RULE (fsync);
        ALLOW_RULE (umask);
+       ERROR_RULE (fchown, EPERM);
        /* Processes and threads */
        ALLOW_RULE (clone);
        ALLOW_RULE (clone3);

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]