Flatseal icon indicating copy to clipboard operation
Flatseal copied to clipboard
verified publisher icon tchx84

Flatseal doesn't match flatpak semantics for user/system permission interactions

Open ssokolow opened this issue 2 years ago • 2 comments

I just noticed that I had an application (org.gottcode.FocusWriter) which Flatseal said was filesystem=!host, but it could still see xdg-documents. I only noticed this because I was trying to figure out how it was able to persist opened files across sessions when I didn't see any of the paths in the flatpak documents output.

I eventually discovered it was because of this configuration tweak I'd somehow set and forgotten about:

% flatpak override org.gottcode.FocusWriter --user --show                       
[Context]
filesystems=!home;
% flatpak override org.gottcode.FocusWriter --show                              
[Context]
filesystems=xdg-documents;!host;

This seems like an easy way for a Flatseal user to be lulled into thinking something isn't granted when it actually is.

ssokolow avatar Sep 08 '23 00:09 ssokolow

Hey @ssokolow , currently Flatseal only works with user overrides. If you mix with system-level manual overrides Flatseal won't be able to do reflect that.

tchx84 avatar Sep 08 '23 16:09 tchx84

I don't want to change system-level overrides. I just think it's dangerously misleading to not either acknowledge them or have a big warning that they're not ignored.

It makes it far too easy for the user to assume that Flatseal can be trusted as an overview of what permissions have been granted.

ssokolow avatar Sep 09 '23 14:09 ssokolow