Add FileAccess portal
#1737
Add FileAccess portal
#1737
Conversation
|
For portal, a case is generally targeted, and UI is made such that the user understands the request. Here, what you are proposing allows apps to request any path or file without providing understanding to the user. Also, it will not help apps. If a cautious user does not understand the request, then they cannot use the useful feature. For case 1, that’s having a portal that requests access to app launchers. The access is selective (i.e. the user can choose which app launchers to give). Restrictions like not launching an app with custom command may apply. For case 2, one solution is the same as for case 1, but requires the other app to expose its launchers in .desktop files. Another solution is to have the app requesting this file (so, no static permission here), but then the locations will be presented to the user (however this solution is not the best, because the user may not know what this file is about). Another one is to request access to game libraries, and the user will have to select all of them (there is a discussion on a library portal). |
|
Correction for case 2, the "another solution": The user is selecting the file to open, then the app can request the locations. This is the fileset request (from my neighboring files proposals). However, in the UI for this, I wanted to say something like "project" file to provide a hint to users about what this portal is about. |
The Portal is pretty clear: It ask the user to access a given path. Why should this a problem to understand?
That' correct. A Portal would be better in this case. This is just an example to illustrate a use case.
Steam does not create .desktop files. Only when the user requests it. Also
There is currently no portal for this, only a discussion. This portal would make the libraries portal mostly obsolete.
Why should the user be forces to select a file for which the app already knows the exact path. |
The problem is the path. With your proposal, you are giving apps the power to ask for anything. So what happens if the app asks for access to a path that the user doesn't know what it is or what feature it serves? What will the user do? If they choose "allow" because "the app asks for it", they are giving something without knowing what it is. If they deny because they don't understand, and it turns out to be useful for the app and the user, they will not be able to take advantage of the app feature (they can change the permission, but that would be like denying anything and then changing the permission once they know what the path is for).
No. The Library Portal does not allow an app to request access to specific locations. It allows the user to select multiple locations representing a library. In my vision for this portal, it would allow an app to request access to a specific type of location (e.g., a music library). The user would have to select these as well. An exception is made for xdg user directories: the user can select a known directory directly in the interface (but the app does not request access to it). Furthermore, it is not pleasant in terms of user experience to present the user one by one each location to allow or deny access to (although this gives the user the power to not give all locations; however, we may find it reasonable to request access to all locations on the basis that these locations come from a single file that the user opened).
Again, the understanding of the request. Also, the fact that users select the file proves (somewhat) that they know what they are doing. In any case, be aware that there is no portal that is a solution for covering multiple different cases. Portals are designed based on a case or group of cases with similarities and for which we know exactly what "object" they want to access. This object is as precise as possible and is directly understood by the user. |
|
On the one hand, we should be pragmatic and add portals that applications require to function. On the other hand, the portals have been very careful to avoid confusing yes/no allow/deny dialogs thus far. Tying permissions to concrete user action (e.g. drag and drop, open file chooser) has been a core design tenant, and this has worked out very well thus far. I'm afraid I don't see any plausible path to square your proposal with our existing security model, where permission request dialogs are expected to be thoughtfully designed and not ask the user confusing questions. If we add this portal, or any similar portal, we'll just train application developers to create unlimited requests, and train users to always accept any request. So I suggest we reject this. Let's focus on your use cases instead:
If the application needs direct access to /usr/share/applications, then it's just not sandboxed. Might as well use a static permission?
That's just not ever going to work. Apps do require some changes when being packaged as a Flatpak. This is one of them. Accessing ~/.stream is unacceptable. The config file should simply move to Steam's xdg-config dir so that Steam always has permission to read it. Trying to share config between Flatpak vs. non-Flatpak Steam is a fool's errand. Then Steam can use file choosers to request the user select directories where games might be stored. Selecting the directory once is enough; that provides permission to access it forevermore. Do this once before adding the directory to the config file; if the directory is already specified and Steam doesn't have permission to access it, try opening a file chooser one level above it to give the user a chance to grant poermission. |
|
Globally:
For game saves, only the file chooser can be used, the user selecting the relevant folder. That said, this isn’t easy if they are in the hidden folders (.var/...). Logically, unless an app has a good reason to do so, its libraries shouldn’t be in their space, but in user space. |
|
I agree with @mcatanzaro. This doesn't look like a direction that we should go towards. I will close the PR in a few days if there are no objections. |
If you don't know, why a permission is needed you can always reject.
That's the same with every feature.
So it's a completely different portal.
There are multiple examples of such dialog in xdg-desktop-portal.
Why is requesting access to a path a confusing question?
What would be the alternative? Use the file chooser portal and tell the user tom select this specific path? Or tell the user to open add a static permission to the Flatpak?
That's always the problem with permissions. In the end, it's the choice of the user if they want to grant a permission or not.
Why it's not sandboxed? The purpose of a sandbox is, that Apps just have the permissions they need to work and nothing else.
As already written in the starting post, the goal here is to avoid static permissions, is the access is only needed for a specific feature. This new portal would allows to request the path only when it's needed which allows Apps to ship with less static permissions by default. I try to give a better example than Steam, as it is not really understood: This new Portal would allow Apps to read
This is also a Portal I want, but keep in mind that I just presented a example. |
|
I've already explained why and I'm tired of giving the same explanations over and over again. That said, given the way GNOME and Red Hat are acting again, this is no longer my problem. |
Currently, there are two ways for Flatpak apps to access files:
Use a
--filesystempermission in the manifest. This gives the Flatpak constant access to a path, even if it's not always needed. It also requires the developer to know the exact path when building the app.Use the
FileChooserportal. This is great if you want to give the user the ability to select a file, but you have no control over which file the user selects.This new portal adds a third option: Flatpaks can now request access to a specific path at runtime. This new portal allows sandboxed applications to request access to a specific path at runtime. The user receives a yes/no dialog. If they choose yes, the Flatpak gains access to the path through the document portal.
I have two use cases in mind for this new portal:
Apps can use this portal if they need filesystem access only for a specific feature. For example, if an app provides a feature that requires it to see all installed apps on the system, it can now request access to /usr/share/applications only when needed.
The path is not known in advance. Take, for example, an app that works with Steam games. Steam allows storing games in different locations. You need to read the file
~/.steam/steam/config/libraryfolders.vdfto get a list of all locations where Steam saves games. An app that wants to work with your Steam games could read this file (with a--filesystempermission for~/.steam/steam) and then request access to all locations.TODO: