Skip to content

tracker-extract: Limit filesystem access through Landlock

Carlos Garnacho requested to merge carlosg/tracker-miners:wip/landlock into master

Landlock is a relatively recent kernel API (since 5.3) that allows setting up high level access rules to specific portions of the filesystem. Use this API if available in tracker-extract-3, in order to avoid any possible extraneous access outside of our specified locations.

The following locations have some form of read permissions:

  • The home directory, as the source of all files data extracted. The metadata extractor not only opens files directly, it also may wants to open "indirect" files like CUE sheets, XMP sidecar files, etc. Thus access to the full directory is allowed.
  • The library locations, in the installed prefix, extended to /usr if the prefixes mismatch.
  • The data locations, in the installed prefix, extended to /usr if the prefixes mismatch.
  • Some misc specific files (/etc/passwd, /proc/mounts) for correct GIO volume monitor behavior.

With all other operations supported by Landlock being disallowed, plus read operations in other directories outside this set.

This is a protection layer meant to complement seccomp, which is still the primary form of protection since it restricts all write access to the filesystem, besides other things like opening sockets. Anyhow, there's still some chance that read only access might cause some mischief (e.g. fiddling in /proc).

Still, treat this as a nicety, and don't warn if the feature is disabled (e.g. old kernels), like we do with seccomp.

Merge request reports