Make sandboxing more clear

Hello,
I see again and again that new Linux users think apps are glitched because Flatpaks’ sandboxing is mostly just silent. Example: Discord. If you install it from Flatpak, it will just seem like some folders in the home directory are missing; without any kind of error, people will think it’s a bug or something like that.
My suggestion would be, if it’s possible: popups, like in macOS, if an application wants to access a folder or use a feature it doesn’t have permission for. I’m aware that could be complicated with the vast amount of desktop environments out there, but the silent failures/restrictions, from my experience, just keep confusing users.
I originally talked about this on reddit, so here’s the thread!

3 Likes

if it’s possible: popups, like in macOS, if an application wants to access a folder or use a feature it doesn’t have permission for.

That sounds like unnecessary work for an already (mostly) solved problem. I don’t know how macOS does it, but I can’t think of how that could be reasonably implemented here without still needing to update apps. The portal APIs exist; apps/toolkits just need to use them.

The issue is Discord. I’d recommend reading blogs like this, as this sort of question has been asked before.

Discord does not yet use the file chooser portal, since they use an outdated version of electron.

The way the file chooser portal works is the app asks the host to create a file chooser. When the user selects a file, that specific file is made available in the sandbox and the URI is passed back to the app.

This means the user does not need to allow or disallow access with permission prompts, which is good since users tend to ignore and dislike being prompted. But a file chooser only implicitly asks for permission so it doesn’t appear like a permission prompt.

The file transfer portal is used for dragging and dropping files; unfortunately, that has not been implemented in Chromium/Electron yet.

1 Like

Expecting developers to use the portal APIs seems to not work, Steam will probably keep using their weird custom file chooser, Discord probably won’t update their version of Electron too soon either. And if you aren’t aware of Flatpaks’ sandboxing it’ll just appear like apps are broken on Linux or something like that, and if you don’t know what to look for, you have to be really lucky in my experience to even find a solution mentioning Flatpak.

This is a good point, and it really makes a huge impact on perceived usability! Maybe file access portals could by default have pop-ups warning that this software’s access to your files is limited?

It’s not ideal, but unfortunately there is just no easy, practical way to improve the non-portal behaviour. Apps need to support APIs to make things work on Linux. It’s the same thing with supporting things like Wayland or notification APIs and such. There is only so much the Flatpak developers can do; they can’t fix proprietary apps.

Maybe file access portals could by default have pop-ups warning that this software’s access to your files is limited?

The file chooser portal has the normal permissions of your user; the issue is that Discord doesn’t implement it, so a warning in the portal would never be shown with Discord.

1 Like

I think it’s a valid point, and it’s not just Discord. I was surprised myself installing LibreWolf as a browser, and I couldn’t upload a new picture to GitLab as it seemed like I didn’t have any files left in my home directory. So I went to write an email (webmail) and attach a file, but same thing, I couldn’t browse for any of my files. It took some Google skills to find out what I had to do, and I’m certain most normal users wouldn’t go through that to do something that has worked for so long before.

See, here’s the problem. You’re telling Flatpak app maintainers to fix other people’s problems. Why should we punch more holes in the sandbox and let untrusted and/or sketchy applications access more directories when, really, application developers are too lazy to implement these standards and not cause these problems?

If you really want to help Flatpak, then I suggest opening threads in official forums, issue trackers, etc. and ask the devs to actually implement modern standards.
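To make the “missing folders” symptom from the opening post and the “punch more holes in the sandbox” concern concrete, here is a small added example (not code from this thread or from the Flatpak project). It parses a constructed keyfile resembling `flatpak info --show-permissions` output, tells you whether a given host path would be visible inside the sandbox, and proposes the narrowest `flatpak override` grant that exposes it, preferring a read-only XDG directory over `home`. Assumptions, all labelled in the code: the home directory `/home/alice`, the default XDG user-directory names (real ones come from `~/.config/user-dirs.dirs`), the placeholder app id `com.example.App`, and a simplified model of override layering in which a `!target` entry revokes only that exact grant.

```python
"""Explain Flatpak filesystem grants: why a host path looks "missing" inside
the sandbox, and the narrowest override that would expose it."""
import configparser
from pathlib import PurePosixPath

# Constructed sample in the keyfile syntax printed by
# `flatpak info --show-permissions <app-id>`. Not any real app's manifest.
SAMPLE_PERMISSIONS = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=xdg-videos;xdg-pictures:ro;

[Session Bus Policy]
org.freedesktop.Notifications=talk
"""

HOME = "/home/alice"  # assumed home directory for the worked example

# Assumed default XDG user-directory names; the real mapping lives in
# ~/.config/user-dirs.dirs and may differ per user and locale.
XDG_DIRS = {
    "xdg-desktop": "Desktop", "xdg-documents": "Documents",
    "xdg-download": "Downloads", "xdg-music": "Music",
    "xdg-pictures": "Pictures", "xdg-videos": "Videos",
}


def parse_filesystems(permissions_text):
    """Return the filesystems= entries of [Context] as (target, mode, negated).

    Entries are ';'-separated, may carry a ':ro' / ':rw' / ':create' suffix,
    and a leading '!' (as written in override files) revokes a grant.
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(permissions_text)
    raw = cp.get("Context", "filesystems", fallback="")
    entries = []
    for item in filter(None, (s.strip() for s in raw.split(";"))):
        negated = item.startswith("!")
        target, _, mode = item.lstrip("!").partition(":")
        entries.append((target, mode or "rw", negated))
    return entries


def grant_root(target):
    """Host directory a grant target exposes, or None if unrecognised."""
    if target in ("home", "~"):
        return HOME
    if target in ("host", "host-os"):
        return "/"
    if target == "host-etc":
        return "/etc"
    if target in XDG_DIRS:
        return f"{HOME}/{XDG_DIRS[target]}"
    if target.startswith("~/"):
        return f"{HOME}/{target[2:]}"
    if target.startswith("/"):
        return target
    return None


def effective_grants(entries):
    """Simplified override semantics (assumption): '!target' removes that
    exact grant and nothing else, so '!home' plus 'xdg-download' still
    exposes Downloads."""
    revoked = {t for t, _m, neg in entries if neg}
    return [(t, m) for t, m, neg in entries if not neg and t not in revoked]


def is_visible(path, entries):
    """True if some effective grant covers `path`; otherwise the sandbox
    silently shows nothing there, which is the 'missing folder' symptom."""
    p = PurePosixPath(path)
    for target, _mode in effective_grants(entries):
        root = grant_root(target)
        if root is None:
            continue
        r = PurePosixPath(root)
        if p == r or r in p.parents:
            return True
    return False


def suggest_override(path, entries, app_id):
    """Narrowest read-only grant exposing `path`, as a `flatpak override`
    command line; None if the path is already visible."""
    if is_visible(path, entries):
        return None
    p = PurePosixPath(path)
    for target, sub in XDG_DIRS.items():  # prefer a single XDG dir over `home`
        root = PurePosixPath(f"{HOME}/{sub}")
        if p == root or root in p.parents:
            return f"flatpak override --user --filesystem={target}:ro {app_id}"
    return f"flatpak override --user --filesystem={p.parent}:ro {app_id}"


if __name__ == "__main__":
    grants = parse_filesystems(SAMPLE_PERMISSIONS)
    for host_path in (f"{HOME}/Pictures/avatar.png", f"{HOME}/Downloads/report.pdf"):
        state = "visible" if is_visible(host_path, grants) else "hidden by the sandbox"
        print(f"{host_path}: {state}")
        fix = suggest_override(host_path, grants, "com.example.App")
        if fix:
            print("  narrowest fix:", fix)
```

Running it shows `Pictures/avatar.png` as visible (read-only) and `Downloads/report.pdf` as hidden, with `--filesystem=xdg-download:ro` proposed rather than `--filesystem=home`; that is the least-privilege shape of the “hole” this post is worried about, and `flatpak override --show <app-id>` lets you audit what has actually been granted afterwards.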

I think that to some degree, the onus is on Flatpak maintainers when you have a policy of repacking third-party software into Flatpak. Not designing a way to intercept and trigger portals correctly for those things is a clear failure that should be thought about and worked on.

Since you control the runtime these applications run on, you could adjust things so that you can trigger portals when you attempt to navigate beyond allowed stuff (a la action-based intent triggers). Same goes for accessing devices (cameras, printers, etc.).

Since you control the runtime these applications run on.

Indeed, it’s technically feasible to configure Discord to use a different Electron build. However, Discord seemingly did not answer a question about whether they’d allow that. So the Electron version used is under Discord’s control unless Discord formally allows/wants Flathub to change it.

That wasn’t what I meant at all. I mean changing the runtime itself, that is, the Flatpak runtime, so that attempts to access things by any means trigger a portal request. Fundamentally, I’m talking about a design that assumes you cannot modify the application code at all.

Ah, I apologize for misreading. I am not sure how you’d reliably detect non-portal file system access requests, or other permissions for that matter. How can the Flatpak runtime know when an app/user is looking for a file? It seems more straightforward, and ultimately a better user experience, to just implement portal support in toolkits/apps.

It would be nice if some of these apps worked better until portals are implemented. So suggestions on how to reliably improve non-portal behaviour are perhaps worth suggesting somewhere.

That’s not what I’m saying. I’m saying that we need to educate people about this and help them fix such things if they decide to do so, instead of them trying an app, it not working, and then dumping the whole idea of Flatpaks entirely. A simple instruction or wiki on flathub.org could perhaps make the transition much easier for not-so-advanced users.

Sorry for giving you the impression that I was replying to you. I was directly replying to the OP.

You can see next to the commenter’s username to whom they were replying (screenshot omitted).

1 Like

Quick side note since you mentioned Steam: Steam can now use the ScreenCast portal to screencast on Wayland.

Zoom seems to have some portal integration scheduled for a future release too.

The portal-based future is slowly but surely materializing.