Change filesystem access to xdg-music only #108
Started test build 30130
@bellegarde-c In line with Flatpak specs, I made a special Lollypop branch that has the sandbox more restrictive. I hope you can take a look at it, because at the moment there are two issues:
I have no intention of releasing this in its current state, but I do want you and others to be able to test it.
Build 30130 successful
flatpak install --user https://dl.flathub.org/build-repo/29016/org.gnome.Lollypop.flatpakref
Done this but looks like Lollypop is not sandboxed here.
Weird. I previously had issues opening the portal browser. Well, I'll run it through a few more tests in that case. The primary problem right now... is that this change is not backwards compatible. Users will have to re-select their music folders (other than xdg-music) to reimport their libraries. Is this worth the hassle? Do you foresee any issues when we tighten up the sandbox permissions? @bilelmoussaoui do you have any comments concerning the sandboxing of Lollypop?
Started test build 30498
Build 30498 successful
As lollypop allows the user to select their music folder/add new ones, the change in the permissions won't work for everyone. Although the portal does support selecting folders now, it won't work for users with an older version :/ So I would prefer to wait a bit before merging this.
I actually ran into that myself. My version of Lollypop had a direct link to a non-xdg location. So over time, people will have to re-configure lollypop for the paths to properly migrate? I'll test that a few times, and we might have to hold off on it for a year or so, making sure that the fallout is not too big.
Started test build 30912
Build 30912 successful
Started test build 30979
Build 30979 successful
@bilelmoussaoui I've done some testing. As of right now, it will cause issues when we deploy this update, even for users who only downloaded Lollypop yesterday. What I've tested:
I had to re-select my music library and I had to reimport it. The current version of Lollypop and GtkFileChooserNative don't use a /var/run/ mount when selecting files, if they don't have to. As such, when updating lollypop it will be unable to access the files in ~/CustomMusicFolder/. So, what's the plan? I do want to improve the security in the future
@Eonfge Can I do something from Lollypop POV?
Nothing can be done regarding the migration as the files/directories you grant an application the permission to open/read/write are stored in the flatpak documents store and are added once you open a file using the portal (the native file dialog). The directories have to be re-added so that Lollypop actually has the permission granted to open/read those files instead of "having permissions to everything"
What would be nice is to migrate all file choosers to native ones as a first step
@bellegarde-c I was thinking about that. Would it be possible to add a You can then show a message that informs users about their folders and permissions when they start Lollypop and a folder is missing. If a folder is missing, you can tell users like "Sandboxing good. Sandboxing WIP. Please re-import". The comment of @bilelmoussaoui is certainly true, making sure all file choosers are up-to-date is important, but I think we can't escape the realization that enforcing sandboxing does require a minor action from the user.
@bellegarde-c Would it be possible to provide some user-notification when they start the Flatpak version first? If you could include such a message, I can combine it with this change. Then, when users update Lollypop to a more sandboxed version, they'll be informed about the change. The flag and notification could be temporary, because as time progresses all people will migrate. After a few months, we could remove it.
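The start-up check proposed in the two comments above, written out as an added example (this is not Lollypop's or Flathub's code). It assumes the documents portal exposes portal-granted files under `$XDG_RUNTIME_DIR/doc` (the `/var/run/` mount mentioned earlier) and that a configured folder which is unreadable and outside both xdg-music and that mount was cut off by the narrower sandbox; the function and class names are made up for the example.

```python
import os
from dataclasses import dataclass, field

FLATPAK_INFO = "/.flatpak-info"   # present inside every Flatpak sandbox


def in_flatpak() -> bool:
    """Only the Flatpak build needs the migration check."""
    return os.path.exists(FLATPAK_INFO)


def documents_mount() -> str:
    """Mount where the documents portal exposes files picked through the portal file chooser."""
    runtime = os.environ.get("XDG_RUNTIME_DIR", f"/run/user/{os.getuid()}")
    return os.path.join(runtime, "doc")


def _is_under(path: str, parent: str) -> bool:
    path, parent = os.path.abspath(path), os.path.abspath(parent)
    return os.path.commonpath([path, parent]) == parent


@dataclass
class FolderCheck:
    usable: list = field(default_factory=list)          # readable right now
    missing: list = field(default_factory=list)         # permitted area, but the folder itself is gone
    needs_reselect: list = field(default_factory=list)  # cut off by the narrower sandbox


def classify_folders(folders, music_dir, doc_mount) -> FolderCheck:
    """Sort the configured music folders by how the xdg-music-only sandbox affects them."""
    result = FolderCheck()
    for folder in folders:
        if os.path.isdir(folder) and os.access(folder, os.R_OK | os.X_OK):
            result.usable.append(folder)
        elif _is_under(folder, music_dir) or _is_under(folder, doc_mount):
            # xdg-music and portal-granted paths stay reachable, so the folder was really removed
            result.missing.append(folder)
        else:
            # a host path the old, broader permission allowed: unreachable until re-picked via the portal
            result.needs_reselect.append(folder)
    return result


def migration_message(check: FolderCheck):
    """Text for the start-up notification, or None when no re-import is needed."""
    if not check.needs_reselect:
        return None
    names = ", ".join(os.path.basename(p.rstrip("/")) or p for p in check.needs_reselect)
    return f"Sandboxing is now stricter; please re-select and re-import: {names}"
```

At start-up the app would run `classify_folders(configured, xdg_music, documents_mount())` only when `in_flatpak()` is true and show the message once, so the check disappears by itself once every folder has been re-selected.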
Started test build 32608
Build 32608 successful
Started test build 32676
Build 32676 successful
You can query the documents portal and see which permissions your app has for a specific folder/file
It modifies the background data, it's another issue :D
Updated Lollypop to handle migration only if needed. |
Started test build 35501
Build 35501 successful
I've successfully tested the following scenarios:
Bugs
In summary, I think we have this fully working 😄 I would invite others to try it, but I haven't found any issues.
UI bug was a Lollypop bug, fixed ;)
Started test build 35514
Build 35514 successful
Well, all seems well. Let me know when there is a new Lollypop release and I'll release it with the improved sandboxing.
Not functional at the moment, requires some upstream attention
Started test build 35572
Build 35572 failed
Started test build 35573
Started test build 35574
Build 35573 successful
Build 35574 successful
Time to merge this, 1.4.8 is out.
Closing this branch in favour of #122 so we don't have a whole series of surplus comments on Git