diff options
author | Philip Withnall <withnall@endlessm.com> | 2017-01-23 13:30:03 +0000 |
---|---|---|
committer | Philip Withnall <withnall@endlessm.com> | 2017-01-23 13:30:58 +0000 |
commit | 0eb74c11554bc44e75cf31788bbef804941f17d3 (patch) | |
tree | 3accff660d8ef4c15638c8708244f25c09043f9c | |
parent | bb65466fedd39b4c34deed6d0b92955f8281523d (diff) | |
download | tracker-0eb74c11554bc44e75cf31788bbef804941f17d3.tar.gz |
tracker-seccomp: Check syscall availability at runtime not compile time
This makes our seccomp() protection independent of the exact kernel
version Tracker is built against.
https://bugzilla.gnome.org/show_bug.cgi?id=777591
-rw-r--r-- | src/libtracker-common/tracker-seccomp.c | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/src/libtracker-common/tracker-seccomp.c b/src/libtracker-common/tracker-seccomp.c index ea1808595..9ab4fb4d3 100644 --- a/src/libtracker-common/tracker-seccomp.c +++ b/src/libtracker-common/tracker-seccomp.c @@ -39,12 +39,16 @@ #include <seccomp.h> #define ALLOW_RULE(call) G_STMT_START { \ - if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(call), 0) < 0) \ + int allow_rule_syscall_number = seccomp_syscall_resolve_name (G_STRINGIFY (call)); \ + if (allow_rule_syscall_number == __NR_SCMP_ERROR || \ + seccomp_rule_add (ctx, SCMP_ACT_ALLOW, allow_rule_syscall_number, 0) < 0) \ goto out; \ } G_STMT_END #define ERROR_RULE(call, error) G_STMT_START { \ - if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (error), SCMP_SYS(call), 0) < 0) \ + int error_rule_syscall_number = seccomp_syscall_resolve_name (G_STRINGIFY (call)); \ + if (error_rule_syscall_number == __NR_SCMP_ERROR || \ + seccomp_rule_add (ctx, SCMP_ACT_ERRNO (error), error_rule_syscall_number, 0) < 0) \ goto out; \ } G_STMT_END @@ -66,9 +70,7 @@ tracker_seccomp_init (void) ALLOW_RULE (mprotect); ALLOW_RULE (madvise); ERROR_RULE (mlock, EPERM); -#ifdef __NR_mlock2 ERROR_RULE (mlock2, EPERM); -#endif ERROR_RULE (munlock, EPERM); ERROR_RULE (mlockall, EPERM); ERROR_RULE (munlockall, EPERM); @@ -127,9 +129,7 @@ tracker_seccomp_init (void) ALLOW_RULE (uname); ALLOW_RULE (sysinfo); ALLOW_RULE (prctl); -#ifdef __NR_getrandom ALLOW_RULE (getrandom); -#endif ALLOW_RULE (clock_gettime); ALLOW_RULE (clock_getres); ALLOW_RULE (gettimeofday); |