    tracker-extract: Limit filesystem access through Landlock · 38f0bed5
    Carlos Garnacho authored
    Landlock is a relatively recent kernel API (since 5.3) that allows
    setting up high level access rules to specific portions of the
    filesystem. Use this API if available when spawning tracker-extract-3,
    in order to avoid any possible extraneous access outside of our
    specified locations.
    
    The following locations have some form of read permissions:
    
    - The indexed folders, as the source of all file data extracted.
      The metadata extractor not only opens files directly, it also may
      want to open "indirect" files like CUE sheets, XMP sidecar files,
      etc. Thus access to full directories is allowed.
    - The library locations, in the installed prefix, extended to /usr
      if the prefixes mismatch, and LD_LIBRARY_PATH if set.
    - The data locations, in the installed prefix, extended to /usr
      if the prefixes mismatch.
    - Some misc specific files (/etc/passwd, /proc/mounts) for correct
      GIO volume monitor behavior.
    
    All other operations supported by Landlock are disallowed, as are
    read operations in other directories outside this set.
    
    This is a protection layer meant to complement seccomp, which is
    still the primary form of protection since it restricts all write
    access to the filesystem, besides other things like opening sockets.
    Anyhow, there's still some chance that read only access might cause
    some mischief (e.g. fiddling in /proc).
    
    Still, treat this as a nicety, and don't warn if the feature is
    disabled (e.g. old kernels), like we do with seccomp.
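The policy the commit describes, as an added example in C that is not the tracker-miners code: a Landlock ruleset that grants read (and execute) access beneath a list of directories, denies every other access the running kernel's ABI handles, and quietly reports "unsupported" instead of warning where Landlock is absent. It assumes Linux with Landlock UAPI headers; the function names and the status enum are the example's own.

```c
/* Constructed example, not tracker-miners code: Landlock read-only policy in
 * the shape the commit describes. Linux only; needs UAPI headers >= 5.13. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/landlock.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

enum { SANDBOX_ERROR = -1, SANDBOX_UNSUPPORTED = 0, SANDBOX_APPLIED = 1 };
/* errno values meaning "no Landlock here", where the caller carries on quietly:
 * old kernel (ENOSYS), LSM not enabled (EOPNOTSUPP), filtered by seccomp (EPERM). */
int landlock_unavailable(int err) {
    return err == ENOSYS || err == EOPNOTSUPP || err == EPERM;
}
/* Filesystem access bits the kernel handles: ABI v1 = bits 0..12, v2 adds REFER (bit 13),
 * v3 adds TRUNCATE (bit 14). A handled bit that no rule grants is denied everywhere. */
unsigned long long landlock_handled_mask(int abi) {
    return abi >= 3 ? 0x7fffULL : abi >= 2 ? 0x3fffULL : 0x1fffULL;
}
/* Grant read (plus execute, for the library dirs) beneath each path; deny the rest. */
int sandbox_read_only(const char *const *paths, size_t n) {
    int abi = (int)syscall(__NR_landlock_create_ruleset, NULL, 0,
                           LANDLOCK_CREATE_RULESET_VERSION);
    if (abi < 0) return landlock_unavailable(errno) ? SANDBOX_UNSUPPORTED : SANDBOX_ERROR;
    struct landlock_ruleset_attr attr = { .handled_access_fs = landlock_handled_mask(abi) };
    int rs = (int)syscall(__NR_landlock_create_ruleset, &attr, sizeof attr, 0);
    if (rs < 0) return SANDBOX_ERROR;
    for (size_t i = 0; i < n; i++) {
        struct landlock_path_beneath_attr rule = {
            .allowed_access = LANDLOCK_ACCESS_FS_READ_FILE | LANDLOCK_ACCESS_FS_READ_DIR |
                              LANDLOCK_ACCESS_FS_EXECUTE,
            .parent_fd = open(paths[i], O_PATH | O_CLOEXEC) };
        if (rule.parent_fd < 0) continue; /* absent path (e.g. unset LD_LIBRARY_PATH) */
        int r = (int)syscall(__NR_landlock_add_rule, rs, LANDLOCK_RULE_PATH_BENEATH, &rule, 0);
        close(rule.parent_fd);
        if (r < 0) { close(rs); return SANDBOX_ERROR; }
    }
    /* no_new_privs is mandatory before restrict_self; the policy then survives execve. */
    int r = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) || syscall(__NR_landlock_restrict_self, rs, 0);
    close(rs);
    return r ? SANDBOX_ERROR : SANDBOX_APPLIED;
}
/* 1 if path opens read-only, else 0: a quick check that the policy took effect. */
int can_read(const char *path) {
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd >= 0) close(fd);
    return fd >= 0;
}
```

Once applied, a path outside the granted set (such as /proc) fails to open with EACCES even for root, while paths beneath the granted directories still read normally; the restriction is kept across the execve of the child.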