fusuma icon indicating copy to clipboard operation
fusuma copied to clipboard
verified publisher icon iberianpig

Can fusuma use flatpak: `device=input|all` permission instead of requiring `input` group?

Open KAGEYAM4 opened this issue 1 year ago • 4 comments

Is your feature request related to a problem? Please describe.

IMPORTANT: This makes /dev/input/ readable, so if that's an issue for you for some reason (like for privacy- or securityconcerns etc. or if it causes other parts of your OS to misbehave), consider this your heads-up.

Describe the solution you'd like Can flatpak solve this ? https://docs.flatpak.org/en/latest/sandbox-permissions.html#device-access

KAGEYAM4 avatar Jan 20 '25 10:01 KAGEYAM4

I'm not very familiar with Flatpak, but for Fusuma, if we can control access to /dev/input, we might not need the input group for libinput. Also, fusuma-plugin-remap uses /dev/uinput to create virtual devices, which needs extra permissions.

Projects that use Flatpak, like Steam or other key remappers, might be useful to look at.

It could also be useful to see if we can run without the input group by using systemd to run as root.

iberianpig avatar Jan 26 '25 06:01 iberianpig

a Flatpak app runs as your user, so at best it can do what your user can do. --device=input merely provides access to the device nodes.

I asked on flatpak-Matrix, and flatpak solution won't work.

KAGEYAM4 avatar Jan 26 '25 06:01 KAGEYAM4

@iberianpig found it on how steam-input works --> (TLDR: udev-rule granting tag:uaccess)

  • https://www.reddit.com/r/archlinux/comments/viss0k/having_steam_installed_gives_your_user_readwrite/
  • https://wiki.archlinux.org/title/Gamepad#Device_permissions
  • https://github.com/ValveSoftware/steam-devices/blob/master/60-steam-input.rules

Granting access to uinput and touchpad is better that being part of input group.

Here's an example of udev rule for touchpad that i am using.

  • Got the attributes by running sudo evtest and then selecting events which i though belong to touchpad, performing action on touchpad to see if output shows in evtest. Then using $ udevadm info --attribute-walk --name=/dev/input/<event-id> to get attributes.
  • Using udev rule from steaminput for uinput

KAGEYAM4 avatar Jan 28 '25 02:01 KAGEYAM4

Thanks for sharing your ideas!

I really think it’s better to give access to uinput and the touchpad instead of being part of the input group.

Making udev rules sounds like a good plan. It will help control which devices we can use. If we could also create a simple helper script for Fusuma users installation, that would make setting things up much easier.

Additionally, I'd like to know if there are alternative methods for getting device attributes besides using evtest for making helper script.

iberianpig avatar Feb 17 '25 17:02 iberianpig