Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Device permission compatibility #5681

Open
2 tasks done
hfiguiere opened this issue Feb 11, 2024 · 6 comments · May be fixed by #5708
Open
2 tasks done

Device permission compatibility #5681

hfiguiere opened this issue Feb 11, 2024 · 6 comments · May be fixed by #5708
Assignees
@hfiguiere
Labels
enhancement needs triage

Comments

@hfiguiere
Copy link
Collaborator

hfiguiere commented Feb 11, 2024
edited

Checklist

  • I agree to follow the Code of Conduct that this project adheres to.
  • I have searched the issue tracker for a feature request that matches the one I want to file, without success.

Suggestion

Related issues #4405 (PR #5620) #5524 #5481

We want to add permissions for device categories.

As of now we have dri, kvm, shm, all, and the recently added input (see #5481). The latter is why I'm filing this.

Device all is used in a lot of situations when needed access to input devices (game controllers), USB (see #5620 for that part) etc.

input was added in #5481 but this mean that using --device=input is only when flatpak 1.15.6 or later, which seriously limit its use. The only way to have this work out of the box is to add --device=all which make the case of using --device=input moot.

Solution:

We should have a mechanism to allow the transition. Here is the proposal:

For compatibility purpose, the packager will indicate device=input, ignored by old flatpaks, device=all understood by old flatpak, and device=not-all,input to indicate newer flatpak that all should be ignored for input.

Later, we add support for usb, then we would indicate device=not-all,usb,input to disable the device all for both input and the just added usb.

The importan part is the forward looking mechanism. Support for device=not-all is implemented the following way:

device=not-all always followed by comma separated devices. Example: device=not-all,input,usb. The interpretation is: if for all the devices specified if flatpak knows about the device and it is specified the device=all is deselected.

The behaviour of dri, kvm, shm is unchanged, BUT sepecifying --device=not-all will require to specify them explicitely.

Example:

flatpak < 1.15.6 (most distro)

--device=all
--device=input
--device=not-all,input

Device: all ON, as it doesn't recognize anything but all.

flatpak know input but not usb:

--device=all
--device=input
--device=not-all,input

Device: all OFF

--device=all
--device=input
--device=not-all,input,usb

Device: all OFF, because usb is not specified.

--device=all
--device=input
--device=usb
--device=not-all,input,usb

Device: all ON, because it doesn't know about USB devices so it needs to let them all.

flatpak know input and usb:

--device=all
--device=input
--device=usb
--device=not-all,input,usb

Device: all OFF. This is the forward compatibility.

Using --device should allow to not require to add anything to flatpak-builder.

While the options are presented as finish-args from the manifest the metadata form would luke this:

[Context]
devices=all;input;usb;not-all,input,usb;

About the syntax

The choice of comma , as a separator fits as the keyfile uses the semi-colon ;. So there is no conflict. It's a free form string because it allow just ignoring it if the flatpak version is too old.

The choice of not-all seems to be clear. Someone suggested not-all-if. It can be considered if clearer.
@hfiguiere hfiguiere self-assigned this Feb 11, 2024
@hfiguiere hfiguiere changed the title Device compatibility Device permission compatibility Feb 11, 2024
@TingPing
Copy link
Member

I agree with the concept, I think that would help moving forward.

I might bikeshed the syntax but I'm not sure of anything better offhand.

@hfiguiere
Copy link
Collaborator Author

Added a small section about the syntax at the end of the description.

@smcv
Copy link
Collaborator

smcv commented Feb 15, 2024

--socket=fallback-x11 is prior art for this, sort of (it's effectively not-x11-if,wayland in the syntax proposed here).

In particular, anyone looking at implementing this should look at the implementation of fallback-x11, and how Flatpak special-cases it so that moving from --socket=x11 --socket=wayland to --socket=x11 --socket=fallback-x11 --socket=wayland is not considered to be a permissions increase that requires prompting. --device=not-all-if,... should behave similarly.

@smcv
Copy link
Collaborator

smcv commented Feb 15, 2024
edited

Would it perhaps be better to design a syntax for which any app with a Flatpak >= 1.16.0 dependency will be able to stop specifying --device=all, so that eventually (maybe in 5 or 10 years) that can go away?

For example I could imagine that in future, we might want something like:

--device=fallback:gamepad,input,all --device=fallback:usb,all --socket=fallback:wayland,x11

with the semantics being:

  • ignore any --device=all or --device=input or --socket=x11 that were specified at the same level of precedence
  • do not ignore those if specified at a higher level of precedence (so users can still flatpak override --device=all if they want to)
  • if --device=gamepad (a hypothetical future option) is implemented in this Flatpak, then behave as if --device=gamepad had been used
  • else if --device=input is implemented in this Flatpak, then behave as if --device=input had been used
  • else if --device=all is implemented, then behave as if --device=all had been used
  • if --device=usb (another hypothetical future option) is implemented in this Flatpak, then behave as if --device=usb had been used
  • else if --device=all is implemented, then behave as if --device=all had been used (which makes --device=input redundant, but that isn't a problem)
  • similar logic for Wayland and X11

That way, as soon as an app is comfortable with adding a dependency on a Flatpak that is new enough to understand the fallback: syntax, it can stop adding the confusing --device=all.

@hfiguiere
Copy link
Collaborator Author

--socket=fallback-x11 is implemented by adding x11 into the permissions, and then flatpak check the fallback first. It's not a very complex case.
Technically, --socket=fallback-x11 and ``--socket=x11` is valid, and lead to the exact same result: x11 is only available as a fallback.

That way, as soon as an app is comfortable with adding a dependency on a Flatpak that is new enough to understand the fallback: syntax, it can stop adding the confusing --device=all.

The goal here is to not have to wait for "being comfortable to depend on a flatpak new enough". The policy of certain distros lead to a too long wait time to get newer version. The goal is that it works, albeit with broader permissions, with today flatpak, without user intervention.

I like this idea of this fallback syntax, but I don't think the complexity is worth to have more than one fallback per device. It feels more verbose, but clearer of intent than my proposal.

However the following:

--device=fallback:gamepad,input,all --device=fallback:usb,all

wouldn't work on an old flatpak: it wouldn't know about any of the device and there would be none exposed. Now we could make it so that:

--device=fallback:gamepad,input,all --device=fallback:usb,all --device=all

would do the same as above, but, because all is in any fallback, all gets ignored alone, living the permission thight.

An older flatpak that doesn't understand the fallback syntax would just use all. One that to understand the fallback syntax but doesn't know the device would use the fallback as needed.

Further we could make it less verbose:

--device=input,all --device=usb,all --device=all

The difference with above is the lack of fallback: in the syntax, it works the same way.

@smcv
Copy link
Collaborator

smcv commented Feb 19, 2024

The goal here is to not have to wait for "being comfortable to depend on a flatpak new enough"

I understand that, but I also don't want to still be carrying around 2024 workarounds in 2044 because there was no exit strategy for removing them. There has to be some point in the distant future at which app authors can rely on a new enough Flatpak.

Now we could make it so that:

--device=fallback:gamepad,input,all --device=fallback:usb,all --device=all

would do the same as above, but, because all is in any fallback, all gets ignored alone, living the permission thight.

An older flatpak that doesn't understand the fallback syntax would just use all. One that to understand the fallback syntax but doesn't know the device would use the fallback as needed.

Yes, that's what I thought - and then, eventually, perhaps in 2029 or 2034, app maintainers can drop the confusing --device=all and just have the "new" fallback: syntax (which by then will be 5 or 10 years old).

Further we could make it less verbose:

--device=input,all --device=usb,all --device=all

I think the meaning of this is not clear enough to a reader: it looks like a strange way to spell --device=input --device=usb --device=all.

hfiguiere added a commit to hfiguiere/flatpak that referenced this issue Mar 1, 2024
@hfiguiere
context: Added fallback devices
b0e0f76 
This provide compatibility to disable all devices when there is new device option

Fixes flatpak#5681

Signed-off-by: Hubert Figuière <[email protected]>
@hfiguiere hfiguiere linked a pull request Mar 1, 2024 that will close this issue
Draft
2 tasks
hfiguiere added a commit to hfiguiere/flatpak that referenced this issue Mar 4, 2024
@hfiguiere
context: Added fallback devices
8d736e9 
This provide compatibility to disable all devices when there is new
device option.
A fallback device is specified like `input,all`. This mean that if it
knows about `input` this indicate that `all` as a separate device
will be removed to narrow down the permissions.

Fixes flatpak#5681

Signed-off-by: Hubert Figuière <[email protected]>
hfiguiere added a commit to hfiguiere/flatpak that referenced this issue Mar 4, 2024
@hfiguiere
context: Added fallback devices
9054557 
This provide compatibility to disable all devices when there is new
device option.
A fallback device is specified like `input,all`. This mean that if it
knows about `input` this indicate that `all` as a separate device
will be removed to narrow down the permissions.

Fixes flatpak#5681

Signed-off-by: Hubert Figuière <[email protected]>
hfiguiere added a commit to hfiguiere/flatpak that referenced this issue Mar 4, 2024
@hfiguiere
context: Added fallback devices
6456279 
This provide compatibility to disable all devices when there is new
device option.
A fallback device is specified like `input,all`. This mean that if it
knows about `input` this indicate that `all` as a separate device
will be removed to narrow down the permissions.

Fixes flatpak#5681

Signed-off-by: Hubert Figuière <[email protected]>
hfiguiere added a commit to hfiguiere/flatpak that referenced this issue Mar 4, 2024
@hfiguiere
context: Added fallback devices
5cf723a 
This provide compatibility to disable all devices when there is new
device option.
A fallback device is specified like `input,all`. This mean that if it
knows about `input` this indicate that `all` as a separate device
will be removed to narrow down the permissions.

Fixes flatpak#5681

Signed-off-by: Hubert Figuière <[email protected]>
hfiguiere added a commit to hfiguiere/flatpak that referenced this issue Mar 4, 2024
@hfiguiere
context: Added fallback devices
7058539 
This provide compatibility to disable all devices when there is new
device option.
A fallback device is specified like `input,all`. This mean that if it
knows about `input` this indicate that `all` as a separate device
will be removed to narrow down the permissions.

Fixes flatpak#5681

Signed-off-by: Hubert Figuière <[email protected]>
hfiguiere added a commit to hfiguiere/flatpak that referenced this issue Mar 4, 2024
@hfiguiere
context: Added fallback devices
eb529fe 
This provide compatibility to disable all devices when there is new
device option.
A fallback device is specified like `input,all`. This mean that if it
knows about `input` this indicate that `all` as a separate device
will be removed to narrow down the permissions.

Fixes flatpak#5681

Signed-off-by: Hubert Figuière <[email protected]>
hfiguiere added a commit to hfiguiere/flatpak that referenced this issue Mar 10, 2024
@hfiguiere
context: Added fallback devices
18f64df 
This provide compatibility to disable all devices when there is new
device option.
A fallback device is specified like `fallback:input,all`. This mean
that if it knows about `input` this indicate that `all` as a separate
device will be removed to narrow down the permissions.

Fixes flatpak#5681

Signed-off-by: Hubert Figuière <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@hfiguiere hfiguiere

Labels
enhancement needs triage
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

context: Added fallback devices hfiguiere/flatpak
3 participants
@hfiguiere @TingPing @smcv