haecker-felix / Gradio

GNU General Public License v3.0

Is full filesystem access really necessary to Gradio? #360

Closed Mikaela closed 5 years ago

Mikaela commented 5 years ago

I installed Gradio from Flathub thinking that it might be more suitable for my needs than VLC (which it is) and was surprised by sandboxing allowing file access to host.

file access: host, xdg-run/dconf, ~/.config/dconf:ro

Expected Behavior

Gradio had access only to files and directories that it actually needs.

Current Behavior

https://github.com/haecker-felix/Gradio/blob/9ab2f33a3c3fbc0e7682d733759c8272f08d754f/de.haeckerfelix.gradio.json#L17 allows very wide access to the filesystem

--filesystem=host - access normal files on the host, not including host os or system internals described below

As a general rule, Filesystem access should be limited as much as possible.

From Flatpak sandbox permissions

Steps to Reproduce

  1. flatpak install flathub de.haeckerfelix.gradio
  2. flatpak shows permissions including file access to host

Detailed Description

As I understood that Gradio is just for searching and listening to online radios, I propose removing the --filesystem=host line (https://github.com/haecker-felix/Gradio/blob/9ab2f33a3c3fbc0e7682d733759c8272f08d754f/de.haeckerfelix.gradio.json#L17).
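
Added example, not part of the original issue or the Gradio project's code: a small audit of a Flatpak manifest's `finish-args` that lists every `--filesystem=` grant and flags the broad ones, such as the `host` grant reported above. The manifest fragment is constructed; only the app ID and the three filesystem entries come from the issue, and the function names are hypothetical.

```python
import json

# Filesystem values that expose large parts of the host, as named in
# Flatpak's sandbox-permissions documentation.
BROAD = {"host", "host-os", "host-etc", "home"}

# Constructed manifest fragment. The app ID and the three filesystem
# entries are taken from the issue; the other finish-args are illustrative.
SAMPLE_MANIFEST = """
{
  "app-id": "de.haeckerfelix.gradio",
  "finish-args": [
    "--share=network",
    "--socket=pulseaudio",
    "--filesystem=host",
    "--filesystem=xdg-run/dconf",
    "--filesystem=~/.config/dconf:ro"
  ]
}
"""

def filesystem_grants(manifest_text):
    """Return (path, mode) for every --filesystem= entry in finish-args."""
    manifest = json.loads(manifest_text)
    grants = []
    for arg in manifest.get("finish-args", []):
        if not arg.startswith("--filesystem="):
            continue
        value = arg.split("=", 1)[1]
        path, sep, mode = value.rpartition(":")
        if not sep or mode not in ("ro", "rw", "create"):
            path, mode = value, "rw"  # no suffix means read-write
        grants.append((path, mode))
    return grants

def broad_grants(manifest_text):
    """Return the grants that open up the host or the whole home directory."""
    return [(p, m) for p, m in filesystem_grants(manifest_text) if p in BROAD]

if __name__ == "__main__":
    broad = broad_grants(SAMPLE_MANIFEST)
    for grant in filesystem_grants(SAMPLE_MANIFEST):
        flag = "BROAD" if grant in broad else "ok"
        print(f"{flag:5} {grant[0]} ({grant[1]})")
```
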

haecker-felix commented 5 years ago

Duplicate of https://github.com/flathub/de.haeckerfelix.gradio/issues/8

Mikaela commented 5 years ago

Thanks, I didn't think of reading flathub as the file was here :)

That is also funny timing, that I would happen to encounter it not that many hours afterwards.