Bug#990719: unblock: tracker-miners/2.3.5-2.1



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: pkg-gnome-maintainers@lists.alioth.debian.org

Please unblock package tracker-miners

[ Reason ]
The filesystem miner crashes repeatedly on (at least) arm64 and linux
5.11 or later kernels. See #983637.

Due to a missing syscall whitelist of the miner's sandbox the filesystem
tracker crashes repeatedly on startup.  This doesn't happen on bullseye
amd64 and linux 5.10 but can be reproduced on amd64 and (at least)
kernel 5.11 or later.

[ Impact ]
Makes the miner unusable but also drains the battery quickly since
systemd restarts the miner unconditionally and endlessly. This is
especially bad if core files are enabled since the writing of those
over and over drains battery even quicker.

[ Tests ]
Whether the service is up can be checked via

   systemctl start --user tracker-miner-fs.service

[ Risks ]
The proposed fix is a backport of an upstream fix so
the risk seems minimal. Theoretically allowing more
syscalls in the sandbox could open a security hole.

unblock tracker-miners/2.3.5-2.1
diff --git a/debian/changelog b/debian/changelog
index 353d69ddf..4fa33a6bd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,13 @@
+tracker-miners (2.3.5-2.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * libtracker-miners-common: Add newstatat/statat64 syscalls.
+    Backport upstream commit b3fdbaf to avoid constant crashes every 2s.
+    Thanks Julian Andres Klode for forwarding this initially.
+    (Closes: #983637)
+
+ -- Guido Günther <agx@sigxcpu.org>  Mon, 05 Jul 2021 12:40:50 +0200
+
 tracker-miners (2.3.5-2) unstable; urgency=medium
 
   * Make the 'audio' tests non-fatal on powerpc and sparc64 as well
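Review bot: the changelog bullet names the syscalls as "newstatat/statat64", but the rules the patch adds are `ALLOW_RULE (fstatat64)` and `ALLOW_RULE (newfstatat)`. Spelling them fstatat64/newfstatat in the changelog would let the entry be matched against tracker-seccomp.c and against the syscall named in a crash report. The upstream subject line inside the cherry-picked patch can stay as it is.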
diff --git a/debian/patches/libtracker-miners-common-Add-newstatat-statat64-syscalls.patch b/debian/patches/libtracker-miners-common-Add-newstatat-statat64-syscalls.patch
new file mode 100644
index 000000000..832386d2c
--- /dev/null
+++ b/debian/patches/libtracker-miners-common-Add-newstatat-statat64-syscalls.patch
@@ -0,0 +1,24 @@
+From: Carlos Garnacho <carlosg@gnome.org>
+Date: Sun, 25 Oct 2020 15:37:13 +0100
+Subject: libtracker-miners-common: Add newstatat/statat64 syscalls
+
+These are done in recent glib versions, should be observed here.
+
+(cherry picked from commit b3fdbaf1ab23ce7191ace6db79575dfce5f90881)
+---
+ src/libtracker-miners-common/tracker-seccomp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/libtracker-miners-common/tracker-seccomp.c b/src/libtracker-miners-common/tracker-seccomp.c
+index c0327eb..01887e8 100644
+--- a/src/libtracker-miners-common/tracker-seccomp.c
++++ b/src/libtracker-miners-common/tracker-seccomp.c
+@@ -91,6 +91,8 @@ tracker_seccomp_init (void)
+ 	/* Basic filesystem access */
+ 	ALLOW_RULE (fstat);
+ 	ALLOW_RULE (fstat64);
++	ALLOW_RULE (fstatat64);
++	ALLOW_RULE (newfstatat);
+ 	ALLOW_RULE (stat);
+ 	ALLOW_RULE (stat64);
+ 	ALLOW_RULE (statfs);
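Review bot: the patch description ("These are done in recent glib versions, should be observed here.") does not say why widening the allowlist is acceptable, which is the one risk the unblock request raises. Consider recording in the header that fstatat64 and newfstatat are the *at variants of the fstat/stat calls already allowed in the same "Basic filesystem access" block, so the sandbox gains no new class of operation. A Bug-Debian field for #983637 next to the cherry-pick line would also tie the patch to the report.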
diff --git a/debian/patches/series b/debian/patches/series
index a9bd2953d..f56af3a1f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -5,3 +5,4 @@ prefer_systemd_activation.patch
 dont_start_for_root.patch
 Don-t-immediately-restart-tracker-extract-on-SIGSYS.patch
 debian/Revert-build-Include-libdir-in-rpath.patch
+libtracker-miners-common-Add-newstatat-statat64-syscalls.patch
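Review bot: the series context already lists Don-t-immediately-restart-tracker-extract-on-SIGSYS.patch, which by its name guards only tracker-extract, while the impact described in this request is systemd restarting the filesystem miner endlessly. Appending the allowlist fix at the end of the series is fine, but consider whether tracker-miner-fs needs the same restart guard, so that the next syscall missing from the allowlist does not bring back the restart loop.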

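The failure mode described under [ Reason ], as an added example that is not part of the original message or of tracker-miners: a child process under a small seccomp allowlist dies with SIGSYS when it calls newfstatat, and survives once that syscall is allowed. It uses raw seccomp-BPF rather than the libseccomp-style ALLOW_RULE macro in the patch; the function names, the three-syscall allowlist, the kill-process default action and a 64-bit Linux target where SYS_newfstatat exists are assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed allowlist (not Tracker's): exit_group, fstat, optionally newfstatat. */
static int install_filter(int allow_newfstatat)
{
	struct sock_filter f[] = {
		BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit_group, 2, 0),
		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_fstat, 1, 0),
		BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (allow_newfstatat ? SYS_newfstatat : SYS_fstat), 0, 1),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
		BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS), /* default: SIGSYS */
	};
	struct sock_fprog prog = { sizeof f / sizeof f[0], f };
	if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
	return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Signal that ended the sandboxed child, 0 on clean exit, -1 on setup error. */
int sandboxed_stat_signal(int allow_newfstatat)
{
	int status;
	pid_t pid = fork();
	if (pid < 0) return -1;
	if (pid == 0) {
		struct stat st;
		if (install_filter(allow_newfstatat)) syscall(SYS_exit_group, 2);
		syscall(SYS_newfstatat, AT_FDCWD, ".", &st, 0); /* killed unless allowlisted */
		syscall(SYS_exit_group, 0);
	}
	if (waitpid(pid, &status, 0) < 0) return -1;
	if (WIFSIGNALED(status)) return WTERMSIG(status);
	return WEXITSTATUS(status) == 0 ? 0 : -1;
}

/* Exit status 0 when the child dies without the rule and survives with it. */
int main(void)
{
	return sandboxed_stat_signal(0) == SIGSYS && sandboxed_stat_signal(1) == 0 ? 0 : 1;
}
```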