[tracker] libtracker-common: Whitelist openat()
- From: Carlos Garnacho <carlosg src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [tracker] libtracker-common: Whitelist openat()
- Date: Thu, 11 May 2017 13:13:02 +0000 (UTC)
commit 20c715e249f6ea9a36ab09bbcda0c695c3062b79
Author: Carlos Garnacho <carlosg gnome org>
Date: Tue May 9 14:55:26 2017 +0200
libtracker-common: Whitelist openat()
With the same caveats as open().
https://bugzilla.gnome.org/show_bug.cgi?id=782514
src/libtracker-common/tracker-seccomp.c | 14 ++++++++++++--
1 files changed, 12 insertions(+), 2 deletions(-)
---
diff --git a/src/libtracker-common/tracker-seccomp.c b/src/libtracker-common/tracker-seccomp.c
index 1af380c..ec873f5 100644
--- a/src/libtracker-common/tracker-seccomp.c
+++ b/src/libtracker-common/tracker-seccomp.c
@@ -182,8 +182,8 @@ tracker_seccomp_init (void)
SCMP_CMP(0, SCMP_CMP_EQ, 2)) < 0)
goto out;
- /* Special requirements for open, allow O_RDONLY calls, but fail
- * if write permissions are requested.
+ /* Special requirements for open/openat, allow O_RDONLY calls,
+ * but fail if write permissions are requested.
*/
if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(open), 1,
SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) < 0)
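Review bot: The rewritten comment still describes the allow rule as letting "O_RDONLY calls" through, but the rule it documents (`SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)`) only checks that neither write bit is set, so flags such as O_CREAT or O_TRUNC combined with O_RDONLY pass the filter and can still create or, on Linux, truncate a file. If that is an accepted limitation, the comment should state it instead of implying the filter is read-only, e.g. `/* Only the access-mode bits are checked: O_CREAT/O_TRUNC with O_RDONLY still pass. */`. If it is not accepted, the mask could be widened to `O_WRONLY | O_RDWR | O_CREAT | O_TRUNC` (and mirrored in the openat rules), but that would need checking against callers that legitimately pass those flags. The body of tracker_seccomp_init starts before and continues after this hunk.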
@@ -195,6 +195,16 @@ tracker_seccomp_init (void)
SCMP_CMP(1, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) < 0)
goto out;
+ if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(openat), 1,
+ SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_WRONLY | O_RDWR, 0)) < 0)
+ goto out;
+ if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(openat), 1,
+ SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_WRONLY, O_WRONLY)) < 0)
+ goto out;
+ if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(openat), 1,
+ SCMP_CMP(2, SCMP_CMP_MASKED_EQ, O_RDWR, O_RDWR)) < 0)
+ goto out;
+
g_debug ("Loading seccomp rules.");
if (seccomp_load (ctx) >= 0)