USB portal #1238
USB portal #1238
Conversation
GeorgesStavracas
force-pushed
the
gbsneto/usb
branch
3 times, most recently
from
6b4af0f to
8f893ce
Compare
If you use that in
This is an important question, and an even more important one is how do you remove the authorisation for an app to talk to a device that it's already talking to. A particularly important test of the API would be to adapt libgusb or libusb to access USB devices through the portal rather than talking directly to the Linux kernel. |
How will this work in practice? If some Game has Controller support, it is very unlikely that this Game ships a list of all serial numbers of all Game Controllers in existence. |
Then the portal isn't needed but the portal exists so apps can drop |
First of all, this portal is not about input, joysticks and gamepads. Let's not get sidetracked here. Even then, yes, games or middleware ship with a list of all joysticks they support because you have to understand a specific joystick to actually use it. |
|
What is the scope of this portal, its targets? This could be clearer. Perhaps certain classes of devices could not be allowed in order to force, where possible, the use of the correct portal, such as for cameras (since this example was mentioned), and to offer additional protection. An exception, for many devices, is to access the firmware interface for upgrade purposes, which should ideally be separate from standard device use. This, if I'm not wrong, obviously. |
Seems like most questions are about this to begin with. The whole device declaration logic seems to be odd for me, seems like it's counterintuitive:
Doesn't the model established for virtual machines already make sense? It's essentially the same as plugging in a device just in software (when it actually works as there are some limitations). The enumeration permission just really doesn't seem to make sense, and overriding would be also tedious.
This is actually a really good mention of one of the worst cases I've seen without direct access. |
|
@GeorgesStavracas maybe make it clear what this portal is not trying to achieve, particularly:
|
Flatpak apps with I don't know if it's a good idea to look at this the devices flag from the portal. It may not be. It may be better to increase the expressiveness of
My honest opinion is that for v1 of the USB portal, it shouldn't try to escalate permissions, and e.g. GNOME Settings should say something like "You need to restart the app for this permission change to take effect". Otherwise it will be blocked on too many year-long changesets. But I guess you'll disagree with that :)
Yup it's on my list next. Sounds good, will update the commit and PR description soon.
I 100% agree that all firmware updates should go through fwupd, however, I think the portal, as it is right now, would allow for that, no? Apps can get raw USB access through the portal, and can monitor for devices unplugs and replugs, so technically it's possible? Is there anything else that apps need to do to manually update a firmware? (I wish we could distribute fwupd through Flatpak. It's probably not possible right now, and probably won't be possible with this portal either.) |
Probably for a lot of cases, yes. The point of saying we don't want to support firmware updates is that when some device comes up with a way to update the firmware which doesn't work with the portal we can say it's not an issue and they should use fwupd instead. |
|
That's not the case. If all of Proper support for hotplug in that situation requires jumping through some hoops, because libudev change-notification via netlink doesn't work across a container boundary, but you can get "good enough" change notification by using inotify on Similarly, if a whole subdirectory of What definitely doesn't work for monitoring/hotplug is if we bind-mount individual device nodes (like if we bind-mount In principle there would be nothing to stop Flatpak from bind-mounting all of |
... or, perhaps more relevant to this particular PR, since input devices are explicitly out-of-scope for this PR: if we bind-mount |
|
What does this mean? That the application can know all the devices we have and access them freely (without permission)? Or individual devices can be mounted, but then we forget about hotplugging? So the portal would just emit connected/disconnected signals so the app can tell the user to restart it? Still in relation to per-device access, I think mass storage is not a candidate either (if that is relevant for this portal). |
If it has |
The USB portal is the middleman between sandboxed apps, and the
devices connected and available to the host system. This is the
first version of the portal.
Device filtering
================
Sandboxed apps must declare which USB devices they support ahead
of time. This information is read by the XDG Desktop Portal and
used to determine which USB devices will be exposed to requesting
apps. On Flatpak, these allowed and blocked devices are set by the
"--usb" and "--no-usb" arguments against "flatpak build-finish"
and "flatpak run". "--devices=all" does not influence the portal.
Blocking a device always take precedence over allowing them, even
when a blanket permission ("--devices=all") is set.
Individual devices are assigned a unique identifier by the portal,
which is used for all further interactions. This unique identifier
is completely random and independent of the device. Permission
checks are in place to not allow apps to try and guess device ids
without having permission to access then.
Permissions
===========
There are 2 dynamic permissions managed by the USB portal in the
permission store:
1. Blanket USB permission: per-app permission to use any methods
of the USB portal. Without this permission, apps must not be
able to do anything - enumerate, monitor, or acquire - with
the USB portal. [1]
2. Specific device permission: per-app permission to acquire a
specific USB device, down to the serial number.
Enumerating devices
===================
There are 2 ways for apps to learn about devices:
- Apps can call the EnumerateDevices() method, which gives a
snapshot of the current devices to the app.
- Apps can create a device monitoring session with CreateSession()
which sends the list of available devices on creation, and also
notifies the app about connected and disconnected devices.
Only devices that the app is allowed to see are reported in both
cases.
The udev properties exposed by device enumeration is limited to a
well known subset of properties. [2]
Device acquisition & release
============================
Once an app has determined which devices it wants to access, the
app can call the AcquireDevices() method. This method may prompt
a dialog for the user to allow or deny the app from accessing
specific devices.
If permission is granted, XDG Desktop Portal tries to open the
device file on the behalf of the requesting app, and pass down
the file descriptor to that file. [3]
Co-Authored By: Georges Basile Stavracas Neto
<[email protected]>
---
[1] Exceptionally, apps can release previously acquired devices,
even when this permission is disabled. This is so because we
don't yet have kernel-sided USB revoking. With USB revoking in
place, it would be possible to hard-cut app access right when
the app permission changes.
[2] This patch uses a hardcoded list. There is no mechanism for
apps to influence which other udev properties are fetched. This
approach is open to suggestions - it may be necessary to expose
more information more liberally through the portal.
[3] This is clearly not ideal. The ideal approach is to go through
logind's TakeDevice() method. However, that will add significant
complexity to the portal, since this logind method can only be
called by the session controller (i.e. the only executable capable
of calling TakeControl() in the session - usually the compositor).
This can and probably should be implemented in a subsequent round
of improvements to the USB portal.
GeorgesStavracas
force-pushed
the
gbsneto/usb
branch
from
8f893ce to
40a0546
Compare
|
This latest push adjusts the portal code to match flatpak/flatpak#5620. It also addresses some comments.
I have removed this check. |
|
Since input devices are out of scope for this, are hidraw devices in scope for this? In particular, I'm interested in HID DJ controllers for Mixxx which are accessed through the hidapi library. In the past, Mixxx used the libusb backend of hidapi, but switched to the hidraw backend due to a bug with certain devices using the libusb backend. |
|
I think this can be closed now that #1354 has taken over. |
(This is a re-proposal of #559, but essentially rewritten)
The USB portal is the middleman between sandboxed apps, and the devices connected and available to the host system. This is the first version of the portal.
Device filtering
Sandboxed apps must declare which USB devices they support ahead of time. This information is read by the XDG Desktop Portal and used to determine which USB devices will be exposed to requesting apps. On Flatpak, these allowed and blocked devices are set by the "--usb" and "--no-usb" arguments against "flatpak build-finish" and "flatpak run". "--devices=all" does not influence the portal.
Blocking a device always take precedence over allowing them, even when a blanket permission ("--devices=all") is set.
Individual devices are assigned a unique identifier by the portal, which is used for all further interactions. This unique identifier is completely random and independent of the device. Permission checks are in place to not allow apps to try and guess device ids without having permission to access then.
Permissions
There are 2 dynamic permissions managed by the USB portal in the permission store:
Blanket USB permission: per-app permission to use any methods of the USB portal. Without this permission, apps must not be able to do anything - enumerate, monitor, or acquire - with the USB portal. [1]
Specific device permission: per-app permission to acquire a specific USB device, down to the serial number.
Enumerating devices
There are 2 ways for apps to learn about devices:
Apps can call the EnumerateDevices() method, which gives a snapshot of the current devices to the app.
Apps can create a device monitoring session with CreateSession() which sends the list of available devices on creation, and also notifies the app about connected and disconnected devices.
Only devices that the app is allowed to see are reported in both cases.
The udev properties exposed by device enumeration is limited to a well known subset of properties. [2]
Device acquisition & release
Once an app has determined which devices it wants to access, the app can call the AcquireDevices() method. This method may prompt a dialog for the user to allow or deny the app from accessing specific devices.
If permission is granted, XDG Desktop Portal tries to open the device file on the behalf of the requesting app, and pass down the file descriptor to that file. [3]
Open questions / TODOs
[1] Exceptionally, apps can release previously acquired devices, even when this permission is disabled. This is so because we don't yet have kernel-sided USB revoking. With USB revoking in place, it would be possible to hard-cut app access right when the app permission changes.
[2] This patch uses a hardcoded list. There is no mechanism for apps to influence which other udev properties are fetched. This approach is open to suggestions - it may be necessary to expose more information more liberally through the portal.
[3] This is clearly not ideal. The ideal approach is to go through logind's TakeDevice() method. However, that will add significant complexity to the portal, since this logind method can only be called by the session controller (i.e. the only executable capable of calling TakeControl() in the session - usually the compositor). This can and probably should be implemented in a subsequent round of improvements to the USB portal.