GNOME Bugzilla – Bug 785197
Apply seccomp syscall filtering
Last modified: 2017-09-22 12:26:59 UTC
Look for ENABLE_SECCOMP in https://github.com/flatpak/flatpak/blob/master/common/flatpak-run.c for an example of how to apply it.
Created attachment 356112
thumbnail: Restrict thumbnailer syscalls using seccomp

Use seccomp code from flatpak to limit the system calls thumbnailers can make, reducing the attack surface.
Attachment 356112 pushed as 5a4844b - thumbnail: Restrict thumbnailer syscalls using seccomp
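The approach the commit message describes, as an added example that is not code from the commit or from flatpak: a forked stand-in for a thumbnailer installs a default-allow seccomp filter that fails selected syscalls with EPERM, and the parent checks the result. It uses raw seccomp-BPF through prctl() rather than libseccomp so that it builds without that library; the deny-list is a constructed sample, the function names are hypothetical, and x86-64 or AArch64 Linux is assumed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#endif
/* If nr matches, fail the call with EPERM; otherwise fall through. */
#define DENY(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
                 BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM)

/* Default-allow filter: kill on a foreign ABI, EPERM for the listed calls. */
static int apply_denylist(void)
{
    struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* Constructed sample list, not the list the commit ships. */
        DENY(SYS_mount), DENY(SYS_pivot_root), DENY(SYS_unshare), DENY(SYS_keyctl),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { sizeof insns / sizeof insns[0], insns };
    /* no_new_privs must be set before an unprivileged process may add a filter. */
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||
           prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) ? -1 : 0;
}

/* Filter a forked child; 0 = its denied call got EPERM, 2 = install failed. */
static int check_filter_in_child(void)
{
    int status;
    pid_t pid = fork();
    if (pid == 0) {
        if (apply_denylist() != 0) _exit(2);
        /* unshare(0) is a no-op when permitted, so EPERM comes from a filter. */
        _exit(syscall(SYS_unshare, 0) == -1 && errno == EPERM ? 0 : 1);
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
int main(void) { return check_filter_in_child(); }
```

The filter is inherited across fork and exec and cannot be removed, which is why it is installed in the child just before the untrusted work starts rather than in the parent.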
checking for LIBSECCOMP... no
configure: error: Package requirements (libseccomp) were not met:

Package 'libseccomp', required by 'virtual:world', not found

Is it possible to add an option to build without libseccomp?
libseccomp is a requirement on Linux. File a bug against jhbuild if it doesn't provide you with a way to get that dependency.
> libseccomp is a requirement on Linux.
I don't have this library. I would not want to install it.
> File a bug against jhbuild if it doesn't provide you with a way to get that dependency.
I build gnome-desktop from a tarball, without jhbuild. The ENABLE_SECCOMP macro is present in the code. Why not add an option in configure.ac to disable it?
It's not optional. Not. Optional. If you want to hack together something that might or might not work, go for it. The upstream requires libseccomp for sandboxing. If that's still a problem, file a bug against jhbuild.
OK, I see https://bugzilla.gnome.org/show_bug.cgi?id=784940#c3 . You don't like those who want to disable new functionality. You impose unnecessary functionality without leaving an opportunity to choose a minimum set of tools. It's hard, but I do it with a patch. Have a nice day...