From 8523cc78c18d13f1b2f278ac86a5031b95bc739e Mon Sep 17 00:00:00 2001
From: technology208 <technology@208suo.com>
Date: Mon, 20 May 2024 16:32:52 +0800
Subject: [PATCH] CreatePatch
---
.../tracker-seccomp.c | 23 +++++++++++++++++++
src/tracker-extract/tracker-extract.c | 5 ----
src/tracker-extract/tracker-main.c | 19 +++++++++++----
3 files changed, 38 insertions(+), 9 deletions(-)
diff --git a/src/libtracker-miners-common/tracker-seccomp.c b/src/libtracker-miners-common/tracker-seccomp.c
|
|
index 01887e8..a2b7ed9 100644
|
|
--- a/src/libtracker-miners-common/tracker-seccomp.c
|
|
+++ b/src/libtracker-miners-common/tracker-seccomp.c
|
|
@@ -100,6 +100,7 @@ tracker_seccomp_init (void)
|
|
ALLOW_RULE (lstat);
|
|
ALLOW_RULE (lstat64);
|
|
ALLOW_RULE (statx);
|
|
+ ALLOW_RULE (fstatfs);
|
|
ALLOW_RULE (access);
|
|
ALLOW_RULE (getdents);
|
|
ALLOW_RULE (getdents64);
|
|
@@ -168,6 +169,23 @@ tracker_seccomp_init (void)
|
|
ALLOW_RULE (getpeername);
|
|
ALLOW_RULE (shutdown);
|
|
|
|
+ ERROR_RULE (inotify_init1, EINVAL);
|
|
+ ERROR_RULE (inotify_init, EINVAL);
|
|
+
|
|
+ ERROR_RULE (mkdir, EPERM);
|
|
+ ERROR_RULE (rename, EPERM);
|
|
+ ERROR_RULE (unlink, EPERM);
|
|
+ ERROR_RULE (ioctl, EBADF);
|
|
+ ERROR_RULE (bind, EACCES);
|
|
+ ERROR_RULE (setsockopt, EBADF);
|
|
+ ERROR_RULE (sched_getattr, EPERM);
|
|
+
|
|
+ /* Allow prlimit64, only if no new limits are being set */
|
|
+ if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(prlimit64), 1,
|
|
+ SCMP_CMP(2, SCMP_CMP_EQ, 0)) < 0)
|
|
+ goto out;
|
|
+
|
|
+
|
|
/* Special requirements for socket/socketpair, only on AF_UNIX/AF_LOCAL */
|
|
if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 1,
|
|
SCMP_CMP(0, SCMP_CMP_EQ, AF_UNIX)) < 0)
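Review bot: The new `ERROR_RULE (mkdir, EPERM)`, `ERROR_RULE (rename, EPERM)` and `ERROR_RULE (unlink, EPERM)` lines only cover the legacy syscall numbers; on ABIs that do not provide them (aarch64, for instance) the C library issues `mkdirat`, `renameat`/`renameat2` and `unlinkat` instead, so those calls would still reach the filter's default action rather than the intended soft errno. If the filter is meant to behave the same on every architecture, matching ERROR_RULEs for the *at variants belong next to these, the way `inotify_init1` is already paired with `inotify_init`. The block also gives no reason why these particular calls degrade to an error instead of the default action; a comment such as `/* Syscalls that callers probe for and handle failing gracefully: fail them with an errno instead of tripping the filter */` above the first ERROR_RULE would record that. For prlimit64, `SCMP_CMP(2, SCMP_CMP_EQ, 0)` matches a NULL new_limit pointer, which the existing comment could state explicitly, e.g. `/* Allow prlimit64 only when new_limit is NULL, i.e. a query that sets no new limits */`. tracker_seccomp_init's body begins and ends outside this hunk.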
|
|
@@ -175,6 +193,11 @@ tracker_seccomp_init (void)
|
|
if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(socket), 1,
|
|
SCMP_CMP(0, SCMP_CMP_EQ, AF_LOCAL)) < 0)
|
|
goto out;
|
|
+
|
|
+ if (seccomp_rule_add (ctx, SCMP_ACT_ERRNO (EACCES), SCMP_SYS(socket), 1,
|
|
+ SCMP_CMP(0, SCMP_CMP_EQ, AF_NETLINK)) < 0)
|
|
+ goto out;
|
|
+
|
|
if (seccomp_rule_add (ctx, SCMP_ACT_ALLOW, SCMP_SYS(socketpair), 1,
|
|
SCMP_CMP(0, SCMP_CMP_EQ, AF_UNIX)) < 0)
|
|
goto out;
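Review bot: The added rule that turns `socket(AF_NETLINK, ...)` into EACCES has no comment explaining why netlink gets a graceful failure while every other non-AF_UNIX domain still falls through to the filter's default action. Presumably some library probed during startup now opens a netlink socket and copes with the error; that expectation should be written down so the next reader does not widen the rule to SCMP_ACT_ALLOW, e.g. `/* Netlink is not needed; fail it with EACCES so callers that probe for it can fall back, rather than hitting the default action */`. Note also that the two ALLOW rules above it match AF_UNIX and AF_LOCAL, which are the same value, so the order relative to the new ERRNO rule is not what decides the outcome here; the domain comparison is. tracker_seccomp_init continues outside the hunk in both directions.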
|
|
diff --git a/src/tracker-extract/tracker-extract.c b/src/tracker-extract/tracker-extract.c
|
|
index 3406164..209c76b 100644
|
|
--- a/src/tracker-extract/tracker-extract.c
|
|
+++ b/src/tracker-extract/tracker-extract.c
|
|
@@ -30,8 +30,6 @@
|
|
#include <gio/gunixinputstream.h>
|
|
#include <gio/gunixfdlist.h>
|
|
|
|
-#include <libtracker-miners-common/tracker-common.h>
|
|
-
|
|
#include <libtracker-extract/tracker-extract.h>
|
|
|
|
#include "tracker-extract.h"
|
|
@@ -523,9 +521,6 @@ get_metadata (TrackerExtractTask *task)
|
|
static gpointer
|
|
single_thread_get_metadata (GAsyncQueue *queue)
|
|
{
|
|
- if (!tracker_seccomp_init ())
|
|
- g_assert_not_reached ();
|
|
-
|
|
while (TRUE) {
|
|
TrackerExtractTask *task;
|
|
|
|
diff --git a/src/tracker-extract/tracker-main.c b/src/tracker-extract/tracker-main.c
|
|
index 2a646cc..484be22 100644
|
|
--- a/src/tracker-extract/tracker-main.c
|
|
+++ b/src/tracker-extract/tracker-main.c
|
|
@@ -292,7 +292,7 @@ get_cache_dir (TrackerDomainOntology *domain_ontology)
|
|
}
|
|
|
|
int
|
|
-main (int argc, char *argv[])
|
|
+do_main (int argc, char *argv[])
|
|
{
|
|
GOptionContext *context;
|
|
GError *error = NULL;
|
|
@@ -311,9 +311,6 @@ main (int argc, char *argv[])
|
|
bind_textdomain_codeset (GETTEXT_PACKAGE, "UTF-8");
|
|
textdomain (GETTEXT_PACKAGE);
|
|
|
|
- /* This makes sure we don't steal all the system's resources */
|
|
- initialize_priority_and_scheduling ();
|
|
-
|
|
/* Translators: this message will appear immediately after the */
|
|
/* usage string - Usage: COMMAND [OPTION]... <THIS_MESSAGE> */
|
|
context = g_option_context_new (_("— Extract file meta data"));
|
|
@@ -487,3 +484,17 @@ main (int argc, char *argv[])
|
|
|
|
return EXIT_SUCCESS;
|
|
}
|
|
+
|
|
+int
|
|
+main (int argc, char *argv[])
|
|
+{
|
|
+ /* This function is untouchable! Add things to do_main() */
|
|
+
|
|
+ /* This makes sure we don't steal all the system's resources */
|
|
+ initialize_priority_and_scheduling ();
|
|
+
|
|
+ if (!tracker_seccomp_init ())
|
|
+ g_assert_not_reached ();
|
|
+
|
|
+ return do_main (argc, argv);
|
|
+}
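Review bot: The new main() reacts to `tracker_seccomp_init ()` failing only with `g_assert_not_reached ()`, which is compiled out when GLib is built or used with G_DISABLE_ASSERT; in such a build a failed filter setup would fall straight through to `do_main (argc, argv)` with no sandbox installed. A failure path that cannot be disabled keeps the process fail-closed in every configuration, e.g. `g_error ("Could not initialize seccomp sandbox");` or `g_critical (...); return EXIT_FAILURE;`. The `/* This function is untouchable! Add things to do_main() */` comment should also say why, since the reason is the security boundary: the filter is installed here before do_main() and whatever it starts, so everything that runs afterwards is already subject to it, and anything added to main() above that call runs unsandboxed — something like `/* Installs the seccomp filter before anything else runs; code placed in this function executes outside the sandbox. Add things to do_main() */`.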
|
|
--
2.33.0