[tracker] libtracker-common: Handle mlock*/munlock* syscalls

[Carlos Garnacho <carlosg src gnome org>]

commit c9acfe0e3a3ee5b809860845b856a876c7d42eb0
Author: Carlos Garnacho <carlosg gnome org>
Date:   Wed Dec 21 17:02:51 2016 +0100

    libtracker-common: Handle mlock*/munlock* syscalls
    
    Disallow pinning memory on RAM, but make it softly fail with EPERM.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=776117

 src/libtracker-common/tracker-seccomp.c |    7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)
---
diff --git a/src/libtracker-common/tracker-seccomp.c b/src/libtracker-common/tracker-seccomp.c
index 2d4cfcd..3054e73 100644
--- a/src/libtracker-common/tracker-seccomp.c
+++ b/src/libtracker-common/tracker-seccomp.c
@@ -40,6 +40,8 @@
 
 #define ALLOW_RULE(call) G_STMT_START { if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(call), 0) < 0) 
goto out; } G_STMT_END
 
+#define ERROR_RULE(call, error) G_STMT_START { if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (error), 
SCMP_SYS(call), 0) < 0) goto out; } G_STMT_END
+
 gboolean
 tracker_seccomp_init (void)
 {
@@ -57,6 +59,11 @@ tracker_seccomp_init (void)
        ALLOW_RULE (mremap);
        ALLOW_RULE (mprotect);
        ALLOW_RULE (madvise);
+       ERROR_RULE (mlock, EPERM);
+       ERROR_RULE (mlock2, EPERM);
+       ERROR_RULE (munlock, EPERM);
+       ERROR_RULE (mlockall, EPERM);
+       ERROR_RULE (munlockall, EPERM);
        /* Process management */
        ALLOW_RULE (exit_group);
        ALLOW_RULE (getuid);