From b1aa93a9d465b1f9a5fecfcec3f2d7dc0919f775 Mon Sep 17 00:00:00 2001
From: Alexander Larsson <alexl@redhat.com>
Date: Tue, 2 Jun 2015 11:14:27 +0200
Subject: Use seccomp to limit allowed syscalls

We disallow any network family but inet, inet6, unix and netlink
as the rest are generally weird old unused things.

We also have a blacklist of syscalls, some are just old unnecessary
things, some are things that are "risky", like NUMA/VM control, and
setting up custom sub-namespaces.
---
 Makefile.am | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

(limited to 'Makefile.am')

diff --git a/Makefile.am b/Makefile.am
index f593dd5..7e18e04 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -40,7 +40,8 @@ include libglnx/Makefile-libglnx.am.inc
 noinst_LTLIBRARIES = libglnx.la
 
 xdg_app_helper_SOURCES = xdg-app-helper.c
-xdg_app_helper_LDADD = -L/gnome/lib -lglib-2.0
+xdg_app_helper_LDADD = $(LIBSECCOMP_LIBS)
+xdg_app_helper_CFLAGS = $(LIBSECCOMP_CFLAGS)
 
 dbus_built_sources = xdg-app-dbus.c xdg-app-dbus.h
 systemd_dbus_built_sources = xdg-app-systemd-dbus.c xdg-app-systemd-dbus.h
-- 
cgit v1.2.1