Closed sp1ritCS closed 3 years ago
It's a great idea, I'll research that!
It seems that gnome-network-displays adds a new firewalld zone automatically:
https://gitlab.gnome.org/GNOME/gnome-network-displays/-/issues/134 https://gitlab.gnome.org/GNOME/gnome-network-displays/-/commit/c2a81a501ec1eb231c05dd47416fe935d6573c13
But they are changing to that new zone at runtime if it isn't enabled. https://gitlab.gnome.org/GNOME/gnome-network-displays/-/commit/fed0e1311e89f229cc683abb5c3f9a996fbeb0a3
Yeah, I see what they are doing there. They indeed expect the zone to be there and, in case it is not, they create it. It seems that they operate on a fixed port.
The interface they use to communicate with firewalld is D-Bus. We could do the same, since there are pretty good D-Bus bindings for Rust, however there is a gotcha here:
G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION
flag. We should be smart here and prompt the user only if this is absolutely necessary, that is, when there are rules that would block libp2p or mdns traffic. Having said that, I'll run some tests with my local firewalld and see if there are any potential problems.
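The D-Bus exchange that comment describes, as an added example that is not part of the thread and not dragit's or gnome-network-displays' code: it drives firewalld's runtime configuration through `busctl`, queries first with interactive authorization disabled (so no polkit dialog for the read-only `.info` action), and only asks for interactive authorization on the `addService`/`addPort` calls that are actually needed. The bus name, object path, `org.fedoraproject.FirewallD1.zone` methods and the `mdns` service name are firewalld's documented D-Bus API; the port 7000 is a placeholder assumption, not dragit's real port, and an empty zone string means firewalld's default zone.

```shell
#!/bin/sh
# Added example (not dragit's code): open the runtime firewalld rules dragit would need,
# asking polkit for interactive authorization only when a rule is really missing.
# Only the runtime config is touched (zone interface), as the thread discusses.

FWD_BUS=org.fedoraproject.FirewallD1
FWD_PATH=/org/fedoraproject/FirewallD1
FWD_ZONE_IF=org.fedoraproject.FirewallD1.zone
DRAGIT_PORT="${DRAGIT_PORT:-7000}"   # assumption: placeholder, not dragit's real port
DRAGIT_PROTO=tcp

# Map busctl's boolean reply text to a shell status: 0 = true, 1 = false, 2 = unknown.
dbus_bool() {
    case "$1" in
        "b true")  return 0 ;;
        "b false") return 1 ;;
        *)         return 2 ;;
    esac
}

# Read-only query (queryService / queryPort). These need only firewalld's
# org.fedoraproject.FirewallD1.info polkit action, so interactive auth is switched off:
# a query must never pop up a password dialog.
# $1 = method, remaining args = string arguments; the signature is one 's' per argument.
fwd_query() {
    method=$1; shift
    busctl --allow-interactive-authorization=false call \
        "$FWD_BUS" "$FWD_PATH" "$FWD_ZONE_IF" "$method" "$(printf 's%.0s' "$@")" "$@"
}

# Modifying call (addService / addPort). These need the .config action and may legitimately
# prompt, which is the G_DBUS_CALL_FLAGS_ALLOW_INTERACTIVE_AUTHORIZATION case in the thread.
# $1 = method, $2 = D-Bus signature, remaining args = arguments.
fwd_modify() {
    method=$1; sig=$2; shift 2
    busctl --allow-interactive-authorization=true call \
        "$FWD_BUS" "$FWD_PATH" "$FWD_ZONE_IF" "$method" "$sig" "$@"
}

# Pure decision step, testable without firewalld: given the queryService reply for mdns
# and the queryPort reply for the dragit port, print the rules that are missing
# ("mdns", "port", "mdns port" or nothing). An unrecognised reply counts as missing,
# so a confused state errs on the side of asking rather than silently not working.
missing_rules() {
    out=""
    dbus_bool "$1" || out="mdns"
    dbus_bool "$2" || out="${out:+$out }port"
    printf '%s' "$out"
}

open_dragit_firewall() {
    zone=""   # "" = firewalld's default zone for the zone interface
    if ! busctl status "$FWD_BUS" >/dev/null 2>&1; then
        echo "firewalld is not on the system bus; nothing to do" >&2
        return 0
    fi
    svc_reply=$(fwd_query queryService "$zone" mdns)
    port_reply=$(fwd_query queryPort "$zone" "$DRAGIT_PORT" "$DRAGIT_PROTO")
    for rule in $(missing_rules "$svc_reply" "$port_reply"); do
        case $rule in
            # addService(s zone, s service, i timeout); timeout 0 = until reload/reboot
            mdns) fwd_modify addService ssi "$zone" mdns 0 ;;
            # addPort(s zone, s port, s protocol, i timeout)
            port) fwd_modify addPort sssi "$zone" "$DRAGIT_PORT" "$DRAGIT_PROTO" 0 ;;
        esac
    done
}

# Only act when invoked explicitly, so the file can be sourced for its functions.
if [ "${1:-}" = "--apply" ]; then
    open_dragit_firewall
fi
```

Run it as `sh open-firewall.sh --apply` on a host with firewalld; with both rules already present it makes no modifying call at all, so the user sees no polkit prompt, which is the behaviour the comment asks for.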
there are pretty good D-Bus bindings for Rust
if you're talking about zbus, absolutely. dbus-rs not so much :D
We should clearly explain why Dragit demands those privileges and what it will do to the user's computer.
well, if I remember correctly, gnome-network-displays shows a similar polkit authentication dialog as firewall-config itself: I think it should be fairly obvious with that message that dragit needs to modify the firewall zone.
In the context of a Flatpak application, maybe it's not an issue, but using D-Bus to change settings of the host system is yet another hole in the sandbox. Docs don't say it's bad, but you know.
well, I guess it's better than not working at all ¯\_(ツ)_/¯
@sp1ritCS I'm not quite done with the code yet, but it would be great if you could take a look at this PR and particularly the firewall module. I implemented adding the mdns service and fixed Dragit port in case it's not available in the runtime config.
Closing the issue. The next release (including Flatpak) will contain the change!
Potential follow-up idea in issue #32, in case @sp1ritCS is interested.
Is it possible for dragit to automatically punch holes into firewalld if it has to listen on a specific port?
I know that gnome-network-displays is doing something like this; it might be a good idea to look at them and how they do it.