Use seccomp to limit allowed syscalls

We disallow any network family but inet, inet6, unix and netlink as the rest are generally weird old unused things. We also have a blacklist of syscalls, some are just old unnecessary things, some are things that are "risky", like NUMA/VM control, and setting up custom sub-namespaces.
author: Alexander Larsson <alexl@redhat.com> 2015-06-02 11:14:27 +0200
committer: Alexander Larsson <alexl@redhat.com> 2015-06-02 11:14:27 +0200
commit: b1aa93a9d465b1f9a5fecfcec3f2d7dc0919f775 (patch)
tree: 948b7b1770d44c6b5f5d4d5c5b07344a2ab52a94 /Makefile.am
parent: 811c512e5694ae583a3fbe483b497155bf766d62 (diff)
download: xdg-app-b1aa93a9d465b1f9a5fecfcec3f2d7dc0919f775.tar.gz
1 files changed, 2 insertions, 1 deletions
diff --git a/Makefile.am b/Makefile.am
index f593dd5..7e18e04 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -40,7 +40,8 @@ include libglnx/Makefile-libglnx.am.inc
 noinst_LTLIBRARIES = libglnx.la
 
 xdg_app_helper_SOURCES = xdg-app-helper.c
-xdg_app_helper_LDADD = -L/gnome/lib -lglib-2.0
+xdg_app_helper_LDADD = $(LIBSECCOMP_LIBS)
+xdg_app_helper_CFLAGS = $(LIBSECCOMP_CFLAGS)
 
 dbus_built_sources = xdg-app-dbus.c xdg-app-dbus.h
 systemd_dbus_built_sources = xdg-app-systemd-dbus.c xdg-app-systemd-dbus.h
author	Alexander Larsson <alexl@redhat.com>	2015-06-02 11:14:27 +0200
committer	Alexander Larsson <alexl@redhat.com>	2015-06-02 11:14:27 +0200
commit	b1aa93a9d465b1f9a5fecfcec3f2d7dc0919f775 (patch)
tree	948b7b1770d44c6b5f5d4d5c5b07344a2ab52a94 /Makefile.am
parent	811c512e5694ae583a3fbe483b497155bf766d62 (diff)
download	xdg-app-b1aa93a9d465b1f9a5fecfcec3f2d7dc0919f775.tar.gz