Changeset 20be11f


Timestamp:
04/11/2024 07:08:39 AM (5 weeks ago)
Author:
Xi Ruoyao <xry111@…>
Branches:
lazarus, trunk
Children:
608e1de1
Parents:
e8b98762
git-author:
Xi Ruoyao <xry111@…> (04/11/2024 07:06:02 AM)
git-committer:
Xi Ruoyao <xry111@…> (04/11/2024 07:08:39 AM)
Message:

tracker3-miners: Enable Landlock, and document security implications about disabling seccomp or Landlock

Files:
2 added
1 edited

  • gnome/platform/tracker3-miners.xml

    re8b98762 r20be11f  
    121121  </sect2>
    122122
     123  <sect2 role="kernel" id="tracker3-miners-kernel">
     124    <title>Kernel Configuration</title>
     125
     126    <para>
     127      Enable the following options in the kernel configuration, then recompile
     128      the kernel and reboot if necessary:
     129    </para>
     130
     131    <xi:include xmlns:xi="http://www.w3.org/2001/XInclude"
     132      href="tracker3-miners-kernel.xml"/>
     133
     134    <indexterm zone="tracker3-miners tracker3-miners-kernel">
     135      <primary sortas="d-traker-miners">tracker-miners</primary>
     136    </indexterm>
     137  </sect2>
     138
    123139  <sect2 role="installation">
    124140    <title>Installation of Tracker-miners</title>
     
    163179            --buildtype=release \
    164180            -Dman=false         \
    165             -Dlandlock=disabled \
    166181            ..                  &amp;&amp;
    167182ninja</userinput></screen>
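Review bot: with -Dlandlock=disabled dropped from this meson invocation (and from the second build command below), the default build now relies on the kernel options from the new Kernel Configuration section, but nothing near the command says so. Add a sentence stating what happens when the package is built with Landlock and run on a kernel without it, so readers who skipped the kernel section know whether they need to pass the switch.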
     
    174189            -Dsystemd_user_services=false \
    175190            -Dman=false                   \
    176             -Dlandlock=disabled           \
    177191            ..                            &amp;&amp;
    178192ninja</userinput></screen>
     
    215229    </para>
    216230
    217     <para>
    218       <parameter>-Dlandlock=disabled</parameter>: This switch disables the
    219       Landlock file access sandbox due to it requiring additional kernel
    220       configuration and packages such as selinux or AppArmor.
    221     </para>
    222 
    223231    <para revision="sysv">
    224232      <parameter>-Dsystemd_user_services=false</parameter>: This switch prevents
     
    231239      call filter. On some architectures, such as i686 and ARM, the functions
    232240      that tracker-miners uses are not guarded properly, and tracker-miners
    233       will get killed with a SIGSYS as a result.
     241      will get killed with a SIGSYS as a result.  Note that disabling
     242      seccomp might cause the system compromised more severely in case a
     243      security vulnerability in tracker-miners or its dependencies is
     244      exploited.
     245    </para>
     246
     247    <para>
     248      <option>-Dlandlock=disabled</option>: This switch disables the
     249      Landlock file access sandbox.  Use it if you don't want to build the
     250      kernel with Landlock support.  Note that disabling Landlock might
     251      cause the system compromised more severely in case a security
     252      vulnerability in tracker-miners or its dependencies is exploited.
    234253    </para>
    235254
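Review bot: both added security notes read "might cause the system compromised more severely", which is ungrammatical; something like "might allow the system to be compromised more severely if a security vulnerability in tracker-miners or its dependencies is exploited" reads better. The new Landlock paragraph also marks the switch with the option element, while the paragraph it replaces and the neighbouring -Dsystemd_user_services=false entry use the parameter element; keep one of the two. An xref to tracker3-miners-kernel on "build the kernel with Landlock support" would point readers at the required options.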