Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: pkg-gnome-maintain...@lists.alioth.debian.org

Please unblock package tracker-miners

[ Reason ]
The filesystem miner crashes repeatedly on (at least) arm64 and linux 5.11 or later kernels. See #983637. Due to a missing syscall whitelist of the miner's sandbox the filesystem tracker crashes repeatedly on startup. This doesn't happen on bullseye amd64 and linux 5.10 but can be reproduced on amd64 and (at least) kernel 5.11 or later.

[ Impact ]
Makes the miner unusable but also drains the battery quickly since systemd restarts the miner unconditionally and endlessly. This is especially bad if core files are enabled since the writing of those over and over drains battery even quicker.

[ Tests ]
Whether the service is up can be checked via

    systemctl start --user tracker-miner-fs.service

[ Risks ]
The proposed fix is a backport of an upstream fix so the risk seems minimal. Theoretically allowing more syscalls in the sandbox could open a security hole.

unblock tracker-miners/2.3.5-2.1

diff --git a/debian/changelog b/debian/changelog index 353d69ddf..4fa33a6bd 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,13 @@ +tracker-miners (2.3.5-2.1) unstable; urgency=medium + + * Non-maintainer upload. + * libtracker-miners-common: Add newstatat/statat64 syscalls. + Backport upstream commit b3fdbaf to avoid constant crashes every 2s. + Thanks Julian Andres Klode for forwarding this initially. + (Closes: #983637) + + -- Guido Günther <a...@sigxcpu.org> Mon, 05 Jul 2021 12:40:50 +0200 + tracker-miners (2.3.5-2) unstable; urgency=medium * Make the 'audio' tests non-fatal on powerpc and sparc64 as well diff --git a/debian/patches/libtracker-miners-common-Add-newstatat-statat64-syscalls.patch b/debian/patches/libtracker-miners-common-Add-newstatat-statat64-syscalls.patch new file mode 100644 index 000000000..832386d2c --- /dev/null +++ b/debian/patches/libtracker-miners-common-Add-newstatat-statat64-syscalls.patch @@ -0,0 +1,24 @@ +From: Carlos Garnacho <carl...@gnome.org> +Date: Sun, 25 Oct 2020 15:37:13 +0100 +Subject: libtracker-miners-common: Add newstatat/statat64 syscalls + +These are done in recent glib versions, should be observed here. + +(cherry picked from commit b3fdbaf1ab23ce7191ace6db79575dfce5f90881) +--- + src/libtracker-miners-common/tracker-seccomp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/libtracker-miners-common/tracker-seccomp.c b/src/libtracker-miners-common/tracker-seccomp.c +index c0327eb..01887e8 100644 +--- a/src/libtracker-miners-common/tracker-seccomp.c ++++ b/src/libtracker-miners-common/tracker-seccomp.c +@@ -91,6 +91,8 @@ tracker_seccomp_init (void) + /* Basic filesystem access */ + ALLOW_RULE (fstat); + ALLOW_RULE (fstat64); ++ ALLOW_RULE (fstatat64); ++ ALLOW_RULE (newfstatat); + ALLOW_RULE (stat); + ALLOW_RULE (stat64); + ALLOW_RULE (statfs); diff --git a/debian/patches/series b/debian/patches/series index a9bd2953d..f56af3a1f 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -5,3 +5,4 @@ prefer_systemd_activation.patch dont_start_for_root.patch Don-t-immediately-restart-tracker-extract-on-SIGSYS.patch debian/Revert-build-Include-libdir-in-rpath.patch +libtracker-miners-common-Add-newstatat-statat64-syscalls.patch
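
Review bot: The debian/changelog entry names the syscalls as "newstatat/statat64", but the rules the backported patch adds to tracker-seccomp.c are fstatat64 and newfstatat. Spelling the real syscall names in the changelog line would let someone searching the changelog for the name seen in a crash report find this upload. The patch Subject and file name carry the same spelling from upstream and can stay as they are.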
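
Review bot: The header of debian/patches/libtracker-miners-common-Add-newstatat-statat64-syscalls.patch carries only the upstream commit message, whose rationale ("These are done in recent glib versions") says nothing about the crash this upload closes. Adding DEP-3 fields such as Origin: for the cherry-picked commit and Bug-Debian: for #983637 would tie the patch to the bug. On the two added lines in tracker_seccomp_init, ALLOW_RULE (fstatat64) and ALLOW_RULE (newfstatat) sit under the "Basic filesystem access" comment beside the already allowed fstat, fstat64, stat and stat64, so the allowlist grows only by two more stat-family calls, which is worth stating in the [ Risks ] section of the request.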