libtracker-common: Handle mlock*/munlock* syscalls

Disallow pinning memory on RAM, but make it softly fail with EPERM. https://bugzilla.gnome.org/show_bug.cgi?id=776117
author: Carlos Garnacho <carlosg@gnome.org> 2016-12-21 17:02:51 +0100
committer: Carlos Garnacho <carlosg@gnome.org> 2017-01-19 11:34:54 +0100
commit: 6436936eba67b999ece0af063f62c539f6383f80 (patch)
tree: 1a1d311f9cb3be80041180d692996b21538515ac
parent: 38e6ef17a537f3a9b24997b8f2fc8315f625528a (diff)
download: tracker-6436936eba67b999ece0af063f62c539f6383f80.tar.gz
1 files changed, 7 insertions, 0 deletions
diff --git a/src/libtracker-common/tracker-seccomp.c b/src/libtracker-common/tracker-seccomp.c
index 9906a6a54..37316c199 100644
--- a/src/libtracker-common/tracker-seccomp.c
+++ b/src/libtracker-common/tracker-seccomp.c
@@ -40,6 +40,8 @@
 
 #define ALLOW_RULE(call) G_STMT_START { if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(call), 0) < 0) goto out; } G_STMT_END
 
+#define ERROR_RULE(call, error) G_STMT_START { if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (error), SCMP_SYS(call), 0) < 0) goto out; } G_STMT_END
+
 gboolean
 tracker_seccomp_init (void)
 {
@@ -57,6 +59,11 @@ tracker_seccomp_init (void)
 	ALLOW_RULE (mremap);
 	ALLOW_RULE (mprotect);
 	ALLOW_RULE (madvise);
+	ERROR_RULE (mlock, EPERM);
+	ERROR_RULE (mlock2, EPERM);
+	ERROR_RULE (munlock, EPERM);
+	ERROR_RULE (mlockall, EPERM);
+	ERROR_RULE (munlockall, EPERM);
 	/* Process management */
 	ALLOW_RULE (exit_group);
 	ALLOW_RULE (getuid);
author	Carlos Garnacho <carlosg@gnome.org>	2016-12-21 17:02:51 +0100
committer	Carlos Garnacho <carlosg@gnome.org>	2017-01-19 11:34:54 +0100
commit	6436936eba67b999ece0af063f62c539f6383f80 (patch)
tree	1a1d311f9cb3be80041180d692996b21538515ac
parent	38e6ef17a537f3a9b24997b8f2fc8315f625528a (diff)
download	tracker-6436936eba67b999ece0af063f62c539f6383f80.tar.gz