Closed Eonfge closed 3 years ago
Started test build 30130
@bellegarde-c In line with Flatpak specs, I made a special Lollypop branch that has the sandbox more restrictive. I hope you can take a look at it, because at the moment there are two issues:
I have no intention of releasing this in its current state, but I do want you and others to be able to test it.
Build 30130 successful To test this build, install it from the testing repository:
flatpak install --user https://dl.flathub.org/build-repo/29016/org.gnome.Lollypop.flatpakref
flatpak install --user https://dl.flathub.org/build-repo/29016/org.gnome.Lollypop.flatpakref
Done this but looks like Lollypop is not sandboxed here.
Weird. I previously had issues opening the portal browser. Well, I'll run it through a few more tests in that case.
The primary problem right now... is that this change is not backwards compatible. Users will have to re-select their music folders (other then dxg-music) to reimport their libraries. Is this worth the hassle?
Do you foresee any issues when we tighten up the sandbox permissions?
@bilelmoussaoui do you have any comments concerning the sandboxing of Lollypop?
Started test build 30498
Build 30498 successful To test this build, install it from the testing repository:
flatpak install --user https://dl.flathub.org/build-repo/29378/org.gnome.Lollypop.flatpakref
As lollypop allows the user to select their music folder/add new ones, the change in the permissions won't work for everyone. Although the portal does support selecting folders now, it won't work for users with older version :/ So I would prefer to wait a bit before merging this.
I actually ran into that myself. My version of Lollypop had a direct link to a non-xdg location. So over time, people will have to re-configure lollypop for the paths to properly migrate? I'll test that a few times, and we might have to hold off on it for a year or so, making sure that the fallout is not to big.
Started test build 30912
Build 30912 successful To test this build, install it from the testing repository:
flatpak install --user https://dl.flathub.org/build-repo/29778/org.gnome.Lollypop.flatpakref
Started test build 30979
Build 30979 successful To test this build, install it from the testing repository:
flatpak install --user https://dl.flathub.org/build-repo/29844/org.gnome.Lollypop.flatpakref
@bilelmoussaoui I've done some testing. As of right now, it will cause issues when we deploy this update, even for users who only downloaded Lollypop yesterday.
What I've tested:
I had to re-select my music library and I had to reimport it. The current version of Lollypop and GtkFileChooserNetive, don't use a a /var/run/ mount when selecting files, if they don't have to. As such, when updating lollypop it will be unable to access the files in ~/CustomMusicFolder/
So, what's the plan? I do want to improve the security in the future
@Eonfge Can I do something from Lollypop POV ?
Nothing can be done regarding the migration as the files/directories you grant an application the permission to open/read/write are stored in the flatpak documents store and are added once you open a file using the portal (the native file dialog). The directories has to be re-added so that Lollypop has actually the permission granted to open/read those files instead of "having permissions to everything"
@Eonfge Can I do something from Lollypop POV ?
what would be nice is to migrate all file choosers to native ones as a first step
@bellegarde-c I was thinking about that. Would it be possible to add a -DFlatpak=true
flag to meson?
You can then show a message that informs users about their folders and permissions when they start Lollypop and a folder is missing. If a folder is missing, you can tell users like like "Sandboxing good. Sandboxing WIP. Please re-import".
The comment of @bilelmoussaoui is certainly true, making sure all file choosers are up-to-date is important, but I think we can't escape the realization that enforcing sandboxing does require a minor action from the user.
@bellegarde-c Would it be possible to provide some user-notification when they start the Flatpak version first?
If you could include such a message, I can combine it with this change. Then, when users update Lollypop to a more sandboxed version, they'll be informed about the change. The flag and notification could be temporary, because as time progresses all people will migrate. After a few months, we could remove it.
Started test build 32608
Build 32608 successful To test this build, install it from the testing repository:
flatpak install --user https://dl.flathub.org/build-repo/31417/org.gnome.Lollypop.flatpakref
Started test build 32676
Build 32676 successful To test this build, install it from the testing repository:
flatpak install --user https://dl.flathub.org/build-repo/31475/org.gnome.Lollypop.flatpakref
Started test build 32822
Build 32822 successful To test this build, install it from the testing repository:
flatpak install --user https://dl.flathub.org/build-repo/31620/org.gnome.Lollypop.flatpakref
Started test build 33272
Build 33272 successful To test this build, install it from the testing repository:
flatpak install --user https://dl.flathub.org/build-repo/32046/org.gnome.Lollypop.flatpakref
Started test build 33889
Build 33889 successful To test this build, install it from the testing repository:
flatpak install --user https://dl.flathub.org/build-repo/32647/org.gnome.Lollypop.flatpakref
Started test build 34699
Build 34699 successful To test this build, install it from the testing repository:
flatpak install --user https://dl.flathub.org/build-repo/33410/org.gnome.Lollypop.flatpakref
@bellegarde-c Would such a one-time notice be possible? There is not really a way to migrate users, but I do want to remove the host-access from this Flatpak.
It should only show on startup when the project is build with '-DFlatpak=true' and it should be a one-time thing. After a few months, we can remove it again since then all users would have migrated. In the backend, we can use a simple g-schema bool to check if the user has ever clicked on continue, which would prevent it from showing ever again.
Started test build 35009
Build 35009 successful To test this build, install it from the testing repository:
flatpak install --user https://dl.flathub.org/build-repo/33708/org.gnome.Lollypop.flatpakref
Here we go: https://gitlab.gnome.org/World/lollypop/-/commit/d7bc69b67ffb045bde51dd3c57163113fcd23001
Don't want technical information. Sandboxing is not a user word :-)
It's a one time migration, so we need to test this before releasing on flathub ;)
To test again, in dconf-editor:
Started test build 35309
Build 35309 successful To test this build, install it from the testing repository:
flatpak install --user https://dl.flathub.org/build-repo/33982/org.gnome.Lollypop.flatpakref
Don't want technical information. Sandboxing is not a user word :-)
And that's why you make a kickass music player, and I bother packaging it :innocent:
I'll be doing some testing using this version and if all goes according to plan, then I'll change the sandboxing settings with the next release.
Well, first tests positive, works both with my existing player and in a VM.
Do have a few nit-picks though:
Unrelated:
The dialogue is not necessary for users who install Lollypop fresh
Does it mean that XDG music dir is available by default ?
The dialogue is not necessary for users who install Lollypop fresh
Does it mean that XDG music dir is available by default ?
That seems completely reasonable for a music player, so I've enabled it by default. Lollypop can also access GVFS in case that people host their music on a network.
Do you think there is a simple way to test wizard is needed ?
Do you think there is a simple way to test wizard is needed ?
Not sure... @bilelmoussaoui Do you know if it's possible to detect a dxg-music folder from the inside?
There is of cause a simple workaround: Only show the message if there is already music imported.
@bilelmoussaoui What I want is detecting configured folders in Lollypop with access denied by sandbox.
- The pop-up about 'Automatically download metadata?' doesn't actually enable network access, thus being non-functional
This one is working here. Do you mean that lollypop is not downloading artwork or that the setting is not updated ?
@bilelmoussaoui What I want is detecting configured folders in Lollypop with access denied by sandbox.
You can query the documents portal and see which permissions your app has for a specific folder/file
- The pop-up about 'Automatically download metadata?' doesn't actually enable network access, thus being non-functional
This one is working here. Do you mean that lollypop is not downloading artwork or that the setting is not updated ?
It would be the setting then. This is what I see after I click agree:
It modifies the background data, it's another issue :D
Updated Lollypop to handle migration only if needed.
Not functional at the moment, requires some upstream attention