[tracker] libtracker-common: Be more lenient with dup2/dup3



commit 55ddbde2905af2cc0aa3712b197f8d1c5ef9b575
Author: Carlos Garnacho <carlosg gnome org>
Date:   Thu Feb 23 11:08:51 2017 +0100

    libtracker-common: Be more lenient with dup2/dup3
    
    And allow these to manipulate stdin/out/err. They may close file
    descriptors, but they do not grant access to anything the process
    did not already have access to.

 src/libtracker-common/tracker-seccomp.c |   10 ++--------
 1 files changed, 2 insertions(+), 8 deletions(-)
---
diff --git a/src/libtracker-common/tracker-seccomp.c b/src/libtracker-common/tracker-seccomp.c
index 9ab4fb4..1af380c 100644
--- a/src/libtracker-common/tracker-seccomp.c
+++ b/src/libtracker-common/tracker-seccomp.c
@@ -143,6 +143,8 @@ tracker_seccomp_init (void)
        ALLOW_RULE (write);
        ALLOW_RULE (writev);
        ALLOW_RULE (dup);
+       ALLOW_RULE (dup2);
+       ALLOW_RULE (dup3);
        /* Needed by some GStreamer modules doing crazy stuff, less
         * scary thanks to the restriction below about sockets being
         * local.
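Review bot: The two new `ALLOW_RULE (dup2);` / `ALLOW_RULE (dup3);` lines carry no comment, while the only rationale that existed for these syscalls ("no fiddling with stdin/out/err", on the rule this commit deletes) disappears with it, so a later reader sees dup2/dup3 listed next to dup with no hint that their target descriptor was once deliberately restricted. The justification from the commit message — they can only alias descriptors the process already holds, so retargeting 0–2 grants nothing new — belongs in the source next to the rules, e.g. `/* dup2/dup3 may retarget stdin/out/err, but only onto fds the process already holds: no new access is granted. */`. If a specific consumer needed the relaxation (the commit message does not say which), naming it in that comment would let a future audit judge whether the restriction can be reinstated. ALLOW_RULE is a macro defined outside this hunk, and tracker_seccomp_init continues beyond it.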
@@ -193,14 +195,6 @@ tracker_seccomp_init (void)
                              SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) < 0)
                goto out;
 
-       /* Special requirements for dup2/dup3, no fiddling with stdin/out/err */
-       if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(dup2), 1,
-                             SCMP_CMP(1, SCMP_CMP_GT, 2)) < 0)
-               goto out;
-       if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(dup3), 1,
-                             SCMP_CMP(1, SCMP_CMP_GT, 2)) < 0)
-               goto out;
-
        g_debug ("Loading seccomp rules.");
 
        if (seccomp_load (ctx) >= 0)

