Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

portal impls have no way to tell what type of application is making requests #1499

Open
hsitter opened this issue Oct 30, 2024 · 8 comments
Open
Labels

Comments

@hsitter
Copy link
Contributor

hsitter commented Oct 30, 2024

Operating System

KDE Linux

XDG Desktop Portal version

1.18

XDG Desktop Portal version (Other)

No response

Desktop Environment

KDE

Desktop Environment (Other)

No response

Expected Behavior

Downstream in KDE there are some use cases for loosening the access controls for host applications. The trouble is we currently can't tell if an application is host or flatpak or snap. We obviously wouldn't want to change anything for the sandboxes. To that end maybe it'd make sense to somehow expose a kind field that describes host|flatpak|snap. Or possibly even more of the metadata collected in xdp_app_info_from_*?

Current Behavior

Currently we don't know if an application is host or not.

Steps to Reproduce

Not applicable

Anything else we should know?

e.g. Consider an advanced user who is SSHing into their home system and wants to setup RDP so they can get to their desktop. It makes little sense for the rdpserver that is already running with host access to require an interactive authorization prompt. A notification that someone has connected seems more appropriate.

Or a gaming application that is installed in host scope and uses the remote-desktop facilities to stream games. When you are on the couch and want to game, the auth prompt isn't necessarily interactable.

@hsitter hsitter added the bug label Oct 30, 2024
@github-project-automation github-project-automation bot moved this to Needs Triage in Triage Oct 30, 2024
@Mikenux
Copy link

Mikenux commented Oct 31, 2024

To be sure, what do you mean by "host" application? A "native" app like a deb or rpm package (a non-flatpak and non-snap packaged app)? An app with "host" access (e.g. a native app, a flatpak app with filesystem=host, snap equivalent)? An app installed on the host?

@hsitter
Copy link
Contributor Author

hsitter commented Oct 31, 2024

A "native" app like a deb or rpm package

^ this one :)

@Mikenux
Copy link

Mikenux commented Oct 31, 2024

Ok, thanks.

To respond to your general solution, it depends. If currently native apps aren't using any permission when using portals, then that make sense to not present any prompt. However, if a permission is stored for native apps, then it depends on the case and how reliably the app is identified.

Sadly, I can't tell more because I don't really know how remote desktop here works (as I never experienced it). However, if you can describe briefly how it works and/or how I can experience it, then I will certainly say more. My only reference is https://gitlab.gnome.org/Teams/Design/os-mockups/-/blob/master/portals/portals.png?ref_type=heads, and I don't even see in the relevant design how "Firefox" is identified if it is an app on another computer...

@jadahl
Copy link
Collaborator

jadahl commented Oct 31, 2024

If currently native apps aren't using any permission when using portals, then that make sense to not present any prompt. However, if a permission is stored for native apps, then it depends on the case and how reliably the app is identified.

They can if they are launched in a cgroup that is discovered correctly.

The trouble is we currently can't tell if an application is host or flatpak or snap.

You could look for X-Flatpak in the .desktop file to see if it's a flatpak.

Though, arguably, for the two use cases, it seems more sensible to make use of the token based session restore, that bypasses any dialog and just exposes it by default without any interaction.

Another approach that has been discussed (but I fail to find the issue / discussion) is how to allow pre-configure access to certain apps. The use case in mind for that has been e.g. pre-authorized remote assistance apps in corporate environments.

With that said, remote desktop servers using the portals are meant to be for "share my physically visible screen" use cases, and not when the primary method for accessing a machine is via a remote desktop protocol.

@Mikenux
Copy link

Mikenux commented Nov 1, 2024

@jadahl: Is the window to set the permissions comes from the app as being the server installed on the host machine? If that is that means we don't approve clients that are connecting. Is that correct?

@Mikenux
Copy link

Mikenux commented Nov 2, 2024

I've thought of other ideas, but they require other things. The best thing for now seems indeed to be able to pre-configure portal permissions.

Here are relevant issues:

@hsitter
Copy link
Contributor Author

hsitter commented Dec 19, 2024

What I was thinking is simply having a way to get to

xdp_app_info_is_host (XdpAppInfo *app_info)
from the portal-impl (or more generically perhaps a way to get the app info from outside xdp).

It'd allow us to tell host from sandboxed applications which in turn allows us to treat things slightly differently - a use case that keeps popping up e.g. I am reminded of https://invent.kde.org/plasma/xdg-desktop-portal-kde/-/merge_requests/297

@Mikenux
Copy link

Mikenux commented Dec 22, 2024

Keeping identification in common allows to have same permission model for all DE, I think.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
Status: Needs Triage
Development

No branches or pull requests

3 participants