When I performed an flatpak update the Brave browser version 1.78.94 i get permission request, one of the permissions is for Bluetooth which Brave does not require. Can anyone explain these permissions on my Debian system ?
New com.brave.Browser permissions:
bluetooth file access [1] dbus access [2] system dbus access [3]
[1] /tmp
[2] com.canonical.AppMenu.Registrar
[3] org.bluez
In general, it would be best to ask the Brave developers about this.
But here are a few guesses as to why:
The org.bluez permission for Bluetooth is most likely there to support the Web Bluetooth API, allowing web apps to communicate with Bluetooth devices.
com.canonical.AppMenu.Registrar is an legacy protocol for, I think, either system tray or global menu.
Now, as for /tmp: if I recall correctly, without an sandbox hole you cant transfer images to om.canonical.AppMenu.Registrar, so you couldn’t show an icon in the system tray. So, the /tmp permission is used to have a folder over which to share the icon file from app to host.
In short:
These permissions are required for some circumstances, but I wouldn’t call them completely necessary.
I am asking this forum because I have never seen permissions for updating an application furthermoore I do not see an option to deny a specific permission.
No browser needs permission to bluetooth.
If the permissions of an application change, Flatpak will inform you about the changes.
Denying them is not possible though. However, you can, after updating, remove the permissions using flatpak override.
Thanks for asking the question. It is important to keep an eye on this. Whenever I install an Android app on my phone I see a list of a dozen permissions all of which seem unnecessary, I shut my eyes and click ‘OK’ because I don’t feel I have any choice. Flatpaks mustn’t go the same way.