Create Task
Maniphest T8066

Fix Bug 390830 = Prevent indexing of Plasma vaults and other fuse filesystems
Open, HighPublic
Actions

Related Objects

michaelh created this task.Feb 23 2018, 7:31 PM
michaelh triaged this task as High priority.
michaelh moved this task from Backlog to Bugs on the Baloo board.Mar 2 2018, 4:40 PM
michaelh added a comment.Mar 9 2018, 11:56 PM

How does tracker handle file systems?

michaelh added a comment.Mar 16 2018, 9:52 PM

General strategy:

  1. Have a config with black- or white-listed filesystems (fuse.*)
  2. Connect to Solid to receive a signal when /etc/mtab changes
  3. On mounts add mountpoint to baloo's excludedFolders cache
  4. On unmounts do nothing

Status quo:

  • Failing unit test: Done (create a temporary vault and mount it)
  • Implementation: Lacking (Cannot receive appropiate signal yet)
michaelh renamed this task from Fix BUG:390830 to Fix Bug 390830 = Prevent indexing of Plasma vaults and other fuse filesystems.Mar 16 2018, 9:53 PM
michaelh claimed this task.
bruns added a subscriber: bruns.Mar 31 2018, 12:57 AM
smithjd added a subscriber: smithjd.Sep 25 2018, 10:38 PM

What's wrong with a .balooignore file in the root of the vault? Tracker uses .trackerignore.

bruns added a comment.Sep 25 2018, 10:42 PM

If you want a manual workaround, just add the vault path to excludeFolders.
If you want a proper fix, handle encfs etc. properly in baloo.

ngraham added a subscriber: ngraham.Sep 26 2018, 1:19 PM

The default path for vaults to be mounted to is ~/Vaults; a naive solution would be to ship Baloo with an exclude rule for ~/Vaults. A slightly smarter approach would be for Plasma Vaults itself to add such a rule for whatever mountpoint is chosen during new vault creation.

bruns added a comment.Sep 26 2018, 1:23 PM

As a stopgap measure blacklisting ~/Vaults is probably ok.
Long term, blacklisting *all* encrypted file systems IMHO is the way to go, as this is an information leakage.
Of course, if the complete home is encrypted, i.e. content and index reside in the same encrypted volume, home should still be indexed.

ngraham added a comment.Sep 26 2018, 1:30 PM
In T8066#161715, @bruns wrote:

As a stopgap measure blacklisting ~/Vaults is probably ok.
Long term, blacklisting *all* encrypted file systems IMHO is the way to go, as this is an information leakage.
Of course, if the complete home is encrypted, i.e. content and index reside in the same encrypted volume, home should still be indexed.

+1, this all sounds sane to me.

ngraham added a comment.Sep 26 2018, 2:40 PM

@smithjd, since I know you expressed interest in interested in fixing this issue, would you like to become the assignee of this task and implement the following:

  • Short-term: by default, ship an exclude entry for ~/Vaults
  • Long-term: don't index anything in an encrypted volume that doesn't have the index located in it
  • Super long term: split the index so that it can live in multiple locations, and store an encrypted disk's index inside that disk, then allow the contents to be indexed again

Does this sound sane?

smithjd added a comment.Sep 27 2018, 11:49 PM

A slightly smarter approach would be for Plasma Vaults itself to add such a rule for whatever mountpoint is chosen during new vault creation.

What about exposing these config options on dbus? ("includeFolders"),("excludeFolders")

That would make for 4 new entries (add/remove for each) on the org.kde.baloo.main interface.

ngraham added a comment.Sep 28 2018, 8:18 PM
In T8066#161913, @smithjd wrote:

A slightly smarter approach would be for Plasma Vaults itself to add such a rule for whatever mountpoint is chosen during new vault creation.

What about exposing these config options on dbus? ("includeFolders"),("excludeFolders")

That would make for 4 new entries (add/remove for each) on the org.kde.baloo.main interface.

I'm not technically knowledgeable to offer an opinion on that, so I will defer to @bruns.