Disabling "all system files" for com.calibre_ebook.calibre doesn't work, program still has access to all files #619

Closed
ell1e opened this issue Dec 5, 2023 · 8 comments

Comments

@ell1e

ell1e commented Dec 5, 2023

Disabling "all system files" for com.calibre_ebook.calibre doesn't work, the program still has access to all files after doing that.

Tested with flatseal 2.1.0, flatpak 1.15.6, calibre 7.1.0, with a gnome-shell 45.1 wayland desktop on openSUSE Slowroll.

@BigmenPixel0
Contributor

I don't know well but maybe this application uses portals?

@rusty-snake

To 98% you tested the view of your portal implementation rather than the view of calibre.

For the other 2% post the output of flatpak info -m <calibre app id>, flatpak info -M <calibre app id>, the override files for calibre and the global one in your user and system override directory and a screenshot of the filesystem permissions in flatseal.

@ell1e
Author

ell1e commented Dec 5, 2023

It does actually seem to be broken:

$ flatpak info -m com.calibre_ebook.calibre
[Application]
name=com.calibre_ebook.calibre
runtime=org.freedesktop.Platform/x86_64/23.08
sdk=org.freedesktop.Sdk/x86_64/23.08
command=calibre

[Context]
shared=network;ipc;
sockets=x11;wayland;fallback-x11;
devices=all;
filesystems=xdg-config/kdeglobals:ro;xdg-run/speech-dispatcher:ro;host;xdg-data/Trash;

[Session Bus Policy]
com.canonical.AppMenu.Registrar=talk
org.kde.StatusNotifierWatcher=talk

[System Bus Policy]
org.freedesktop.UDisks2=talk

[Environment]
OPENSSL_CONF=/dev/null
KDE_FORK_SLAVES=1
SSL_CERT_DIR=/etc/ssl/certs

[Extension com.calibre_ebook.calibre.Debug]
directory=lib/debug
autodelete=true
no-autodownload=true

[Build]
built-extensions=com.calibre_ebook.calibre.Debug;com.calibre_ebook.calibre.Sources;

...says host in the filesystem part. Also, it doesn't list the folder I added manually. Here is what flatseal says:

Screenshot from 2023-12-05 16-39-25

I also find it worrying that X11 windowing system and X11 fallback is still enabled for 99% of stuff on flathub by default, even the things claimed to be "sandboxed" (from my understanding not possible with Xwayland access), and even when using a Wayland session. That doesn't seem quite right behavior either, although I suppose that might not be flatseal's mistake.

@rusty-snake

> flatpak info -m com.calibre_ebook.calibre ... says host in the filesystem part.

Yes, because those are the permissions defined in its manifest. The -M shows you the current permissions after applying all overrides.

I asked for two commands and the override files. Can you just post them all? And read about portals.


> I also find it worrying that X11 windowing system and X11 fallback is still enabled for 99% of stuff on flathub by default,

Should it be broken for X11 users by default? Keep in mind that "the fallback-x11 option makes the X11 socket available only if there is no Wayland socket." So socket=x11;fallback-x11;wayland will not give it X11 access if it can give Wayland access.

@ell1e
Author

ell1e commented Dec 5, 2023

Oh oops, here's the other one:

$ flatpak info -M com.calibre_ebook.calibre
[Context]
shared=network;ipc;
sockets=x11;wayland;fallback-x11;
devices=all;
filesystems=~/Calibre Library;xdg-config/kdeglobals:ro;xdg-run/speech-dispatcher:ro;xdg-data/Trash;

[Session Bus Policy]
com.canonical.AppMenu.Registrar=talk
org.kde.StatusNotifierWatcher=talk

[System Bus Policy]
org.freedesktop.UDisks2=talk

[Environment]
OPENSSL_CONF=/dev/null
KDE_FORK_SLAVES=1
SSL_CERT_DIR=/etc/ssl/certs

So all in order then? I assume portals somehow magically make available only what I pick in the file dialog?

Anyway, sorry for the invalid ticket. I guess I would suggest some UI thing to make it clear the sandboxing is still working, but I can't actually think of a good way to do that, so I'm at a loss. Thanks so much for explaining it!

@ell1e ell1e closed this as completed Dec 5, 2023
@rusty-snake

> I assume portals somehow magically make available only what I pick in the file dialog?

Almost, but they do it technically, not magically 😁 .

> I would suggest some UI thing to make it clear the sandboxing is still working, but I can't actually think of a good way to do that,

I think doing it at flatpak (actually the portal implementation frontends) would be the place to do this.

> Anyway, sorry for the invalid ticket.

Not the first one, not the last one.

@ell1e
Author

ell1e commented Dec 5, 2023

> Should it be broken for X11 users by default?

I guess this should be adjusted on a per desktop level then, ideally? GNOME at least seems to be moving to a "broken for X11 users by default" future, so I'm assuming it's inevitable anyway. But if this fallback check happens outside the sandbox and makes it safe, then I assume my remark on this was also wrong. Sorry!

@rusty-snake

> GNOME at least seems to be moving to a "broken for X11 users by default" future

Not really, they have plans to drop the X11 session (could be added back by distros), drop support for X11 shell (XWayland continues to exist) and maybe to drop support for X11 apps (> 10 years I guess). So it's more a broken by default for X11 developers by moving the userbase.

> But if this fallback check happens outside the sandbox and makes it safe

Yes, it happens while collecting all the arguments for the sandbox.

if has_wayland():
    sandbox.allow(Wayland)
else:
    sandbox.allow(X11)
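
Added example, not part of the original thread and not flatpak's or Flatseal's code: a small audit that compares the manifest permissions (`flatpak info -m`) with the effective ones (`flatpak info -M`) and resolves the display sockets under the fallback rule quoted above. The function names and `host_has_wayland` are hypothetical, the sample text is trimmed from the two outputs posted in this thread, and the socket logic is a simplified model of that rule.

```python
import configparser

# Constructed samples: the [Context] groups from the -m and -M outputs above.
MANIFEST = """\
[Context]
sockets=x11;wayland;fallback-x11;
filesystems=xdg-config/kdeglobals:ro;xdg-run/speech-dispatcher:ro;host;xdg-data/Trash;
"""
EFFECTIVE = """\
[Context]
sockets=x11;wayland;fallback-x11;
filesystems=~/Calibre Library;xdg-config/kdeglobals:ro;xdg-run/speech-dispatcher:ro;xdg-data/Trash;
"""

# Filesystem keywords that expose a whole tree rather than a single path.
BROAD = {"host", "host-os", "host-etc", "home"}

def context(text):
    """Parse the [Context] group of flatpak metadata into {key: [values]}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case as written
    cp.read_string(text)
    return {k: [v for v in val.split(";") if v]
            for k, val in cp["Context"].items()}

def audit(manifest, effective):
    """Report what the overrides changed and which broad grants remain."""
    m = set(context(manifest).get("filesystems", []))
    e = set(context(effective).get("filesystems", []))
    # Strip a ':ro' / ':rw' suffix before matching the keyword.
    broad = sorted(f for f in e if f.split(":")[0] in BROAD)
    return {"removed": sorted(m - e), "added": sorted(e - m), "broad": broad}

def display_sockets(sockets, host_has_wayland):
    """Model of the fallback rule: with fallback-x11 set, X11 is granted
    only when no Wayland socket is handed to the sandbox."""
    s = set(sockets)
    wayland = "wayland" in s and host_has_wayland
    x11 = (not wayland) if "fallback-x11" in s else ("x11" in s)
    return {"wayland": wayland, "x11": x11}

if __name__ == "__main__":
    print(audit(MANIFEST, EFFECTIVE))
    print(display_sockets(context(EFFECTIVE)["sockets"], host_has_wayland=True))
```

An empty `broad` list for the `-M` output is the signal that the override took effect; files opened through the portal's file dialog do not appear in either listing.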
