diff options
author | Carlos Garnacho <carlosg@gnome.org> | 2016-12-21 17:02:51 +0100 |
---|---|---|
committer | Carlos Garnacho <carlosg@gnome.org> | 2017-01-19 11:34:54 +0100 |
commit | 6436936eba67b999ece0af063f62c539f6383f80 (patch) | |
tree | 1a1d311f9cb3be80041180d692996b21538515ac | |
parent | 38e6ef17a537f3a9b24997b8f2fc8315f625528a (diff) | |
download | tracker-6436936eba67b999ece0af063f62c539f6383f80.tar.gz |
libtracker-common: Handle mlock*/munlock* syscalls
Disallow pinning memory on RAM, but make it softly fail with EPERM.
https://bugzilla.gnome.org/show_bug.cgi?id=776117
-rw-r--r-- | src/libtracker-common/tracker-seccomp.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/src/libtracker-common/tracker-seccomp.c b/src/libtracker-common/tracker-seccomp.c index 9906a6a54..37316c199 100644 --- a/src/libtracker-common/tracker-seccomp.c +++ b/src/libtracker-common/tracker-seccomp.c @@ -40,6 +40,8 @@ #define ALLOW_RULE(call) G_STMT_START { if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(call), 0) < 0) goto out; } G_STMT_END +#define ERROR_RULE(call, error) G_STMT_START { if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (error), SCMP_SYS(call), 0) < 0) goto out; } G_STMT_END + gboolean tracker_seccomp_init (void) { @@ -57,6 +59,11 @@ tracker_seccomp_init (void) ALLOW_RULE (mremap); ALLOW_RULE (mprotect); ALLOW_RULE (madvise); + ERROR_RULE (mlock, EPERM); + ERROR_RULE (mlock2, EPERM); + ERROR_RULE (munlock, EPERM); + ERROR_RULE (mlockall, EPERM); + ERROR_RULE (munlockall, EPERM); /* Process management */ ALLOW_RULE (exit_group); ALLOW_RULE (getuid); |