From 6436936eba67b999ece0af063f62c539f6383f80 Mon Sep 17 00:00:00 2001
From: Carlos Garnacho <carlosg@gnome.org>
Date: Wed, 21 Dec 2016 17:02:51 +0100
Subject: libtracker-common: Handle mlock*/munlock* syscalls

Disallow pinning memory on RAM, but make it softly fail with EPERM.

https://bugzilla.gnome.org/show_bug.cgi?id=776117
---
 src/libtracker-common/tracker-seccomp.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/libtracker-common/tracker-seccomp.c b/src/libtracker-common/tracker-seccomp.c
index 9906a6a54..37316c199 100644
--- a/src/libtracker-common/tracker-seccomp.c
+++ b/src/libtracker-common/tracker-seccomp.c
@@ -40,6 +40,8 @@
 
 #define ALLOW_RULE(call) G_STMT_START { if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(call), 0) < 0) goto out; } G_STMT_END
 
+#define ERROR_RULE(call, error) G_STMT_START { if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (error), SCMP_SYS(call), 0) < 0) goto out; } G_STMT_END
+
 gboolean
 tracker_seccomp_init (void)
 {
@@ -57,6 +59,11 @@ tracker_seccomp_init (void)
 	ALLOW_RULE (mremap);
 	ALLOW_RULE (mprotect);
 	ALLOW_RULE (madvise);
+	ERROR_RULE (mlock, EPERM);
+	ERROR_RULE (mlock2, EPERM);
+	ERROR_RULE (munlock, EPERM);
+	ERROR_RULE (mlockall, EPERM);
+	ERROR_RULE (munlockall, EPERM);
 	/* Process management */
 	ALLOW_RULE (exit_group);
 	ALLOW_RULE (getuid);
-- 
cgit v1.2.1