From 8523cc78c18d13f1b2f278ac86a5031b95bc739e Mon Sep 17 00:00:00 2001
From: technology208
Date: Mon, 20 May 2024 16:32:52 +0800
Subject: [PATCH] CreatePatch
---
 .../tracker-seccomp.c | 23 +++++++++++++++++++
 src/tracker-extract/tracker-extract.c | 5 ----
 src/tracker-extract/tracker-main.c | 19 +++++++++++----
 3 files changed, 38 insertions(+), 9 deletions(-)
diff --git a/src/libtracker-miners-common/tracker-seccomp.c b/src/libtracker-miners-common/tracker-seccomp.c
index 01887e8..a2b7ed9 100644
--- a/src/libtracker-miners-common/tracker-seccomp.c
+++ b/src/libtracker-miners-common/tracker-seccomp.c
@@ -100,6 +100,7 @@ tracker_seccomp_init (void)
 ALLOW_RULE (lstat);
 ALLOW_RULE (lstat64);
 ALLOW_RULE (statx);
+ ALLOW_RULE (fstatfs);
 ALLOW_RULE (access);
 ALLOW_RULE (getdents);
 ALLOW_RULE (getdents64);
@@ -168,6 +169,23 @@ tracker_seccomp_init (void)
 ALLOW_RULE (getpeername);
 ALLOW_RULE (shutdown);
+ ERROR_RULE (inotify_init1, EINVAL);
+ ERROR_RULE (inotify_init, EINVAL);
+
+ ERROR_RULE (mkdir, EPERM);
+ ERROR_RULE (rename, EPERM);
+ ERROR_RULE (unlink, EPERM);
+ ERROR_RULE (ioctl, EBADF);
+ ERROR_RULE (bind, EACCES);
+ ERROR_RULE (setsockopt, EBADF);
+ ERROR_RULE (sched_getattr, EPERM);
+
+ /* Allow prlimit64, only if no new limits are being set */
+ if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(prlimit64), 1,
+ SCMP_CMP(2, SCMP_CMP_EQ, 0)) < 0)
+ goto out;
+
+
 /* Special requirements for socket/socketpair, only on AF_UNIX/AF_LOCAL */
 if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 1,
 SCMP_CMP(0, SCMP_CMP_EQ, AF_UNIX)) < 0)
@@ -175,6 +193,11 @@ tracker_seccomp_init (void)
 if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 1,
 SCMP_CMP(0, SCMP_CMP_EQ, AF_LOCAL)) < 0)
 goto out;
+
+ if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(socket), 1,
+ SCMP_CMP(0, SCMP_CMP_EQ, AF_NETLINK)) < 0)
+ goto out;
+
 if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair), 1,
 SCMP_CMP(0, SCMP_CMP_EQ, AF_UNIX)) < 0)
 goto out;
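Review bot: The `ERROR_RULE` entries for `mkdir`, `rename` and `unlink` in the `@@ -168,6 +169,23 @@` hunk name only the legacy syscalls, so `mkdirat`, `renameat`/`renameat2` and `unlinkat` are still governed by whatever rules or default action sit outside this hunk. If the intent is that write attempts fail with an errno, confirm the `*at` variants are handled elsewhere in `tracker_seccomp_init` or add them alongside, e.g. `ERROR_RULE (unlinkat, EPERM);`. Each of these rules also replaces the filter's default action with a quiet errno, which removes a signal that the sandboxed code tried something it should not, so the block deserves a reason, e.g. `/* Denied with an errno instead of the default action; issued by <caller that needs the soft failure> */`. The same gap applies to the `AF_NETLINK` rule added in the `@@ -175,6 +193,11 @@` hunk, which sits under the existing "only on AF_UNIX/AF_LOCAL" comment without that comment being updated. The function body starts and ends outside both hunks.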
diff --git a/src/tracker-extract/tracker-extract.c b/src/tracker-extract/tracker-extract.c
index 3406164..209c76b 100644
--- a/src/tracker-extract/tracker-extract.c
+++ b/src/tracker-extract/tracker-extract.c
@@ -30,8 +30,6 @@
 #include
 #include
-#include
-
 #include
 #include "tracker-extract.h"
@@ -523,9 +521,6 @@ get_metadata (TrackerExtractTask *task)
 static gpointer
 single_thread_get_metadata (GAsyncQueue *queue)
 {
- if (!tracker_seccomp_init ())
- g_assert_not_reached ();
-
 while (TRUE) {
 TrackerExtractTask *task;
diff --git a/src/tracker-extract/tracker-main.c b/src/tracker-extract/tracker-main.c
index 2a646cc..484be22 100644
--- a/src/tracker-extract/tracker-main.c
+++ b/src/tracker-extract/tracker-main.c
@@ -292,7 +292,7 @@ get_cache_dir (TrackerDomainOntology *domain_ontology)
 }
 int
-main (int argc, char *argv[])
+do_main (int argc, char *argv[])
 {
 GOptionContext *context;
 GError *error = NULL;
@@ -311,9 +311,6 @@ main (int argc, char *argv[])
 bind_textdomain_codeset (GETTEXT_PACKAGE, "UTF-8");
 textdomain (GETTEXT_PACKAGE);
- /* This makes sure we don't steal all the system's resources */
- initialize_priority_and_scheduling ();
-
 /* Translators: this message will appear immediately after the */
 /* usage string - Usage: COMMAND [OPTION]... */
 context = g_option_context_new (_("— Extract file meta data"));
@@ -487,3 +484,17 @@ main (int argc, char *argv[])
 return EXIT_SUCCESS;
 }
+
+int
+main (int argc, char *argv[])
+{
+ /* This function is untouchable! Add things to do_main() */
+
+ /* This makes sure we don't steal all the system's resources */
+ initialize_priority_and_scheduling ();
+
+ if (!tracker_seccomp_init ())
+ g_assert_not_reached ();
+
+ return do_main (argc, argv);
+}
--
2.33.0
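Review bot: The sandbox failure path in the new `main ()` of tracker-main.c (the `@@ -487,3 +484,17 @@` hunk) is `g_assert_not_reached ()`, which GLib compiles to a no-op or `__builtin_unreachable ()` when `G_DISABLE_ASSERT` is defined. In such a build a failed `tracker_seccomp_init ()` would not reliably stop the process before `do_main ()` runs without a filter. The check should fail closed explicitly: `if (!tracker_seccomp_init ()) { g_printerr ("Failed to initialize seccomp\n"); return EXIT_FAILURE; }`. The "untouchable" comment should also state its reason, presumably that anything placed before the call runs unfiltered, e.g. `/* Keep this minimal: the seccomp filter must be installed before any other code runs or starts a thread */`.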