fvogt added a comment.

  In D8532#478224 <https://phabricator.kde.org/D8532#478224>, @bruns wrote:
  
  > I totally agree with fvogt here - the extractors should just receive a 
readonly file descriptor.
  >
  > For this, there are several steps required:
  >
  > 1. let the extractors work with file descriptors (KFileMetaData)
  > 2. make sure the extractor plugins are fully initialized before receiving 
file descriptors
  > 3. actually feed file descriptors to the extractor
  >
  >   (1.) is trivial for some extractors (e.g. taglib), for others it may be 
hard. (2.) depends on several things - the plugins must be instantiated early 
(which clashes with the lazy loading), and the plugin may not load any external 
resources later on.
  >
  >   Using file descriptors has another benefit - currently, the file is 
stat'ed and so on, and then the corresponding path is fed to the extractor. It 
would be much better to open the file, use fstatat and friends, run the 
extractor and close the file again.
  
  
  What could also be done as an intermediate step is to whitelist opening 
read-only fds for metadata extractions. That way something like plugin loading 
is also covered and not many changes are required.
  The sandbox could be opt-in for plugins which just specify that they support 
sandboxing using the specified whitelist, with plugins which don't support 
sandboxing disabled by default.
  I used this approach in a (private so far) branch for sandboxing the 
thumbnail kio slave and it works well.

REPOSITORY
  R293 Baloo

REVISION DETAIL
  https://phabricator.kde.org/D8532

To: davidk, apol, ossi, #frameworks, smithjd, bruns
Cc: fvogt, mgallien, kde-frameworks-devel, michaelh, #baloo, detlefe, ngraham, 
nicolasfella, LeGast00n, domson, ashaposhnikov, astippich, spoorun, bruns, 
abrahams
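The open/fstat/extract/close flow that bruns describes, and the "extractor only receives a read-only fd" design both comments agree on, written out as an added example (this is not Baloo or KFileMetaData code; the names FdExtractor, extractFile, magicExtract and writeTemp are hypothetical, and the sample file bytes are constructed). The extractor gets nothing but an open descriptor and the size reported by fstat() on that same descriptor, so it never sees a path and has nothing to open; the seccomp whitelist discussed above is not implemented here.

```cpp
// Added example (not Baloo/KFileMetaData code): an extractor that works on an
// already-open read-only file descriptor instead of a path. The caller opens
// the file once, validates it with fstat() on that same descriptor, hands the
// descriptor to the extractor, and closes it afterwards.
#include <cerrno>
#include <cstdio>
#include <cstring>
#include <string>
#include <vector>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Hypothetical extractor interface: receives only a read-only fd plus the
// size reported by fstat(); it never sees a path and cannot open anything.
struct FdExtractor {
    const char *name;
    // Returns a MIME-like label, or "" if this extractor does not recognise the data.
    std::string (*extract)(int fd, off_t size);
};

// Toy extractor: identifies a file by its leading magic bytes, reading via
// pread() so it never depends on the descriptor's current offset.
static std::string magicExtract(int fd, off_t size) {
    (void)size;
    unsigned char head[8] = {0};
    ssize_t n = pread(fd, head, sizeof head, 0);
    if (n < 0) return "";
    if (n >= 4 && std::memcmp(head, "\x89PNG", 4) == 0) return "image/png";
    if (n >= 3 && std::memcmp(head, "ID3", 3) == 0) return "audio/mpeg";
    if (n >= 4 && std::memcmp(head, "%PDF", 4) == 0) return "application/pdf";
    return "application/octet-stream";
}

// Result of one extraction pass.
struct ExtractResult {
    bool ok;            // false if the file was rejected before extraction
    std::string error;  // why it was rejected
    std::string label;  // what the extractor reported
};

// Open path read-only, check the descriptor (not the path) with fstat(),
// run the extractors on that descriptor, and close it exactly once.
static ExtractResult extractFile(const std::string &path,
                                 const std::vector<FdExtractor> &extractors) {
    ExtractResult r{false, "", ""};
    // O_NOFOLLOW: refuse symlinks; O_CLOEXEC: never leak the fd to children;
    // O_NOCTTY: never acquire a device as controlling terminal.
    int fd = open(path.c_str(), O_RDONLY | O_NOFOLLOW | O_CLOEXEC | O_NOCTTY);
    if (fd < 0) {
        r.error = std::string("open: ") + std::strerror(errno);
        return r;
    }
    struct stat st;
    // fstat() on the open descriptor describes exactly the object we hold,
    // so a path swap between a separate stat() and open() cannot affect us.
    if (fstat(fd, &st) != 0) {
        r.error = std::string("fstat: ") + std::strerror(errno);
        close(fd);
        return r;
    }
    if (!S_ISREG(st.st_mode)) {
        r.error = "not a regular file";
        close(fd);
        return r;
    }
    for (const FdExtractor &e : extractors) {
        std::string label = e.extract(fd, st.st_size);
        if (!label.empty()) { r.label = label; r.ok = true; break; }
    }
    close(fd);
    return r;
}

// Helper for a stand-alone run: write constructed sample bytes to a temp file.
static std::string writeTemp(const char *bytes, size_t len) {
    char tmpl[] = "/tmp/fdextract-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd < 0) return "";
    if (write(fd, bytes, len) != static_cast<ssize_t>(len)) {
        close(fd);
        unlink(tmpl);
        return "";
    }
    close(fd);
    return tmpl;
}

int main() {
    std::vector<FdExtractor> extractors = {{"magic", magicExtract}};
    // Constructed sample: a PNG signature followed by filler bytes.
    std::string png = writeTemp("\x89PNG\r\n\x1a\n....", 12);
    ExtractResult r = extractFile(png, extractors);
    std::printf("%s -> %s\n", png.c_str(), r.ok ? r.label.c_str() : r.error.c_str());
    unlink(png.c_str());
    return 0;
}
```

Because the extractor signature takes an fd rather than a path, a plugin written against it has no reason to call open() at all, which is what makes the read-only-fd whitelist workable: the only open() in the process is the one in extractFile, and devices, sockets and symlinks are rejected before any plugin code runs.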
