Disable Tracker (GNOME desktop search) by default

Tracker has several problems that make it ill-suited to Qubes OS:

- It parses untrusted email attachments downloaded to ~/Downloads, as
  well as the contents of several other directories.  The parsing code
  is written in C and so may have memory corruption vulnerabilities.  A
  remote code execution flaw in Tracker could be exploited by a
  malicious email attachment, even if the user would have only ever
  opened that attachment in a disposable VM.

- It uses a nontrivial amount of memory (61.8MB in one test).  This is
  significant when multiplied by the number of qubes running at a time.

- Tracker is normally used by GNOME Shell, GNOME Photos, and other GNOME
  applications, but (to the best of my knowledge) no application that
  uses Tracker is frequently used in Qubes OS.  This is very different
  from a default Fedora install, where Tracker provides desktop search
  in GNOME Shell and therefore provides a much larger benefit to the
  user.

For these reasons, disable Tracker by default.  It can be re-enabled via

$ qvm-service VMNAME enable tracker

where VMNAME is the name of the qube in which Tracker should run.

Fixes: QubesOS/qubes-issues#8372

Makefile

@@ -57,7 +57,13 @@ endif
 SYSTEM_DROPINS_NETWORKING := NetworkManager.service NetworkManager-wait-online.service
 SYSTEM_DROPINS_NETWORKING += tinyproxy.service
 
-USER_DROPINS :=
+USER_DROPINS := \
+	tracker-xdg-portal-3.service \
+	tracker-writeback-3.service \
+	tracker-miner-rss-3.service \
+	tracker-miner-fs-control-3.service \
+	tracker-miner-fs-3.service \
+	tracker-extract-3.service
 
 # Ubuntu Dropins
 ifeq ($(release),Ubuntu)

debian/qubes-core-agent.install

@@ -103,6 +103,12 @@ lib/systemd/system/[email protected]/30_qubes.conf
 lib/systemd/system/sysinit.target.requires
 lib/systemd/system/systemd-timesyncd.service.d/30_qubes.conf
 lib/systemd/system/systemd-logind.service.d/30_qubes.conf
+lib/systemd/user/tracker-extract-3.service.d/30_qubes.conf
+lib/systemd/user/tracker-miner-fs-3.service.d/30_qubes.conf
+lib/systemd/user/tracker-miner-fs-control-3.service.d/30_qubes.conf
+lib/systemd/user/tracker-miner-rss-3.service.d/30_qubes.conf
+lib/systemd/user/tracker-writeback-3.service.d/30_qubes.conf
+lib/systemd/user/tracker-xdg-portal-3.service.d/30_qubes.conf
 lib/udev/rules.d/50-qubes-mem-hotplug.rules
 usr/bin/qubes-desktop-run
 usr/bin/qubes-open

rpm_spec/core-agent.spec.in

@@ -1178,6 +1178,12 @@ The Qubes core startup configuration for SystemD init.
 %_unitdir/[email protected]/30_qubes.conf
 %_unitdir/tmp.mount.d/30_qubes.conf
 %_unitdir/sysinit.target.requires/systemd-random-seed.service
+%_userunitdir/tracker-extract-3.service.d/30_qubes.conf
+%_userunitdir/tracker-miner-fs-3.service.d/30_qubes.conf
+%_userunitdir/tracker-miner-fs-control-3.service.d/30_qubes.conf
+%_userunitdir/tracker-miner-rss-3.service.d/30_qubes.conf
+%_userunitdir/tracker-writeback-3.service.d/30_qubes.conf
+%_userunitdir/tracker-xdg-portal-3.service.d/30_qubes.conf
 
 %post systemd
 

vm-systemd/user/tracker-extract-3.service.d/30_qubes.conf

@@ -0,0 +1,2 @@
+[Unit]
+ConditionPathExists=/run/qubes-service/tracker

vm-systemd/user/tracker-miner-fs-3.service.d/30_qubes.conf

@@ -0,0 +1,2 @@
+[Unit]
+ConditionPathExists=/run/qubes-service/tracker

vm-systemd/user/tracker-miner-fs-control-3.service.d/30_qubes.conf

@@ -0,0 +1,2 @@
+[Unit]
+ConditionPathExists=/run/qubes-service/tracker

vm-systemd/user/tracker-miner-rss-3.service.d/30_qubes.conf

@@ -0,0 +1,2 @@
+[Unit]
+ConditionPathExists=/run/qubes-service/tracker

vm-systemd/user/tracker-writeback-3.service.d/30_qubes.conf

@@ -0,0 +1,2 @@
+[Unit]
+ConditionPathExists=/run/qubes-service/tracker

vm-systemd/user/tracker-xdg-portal-3.service.d/30_qubes.conf

@@ -0,0 +1,2 @@
+[Unit]
+ConditionPathExists=/run/qubes-service/tracker