avoid exposing the entire home directory

[anarcat]

when i install filmulator, i get prompted for:

anarcat@angela:~(main)$ flatpak install flathub org.filmulator.Filmulator
Looking for matches…

org.filmulator.Filmulator permissions:
    fallback-x11     wayland     x11    dri    file access [1]    dbus access [2]

    [1] home, xdg-config/kdeglobals:ro
    [2] com.canonical.AppMenu.Registrar

Most of this is fine, except "file access [home]": this gives filmulator access to my entire $HOME directory, including sensitive content like private SSH keys, my .bashrc and other executable code, effectively completely breaking the sandbox. A better approach is to use a portal like:

   "--filesystem=xdg-desktop", 
   "--filesystem=xdg-documents", 
   "--filesystem=xdg-download" 

Maybe Photos could be added to that list somehow.

[hfiguiere]

Feel free to override this with flatpak override or Flatseal https://flathub.org/apps/details/com.github.tchx84.Flatseal

[CarVac]

Filmulator only needs access to ~/.local/share/filmulator/ as well as wherever the photos you want to work with are.

I'm not at all familiar with the sandboxing in flatpak. Would I need to build in some UI for requesting permission to, for example, /media for working on external drives?

[hfiguiere]

Filmulator only needs access to ~/.local/share/filmulator/

not even, this is handled by using xdg-directories, so inside the sandbox is where it is supposed to be: ~/.var/app/org.filmulator.Filmulator/config/Filmulator (tl;dr Filmulator do the right thing)

as well as wherever the photos you want to work with are.

Which is why I suggested the OP to restrict as he sees fit.

TBF I haven't tested accessing external media. With glib/gio, gvfs permissions handle that. (but this is Qt)

[anarcat]

On 2021-04-04 12:02:40, Hubert Figuière wrote:

Feel free to override this with flatpak override or Flatseal https://flathub.org/apps/details/com.github.tchx84.Flatseal

I am aware of the existence of this, but they come into play only after the software has run, and is known only to power users. I think a better option would be to have a safe behavior by default.

There's no reason why filmulator should be able to read (or let alone write to) my ~/.ssh directory.

-- Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it.

• Brian W. Kernighan

[hfiguiere]

I am aware of the existence of this, but they come into play only after the software has run,

You don't need to have ever run it to do that. Just installed. Installing does what it does. Install. It doesn't run.

[anarcat]

On 2021-04-04 13:44:55, Hubert Figuière wrote:

I am aware of the existence of this, but they come into play only after the software has run,

You don't need to have ever run it to do that. Just installed. Installing does what it does. Install. It doesn't run.

True, I stand corrected on that part. I still think there should be better defaults. I don't see why the sandbox shouldn't be restricted by default. Power users can unlock it if they need to.

-- Everyone is a terrorist. You're just not pissed enough.