[tracker/tracker-1.10] tracker-seccomp: Check syscall availability at runtime not compile time



commit f0d93fbcfb24aeaad80bd7e569d179ef1ac3d864
Author: Philip Withnall <withnall endlessm com>
Date:   Mon Jan 23 13:30:03 2017 +0000

    tracker-seccomp: Check syscall availability at runtime not compile time
    
    This makes our seccomp() protection independent of the exact kernel
    version Tracker is built against.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=777591

 src/libtracker-common/tracker-seccomp.c |   12 ++++++------
 1 files changed, 6 insertions(+), 6 deletions(-)
---
diff --git a/src/libtracker-common/tracker-seccomp.c b/src/libtracker-common/tracker-seccomp.c
index ea18085..9ab4fb4 100644
--- a/src/libtracker-common/tracker-seccomp.c
+++ b/src/libtracker-common/tracker-seccomp.c
@@ -39,12 +39,16 @@
 #include <seccomp.h>
 
 #define ALLOW_RULE(call) G_STMT_START { \
-       if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(call), 0) < 0) \
+       int allow_rule_syscall_number = seccomp_syscall_resolve_name (G_STRINGIFY (call)); \
+       if (allow_rule_syscall_number == __NR_SCMP_ERROR || \
+           seccomp_rule_add (ctx, SCMP_ACT_ALLOW, allow_rule_syscall_number, 0) < 0) \
                goto out; \
 } G_STMT_END
 
 #define ERROR_RULE(call, error) G_STMT_START { \
-       if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (error), SCMP_SYS(call), 0) < 0) \
+       int error_rule_syscall_number = seccomp_syscall_resolve_name (G_STRINGIFY (call)); \
+       if (error_rule_syscall_number == __NR_SCMP_ERROR || \
+           seccomp_rule_add (ctx, SCMP_ACT_ERRNO (error), error_rule_syscall_number, 0) < 0) \
                goto out; \
 } G_STMT_END
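Review bot: The new ALLOW_RULE and ERROR_RULE macros treat a name that the running libseccomp cannot resolve (`seccomp_syscall_resolve_name` returning `__NR_SCMP_ERROR`) exactly like a failed `seccomp_rule_add`, so one unrecognised syscall aborts the whole of tracker_seccomp_init via `goto out`; the dropped `#ifdef __NR_mlock2` and `#ifdef __NR_getrandom` guards in the two later hunks therefore replace a kernel-header dependency with a libseccomp-version dependency rather than removing the dependency, which the commit message does not say. What an aborted init means for the process depends on what `out:` does, which lies outside this hunk. Note also that `seccomp_syscall_resolve_name` can, as far as I recall from the libseccomp documentation, return negative pseudo-syscall numbers for calls that are not native to the architecture; those pass the `__NR_SCMP_ERROR` check and are left to `seccomp_rule_add` to reject or translate, so the error handling does rely on that call's return value as well. I would record this contract above ALLOW_RULE: `/* Syscalls are resolved by name at runtime so the filter does not depend on the kernel headers used at build time; a name unknown to the libseccomp in use still fails the whole init (goto out). */`.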
 
@@ -66,9 +70,7 @@ tracker_seccomp_init (void)
        ALLOW_RULE (mprotect);
        ALLOW_RULE (madvise);
        ERROR_RULE (mlock, EPERM);
-#ifdef __NR_mlock2
        ERROR_RULE (mlock2, EPERM);
-#endif
        ERROR_RULE (munlock, EPERM);
        ERROR_RULE (mlockall, EPERM);
        ERROR_RULE (munlockall, EPERM);
@@ -127,9 +129,7 @@ tracker_seccomp_init (void)
        ALLOW_RULE (uname);
        ALLOW_RULE (sysinfo);
        ALLOW_RULE (prctl);
-#ifdef __NR_getrandom
        ALLOW_RULE (getrandom);
-#endif
        ALLOW_RULE (clock_gettime);
        ALLOW_RULE (clock_getres);
        ALLOW_RULE (gettimeofday);

