Change filesystem access to xdg-music only #108
Conversation
|
Started test build 30130 |
|
@bellegarde-c In line with Flatpak specs, I made a special Lollypop branch that has the sandbox more restrictive. I hope you can take a look at it, because at the moment there are two issues:
I have no intention of releasing this in its current state, but I do want you and others to be able to test it. |
|
Build 30130 successful |
|
flatpak install --user https://dl.flathub.org/build-repo/29016/org.gnome.Lollypop.flatpakref Done this but looks like Lollypop is not sandboxed here. |
|
|
|
Weird. I previously had issues opening the portal browser. Well, I'll run it through a few more tests in that case. The primary problem right now... is that this change is not backwards compatible. Users will have to re-select their music folders (other then dxg-music) to reimport their libraries. Is this worth the hassle? Do you foresee any issues when we tighten up the sandbox permissions? @bilelmoussaoui do you have any comments concerning the sandboxing of Lollypop? |
|
Started test build 30498 |
|
Build 30498 successful |
|
As lollypop allows the user to select their music folder/add new ones, the change in the permissions won't work for everyone. Although the portal does support selecting folders now, it won't work for users with older version :/ So I would prefer to wait a bit before merging this. |
|
I actually ran into that myself. My version of Lollypop had a direct link to a non-xdg location. So over time, people will have to re-configure lollypop for the paths to properly migrate? I'll test that a few times, and we might have to hold off on it for a year or so, making sure that the fallout is not to big. |
|
Started test build 30912 |
|
Build 30912 successful |
|
Started test build 30979 |
|
Build 30979 successful |
|
@bilelmoussaoui I've done some testing. As of right now, it will cause issues when we deploy this update, even for users who only downloaded Lollypop yesterday. What I've tested:
I had to re-select my music library and I had to reimport it. The current version of Lollypop and GtkFileChooserNetive, don't use a a /var/run/ mount when selecting files, if they don't have to. As such, when updating lollypop it will be unable to access the files in ~/CustomMusicFolder/ So, what's the plan? I do want to improve the security in the future |
|
@Eonfge Can I do something from Lollypop POV ? |
|
Nothing can be done regarding the migration as the files/directories you grant an application the permission to open/read/write are stored in the flatpak documents store and are added once you open a file using the portal (the native file dialog). The directories has to be re-added so that Lollypop has actually the permission granted to open/read those files instead of "having permissions to everything" |
what would be nice is to migrate all file choosers to native ones as a first step |
|
@bellegarde-c I was thinking about that. Would it be possible to add a You can then show a message that informs users about their folders and permissions when they start Lollypop and a folder is missing. If a folder is missing, you can tell users like like "Sandboxing good. Sandboxing WIP. Please re-import". The comment of @bilelmoussaoui is certainly true, making sure all file choosers are up-to-date is important, but I think we can't escape the realization that enforcing sandboxing does require a minor action from the user. |
|
@bellegarde-c Would it be possible to provide some user-notification when they start the Flatpak version first? If you could include such a message, I can combine it with this change. Then, when users update Lollypop to a more sandboxed version, they'll be informed about the change. The flag and notification could be temporary, because as time progresses all people will migrate. After a few months, we could remove it. |
|
Started test build 32608 |
|
Build 32608 successful |
|
Started test build 32676 |
|
Build 32676 successful |
You can query the documents portal and see which permissions your app has for a specific folder/file |
It would be the setting then. This is what I see after I click agree: |
|
It modifies the background data, it's another issue :D |
|
Updated Lollypop to handle migration only if needed. |
|
Started test build 35501 |
|
Build 35501 successful |
|
I've successfully tested the following scenarios:
Bugs
In summaryI think we have this fully working 😄 I would invite others to try it, but I haven't found any issues. |
|
UI bug was a Lollypop bug, fixed ;) |
|
Started test build 35514 |
|
Build 35514 successful |
|
Well, all seems well. Let me know when there is a new Lollypop release and I'll release it with the improved sandboxing. |
Not functional at the moment, requires some upstream attention
|
Started test build 35572 |
|
Build 35572 failed |
|
Started test build 35573 |
|
Started test build 35574 |
|
Build 35573 successful |
|
Build 35574 successful |
|
Time to merge this, 1.4.8 is out. |
|
Closing this branch in favour of #122 so we don't have a whole series of surplus comments on Git |
Not functional at the moment, requires some upstream attention