I have a problem with gPodder that’s probably easy to solve.
I have gPodder 3.11.5 running on flatpak-1.16.0 and openSUSE 15.6.
Unfortunately, I’m not familiar with the permissions system in Flatpak, where gPodder runs.
gPodder can’t find any media players. I’ve tried Audacious and VLC, which are located in /usr/bin.
Error output: “Cannot find /usr/bin/audacious. File not found”
I ran “flatpak run --command=sh org.gpodder.gpodder”.
When I then run “ls /usr/bin” in the flatpak terminal, many programs are listed, but vlc and audacious are indeed not.
Flatpak knows /usr/bin/xdg-open, so I can use it as the player for gPodder. xdg-open opens the URL with the web browser, but I want a playlist like VLC or Audacious.
That’s because what GPodder sees as a filesystem is limited by the sandbox. It can, by default, only see the files of the runtime under /usr, and its own files under /app. Anything else is restricted, unless additional permissions are granted.
So the /usr/bin the Flatpak sees is not the one of your system, but that of the runtime.
Now, the normal expectation would be that apps would use the OpenURI portal. This is what xdg-open uses in a Flatpak: it asks the system to determine what handles the file from the app. The portal has an ask option. With this, the system would then provide a dialog to choose the app.
So, the best course of action would be that the app uses this portal.
If this is not an option, you could grant the app the permission to the org.freedesktop.Flatpak DBus. With this enabled, you could use the command flatpak-spawn --host to launch a command from the sandbox into the host system. That being said, this would be a massive weakening of the sandbox, as this would allow the app to run anything on your host system.
The problem is that http://server/file.mp3 is opened by the web browser. How can I change the program for x-scheme-handler/http only for gPodder or for Flatpak? I don’t want to change this setting for my whole system.
I run “flatpak run --command=sh org.gpodder.gpodder”
When I then run “ls /usr/bin” in the flatpak terminal, many programs installed on my system are listed, but vlc and audacious are not. Which programs are visible for gPodder and which are not? Where is the config file for that? Is there a config command or GUI?
Obviously, xdg-open is not the only portal to the programs installed on the system. Or do I understand something wrong?
Like I mentioned previously, inside the sandbox you will only see what the runtime provides. This is more or less completely separate from your system. So GPodder can only see the programs of the runtime, unless you use flatpak-spawn to escape the sandbox.
There is no configuration for this, that’s the basic design of Flatpak.
xdg-open is not itself a portal; it uses the portal. The portals themselves are often provided by your system in an xdg-desktop-portal-* package, with a base package and an additional desktop package which provides the desktop integration.
To clarify: The portals are software on the system, which the programs in the Flatpak like xdg-open call over a secure channel. The portal itself then acts on the system and provides apps with access to certain resources they normally can’t reach.
So, to summarize:
Inside of the Flatpak, GPodder can only see its own files and programs and those of the runtime, not your system. Because of that, it can’t execute a program on your host system, as it isn’t aware of it. This is by design, as Flatpak is designed to separate apps and host from each other.
By using xdg-open in the sandbox, the app asks the system to open a resource on the system. On the system, the portal takes the request and handles it, in this case by opening the resource according to its mime type. xdg-open can open other apps, because it sends a request to the system, which has access to the host filesystem.
If you need to run something on the host from the sandbox, you need to escape the sandbox, like with using flatpak-spawn --host, which would require the talk permission to org.freedesktop.Flatpak. Otherwise, anything an app in a Flatpak can do is limited to what’s been in the runtime and what it itself provides.
I thought the programs Flatpak sees in /usr/bin were my system programs. There are quite a few of them, and I didn’t even notice when Flatpak installed them all.
flatpak-spawn --host would be a massive weakening of the sandbox, as you said. So I want to avoid this.
In the KDE settings, there’s a module called “Flatpak Permissions.” With it, I can grant the three programs I installed via Flatpak permissions to various system functions and file system paths. I can manually grant gPodder permission to read /usr/bin/audacious, but unfortunately, this has no effect. There’s no permission to execute /usr/bin/audacious.
I’ve now cobbled together a working solution.
I granted gPodder Flatpak permission to read /home/id1402/.local/bin/gpod_audacious and /tmp/Downloads/gpodder/gpodder.m3u. That works. gpod_audacious is a small Bash script that I wrote myself. I set this script as the audio player in gPod’s settings: /home/id1402/.local/bin/gpod_audacious %f
gPodder passes the mp3 URL to this Bash script. The script creates an m3u playlist file with the URL and opens the m3u file using xdg-open. The MP3 URL is then added to Audacious, as Audacious is the program for m3u files in the mime type system.
Just granting the permission to the binary wouldn’t be a good solution anyway. In this case, the binary would be run inside the Flatpak sandbox, and would then miss important libraries, data files, etc.
I think the script you’ve made is a good solution. It makes it a proper mime type the system can handle and you don’t break a lot of holes into the sandbox.
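As an added example (not part of the original thread, and not gPodder or Flatpak code): a shell function that reads permission text in the keyfile format printed by `flatpak info --show-permissions` and flags the org.freedesktop.Flatpak talk grant discussed above, along with broad filesystem grants. The function name and both sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit Flatpak permission text (keyfile format, as printed by
# `flatpak info --show-permissions APP`) for grants that defeat the sandbox.

# Reads keyfile text on stdin and prints one finding per line.
# Exit status: 0 = nothing risky found, 1 = at least one finding.
audit_flatpak_permissions() {
    awk -F= '
        /^\[.*\]$/ { section = $0; next }      # remember the current [Section]
        # Talking to this bus name lets flatpak-spawn --host run host commands.
        section == "[Session Bus Policy]" && $1 == "org.freedesktop.Flatpak" &&
            ($2 == "talk" || $2 == "own") {
            print "ESCAPE: session bus " $2 " on org.freedesktop.Flatpak"
            found = 1
        }
        section == "[Context]" && $1 == "filesystems" {
            n = split($2, entries, ";")
            for (i = 1; i <= n; i++) {
                e = entries[i]
                if (e == "" || e ~ /^!/) continue   # empty or negated entry
                base = e
                sub(/:.*/, "", base)                # drop :ro / :rw / :create
                if (base == "host" || base == "host-os" ||
                    base == "host-etc" || base == "home") {
                    print "BROAD: filesystem grant " e
                    found = 1
                }
            }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample: only the two narrow path grants described in the thread.
NARROW_SAMPLE='[Context]
filesystems=/home/id1402/.local/bin/gpod_audacious:ro;/tmp/Downloads/gpodder/gpodder.m3u;
[Session Bus Policy]
org.freedesktop.Notifications=talk'

# Constructed sample: the same app after granting the host-spawn permission.
ESCAPE_SAMPLE='[Context]
filesystems=home;xdg-download;
[Session Bus Policy]
org.freedesktop.Flatpak=talk'

for sample in "$NARROW_SAMPLE" "$ESCAPE_SAMPLE"; do
    if printf '%s\n' "$sample" | audit_flatpak_permissions; then echo "OK: no sandbox-breaking grants"; fi
done
```

On a real system the input would come from `flatpak info --show-permissions org.gpodder.gpodder | audit_flatpak_permissions`.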
The first Bash script above can only process 1 element (sending as an mp3 URL) at a time.
Here’s an update to the Bash script for multiple URL communication between gPodder and Audacious.
New: gPodder now allows you to select and play multiple shows at once. A playlist file containing all selected shows is created and then added to the Audacious playlist using xdg-open.
––––––––––––––––––––––––––––
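#!/bin/bash
# Creates an m3u playlist of multiple mp3 URLs and adds them to Audacious.
TARGET_M3U="/tmp/Downloads/gpodder/gpodder.m3u"
# Start a fresh playlist with the extended M3U header.
echo "#EXTM3U" > "$TARGET_M3U"
# Append every URL passed by gPodder (%U), one per line.
for i in "$@"; do
    echo "$i" >> "$TARGET_M3U"
done
# Hand the playlist to xdg-open, which asks the host to open it.
xdg-open "$TARGET_M3U"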
––––––––––––––––––––––––––––
Set this script as the audio player in gPodder’s settings:
/home/id1402/.local/bin/gpod_audacious %U
%U is necessary for processing multiple elements.
Change the user directory, of course. ~ as the home directory doesn’t work.
Just a reminder: This approach is only useful in environments where gPodder is running in the flatpak sandbox and is intended to use players that are installed system-wide outside the sandbox.