tracker-miners: enable landlock

Landlock is a method of unprivileged sandboxing to restrict, for example, fs access for certian processes. It requires linux5.13+ along with landlock being enabled in the kernel. The latter has been the case since 2020 661f17ea74 however, those using older kernels will no longer be able to use tracker-miners. This will make the gnome-music and gnome-photos unusable on such kernels.
2024-04-15 01:01:21 -07:00 · 2024-04-15 01:01:21 -07:00 · 5c633c231e
commit 5c633c231e
parent cbe68c01e0
2 changed files with 34 additions and 5 deletions
--- a/srcpkgs/tracker-miners/patches/fix-musl-missing-include.patch
+++ b/srcpkgs/tracker-miners/patches/fix-musl-missing-include.patch
@ -0,0 +1,10 @@
+--- a/src/libtracker-miners-common/tracker-landlock.c
+++ b/src/libtracker-miners-common/tracker-landlock.c
+@@ -28,6 +28,7 @@
+ #include <linux/landlock.h>
+ #include <sys/prctl.h>
+ #include <sys/syscall.h>
+#include <unistd.h>
+ 
+ #include "tracker-debug.h"
+ 
--- a/srcpkgs/tracker-miners/template
+++ b/srcpkgs/tracker-miners/template
@ -1,19 +1,18 @@
 # Template file for 'tracker-miners'
 pkgname=tracker-miners
 version=3.7.1
-revision=1
+revision=2
 build_style=meson
 build_helper=qemu
 # missing libgrss for miner_rss
-configure_args="-Dtracker_core=system -Dextract=true
- -Dfunctional_tests=false -Dcue=enabled -Dexif=enabled
+configure_args="-Dtracker_core=system -Dextract=true -Dcue=enabled -Dexif=enabled
 -Dgif=enabled -Dgsf=enabled -Diptc=enabled -Diso=enabled -Djpeg=enabled
 -Dpdf=enabled -Dplaylist=enabled -Dpng=enabled -Draw=enabled
 -Dtiff=enabled -Dxml=enabled -Dxmp=enabled -Dxps=enabled
 -Dminer_rss=false -Dbattery_detection=upower -Dcharset_detection=icu
 -Dgeneric_media_extractor=gstreamer -Dgstreamer_backend=discoverer
 -Dsystemd_user_services=false -Dnetwork_manager=enabled
- -Dlandlock=disabled"
+ $(vopt_feature landlock)"
 hostmakedepends="pkg-config glib-devel intltool asciidoc"
 makedepends="tracker-devel ffmpeg-devel dbus-devel exempi-devel
 libglib-devel libgexiv2-devel gstreamer1-devel icu-devel libcue-devel
@ -22,6 +21,7 @@ makedepends="tracker-devel ffmpeg-devel dbus-devel exempi-devel
 poppler-glib-devel totem-pl-parser-devel
 upower-devel zlib-devel gst-plugins-base1-devel giflib-devel
 NetworkManager-devel libharfbuzz"
+checkdepends="python3-gobject tracker dbus gst-plugins-good1 gst-plugins-bad1"
 short_desc="Data miners for tracker"
 maintainer="Orphaned <orphan@voidlinux.org>"
 license="GPL-2.0-or-later"
@ -29,7 +29,26 @@ homepage="https://tracker.gnome.org/"
 changelog="https://gitlab.gnome.org/GNOME/tracker-miners/-/raw/master/NEWS"
 distfiles="${GNOME_SITE}/tracker-miners/${version%.*}/tracker-miners-${version}.tar.xz"
 checksum=50a3abe40cfb0b35ced43ec716dbf1368992e444ef7a0babf202c7ac6ab2f6f4
-make_check=no # relies on unsupported ops in chroot
+make_check_pre="dbus-run-session"
+make_check=ci-skip # TODO: d-bus tests timeout ci
+
+build_options="landlock"
+desc_option_landlock="Enable enhanced sandboxing (requires linux5.13+ kernel support)"
+build_options_default="landlock"
+
+if [ "$XBPS_TARGET_LIBC" = "musl" ]; then
+	CFLAGS+=" -DSYS_landlock_create_ruleset=444 -DSYS_landlock_add_rule=445 -DSYS_landlock_restrict_self=446"
+fi
+
+pre_check() {
+	# Tests must run inside of home directory for changes to be tracked
+	oldhome="$HOME"
+	HOME="${wrksrc}"
+}
+
+post_check() {
+	HOME="$oldhome"
+}

 tracker3-miners_package() {
 	depends="${sourcepkg}>=${version}_${revision}"