Access to system directories


I’ve started developing an app for the Pinephone; my app would be deployed with a flatpak.
My application needs access to system directories to read the device camera.
Doing some testing I’ve discovered that a native Pinephone application called megapixels doesn’t launch if I package it into a flatpak. The error is related to not being able to read a system directory /sys/firmware/devicetree/base
In order to diagnose the problem I’ve run a python terminal inside the container and I’ve verified that neither /sys/firmware nor /dev/video* are visible from within the container:

mobian@mobian:~$ /usr/bin/flatpak run --branch=master --arch=aarch64 --command=python3 com.lagrange.myapp
Python 3.11.4 (main, Jul 13 2023, 12:52:58) [GCC 12.2.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import os
>>> os.listdir('/sys')
['devices', 'dev', 'class', 'bus', 'block']
>>> os.listdir('/dev')
['console', 'ptmx', 'pts', 'shm', 'core', 'fd', 'stderr', 'stdout', 'stdin', 'tty', 'urandom', 'random', 'full', 'zero', 'null']
>>> exit()

They are there, just not visible from the container:

mobian@mobian:~$ ls /dev/video*
/dev/video0  /dev/video1  /dev/video2  /dev/video3
mobian@mobian:~$ ls /sys
block  bus  class  dev  devices  firmware  fs  kernel  module  power

Even though I’ve built the flatpak with "finish-args": ["--filesystem=host", "--filesystem=host-os"].

What am I missing?
Any help will be much appreciated.

I don’t think you should go via the file system. I’m not even sure if that’s supposed to work.

You should be using the camera portal, documented here: Portal Documentation

There might be a convenience wrapper, depending on the language your app is in. For rust, for example, there is GitHub - bilelmoussaoui/ashpd: A Rust wrapper around XDG portals DBus interfaces

Surely that’s what one SHOULD do to follow the good practices. But I am just hacking around.
Also, it would be faster for the time being to override all the default flatpak protection of access to filesystem than change the code in Megapixels app to use the camera portal.

Furthermore, the camera in the Pinephone is a very complicated beast. I am not sure that the camera portal API would be able to handle it.

So in order to use the portal the device would need to be supported by libcamera, which is then used by Pipewire as camera backend. This is the case for the Pinephone Pro but not the OG Pinephone (even though there are some patches to make at least one of the cameras work).

Megapixels in turn uses device specific kernel APIs directly, AFAIK even from non-upstream kernel drivers, and supports features for which we don’t have system APIs yet (like flashlight, which will take a while to plumb through libcamera and PW).

In other words: the main point of Megapixels is to manage things directly, on a per-device basis.

This arguably makes shipping it on flathub a bit moot: the distros of the supported devices most likely have it already - and they have the advantage of knowing the kernel in use. Yes, kernel upgrades often break Megapixels.

Coming back to the original question: you can get access to /dev/video* by adding --device=all.

I don’t think there’s a way to add /sys/firmware and also assume that any app needing that is likely so device specific that it makes little sense to distribute it independently.

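A diagnostic that can be run with --command=python3 as in the original post, added here as an example and not code from any poster or from the Flatpak project: it compares the permissions recorded in the sandbox's /.flatpak-info file with the paths the app can actually see. The SAMPLE_INFO contents and the function names are constructed for illustration.

```python
import configparser
import glob

# Paths the app in the thread needs to see inside the sandbox.
NEEDED = ["/dev/video*", "/sys/firmware/devicetree/base"]

# Constructed sample of /.flatpak-info for the build described in the thread.
SAMPLE_INFO = """[Application]
name=com.lagrange.myapp

[Context]
filesystems=host;host-os;
"""

def granted(info_text):
    """Parse the [Context] group of /.flatpak-info into {key: [values]}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keep key case as written
    cp.read_string(info_text)
    if not cp.has_section("Context"):
        return {}
    return {k: [v for v in val.split(";") if v] for k, val in cp["Context"].items()}

def audit(info_text, lister=glob.glob):
    """Return (pattern, visible_paths, note) for each needed path."""
    ctx = granted(info_text)
    report = []
    for pattern in NEEDED:
        hits = sorted(lister(pattern))
        if hits:
            note = "visible"
        elif not pattern.startswith("/dev/"):
            note = "hidden: not exposed by filesystems=" + ";".join(ctx.get("filesystems", []))
        elif "all" in ctx.get("devices", []):
            note = "hidden although devices=all is granted; check the host"
        else:
            note = "hidden: no devices=all in [Context]; rebuild with --device=all"
        report.append((pattern, hits, note))
    return report

if __name__ == "__main__":
    try:
        with open("/.flatpak-info") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_INFO  # not running inside a Flatpak sandbox
    for pattern, hits, note in audit(text):
        print(f"{pattern}: {hits or '-'} ({note})")
```

Running it before and after adding --device=all to finish-args shows whether the device grant reached the sandbox, and keeps the granted set visible so it can be trimmed back once the app works.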