flathub / de.bund.ausweisapp.ausweisapp2

https://flathub.org/apps/details/de.bund.ausweisapp.ausweisapp2

Increase sandbox by not giving it access to filesystem=home #31

Closed rugk closed 9 months ago

rugk commented 11 months ago

https://github.com/flathub/de.bund.ausweisapp.ausweisapp2/blob/4668eb2a3d0cd139dfe4c8e8d48b2ff621e0a408/de.bund.ausweisapp.ausweisapp2.yaml#L15

Why does it need/have access to home? One could use portals, but AFAIK this app does not even open any user files.

The thing is this makes GNOME Software label it as insecure: [image]

In any case the app works fine without these permissions.

rugk commented 11 months ago

I found https://github.com/flathub/de.bund.ausweisapp.ausweisapp2/commit/e3080cadccb82e1f40310c52008b6973d3712fa2, but well… really just for log files?

  1. The app should not store logs in home, but follow the XDG specification (see here too).
  2. Even if it did, I guess it could be limited to home/path-that-it-stores-stuff
  3. If the application or upstream does not behave like that, would a patch be an idea?

misery commented 11 months ago

The app do store logs in home. It is to EXPORT the logs via the GUI to a user destination.

rugk commented 11 months ago

Okay but if the export would use a portal it would not need this permission, would it?👀

jbruechert commented 9 months ago

It seems like exporting logs already goes through the portal on my system. Additionally it still works after overriding the home permission.

rugk commented 9 months ago

You're right actually. Confirmed this and created PR in #34.

misery commented 9 months ago

Seems newest Qt fixes it.
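
An added example, not part of any comment above and not code from this repository: a small audit that reads the `filesystems=` entries from a Flatpak keyfile, applies a per-user override on top, and reports which broad grants remain. It assumes the keyfile layout of Flatpak metadata and override files (`[Context]`, `filesystems=`, a leading `!` to revoke); the sample inputs are constructed, the merge is simplified, and the set of "broad" entries is this example's own policy.

```python
import configparser

# Entries this example treats as broad grants (its own policy, not Flatpak's).
BROAD = {"home", "host", "host-os", "host-etc"}

def filesystems(keyfile_text):
    """Return the filesystems= entries of the [Context] group."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case as written
    cp.read_string(keyfile_text)
    raw = cp.get("Context", "filesystems", fallback="")
    return [e.strip() for e in raw.split(";") if e.strip()]

def effective(app_metadata, override=""):
    """Simplified merge: override entries are applied after the app's own."""
    grants = {}
    for entry in filesystems(app_metadata) + filesystems(override):
        if entry.startswith("!"):  # "!home" revokes "home"
            grants.pop(entry[1:].split(":")[0], None)
        else:
            path, _, mode = entry.partition(":")
            grants[path] = mode or "rw"  # no suffix means read-write
    return grants

def broad_grants(grants):
    return sorted(f"{p}:{m}" for p, m in grants.items() if p in BROAD)

# Constructed sample; only filesystems=home comes from the issue above.
APP_METADATA = """\
[Application]
name=de.bund.ausweisapp.ausweisapp2

[Context]
shared=network;ipc;
sockets=x11;wayland;
filesystems=home;
"""

# Constructed sample of a per-user override that revokes home.
OVERRIDE = """\
[Context]
filesystems=!home;
"""

if __name__ == "__main__":
    print("manifest:", broad_grants(effective(APP_METADATA)))
    print("with override:", broad_grants(effective(APP_METADATA, OVERRIDE)))
```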