Flatpak office suites sensible filesystems permissions

Project Discussion
1

I’ve installed LibreOffice, WPS Office as well as OnlyOffice from Flathub. Turns out each of them has different default filesystem access settings:

$ flatpak info --show-permissions org.libreoffice.LibreOffice | grep filesystems
filesystems=xdg-run/dconf;host;

$ flatpak info --show-permissions org.onlyoffice.desktopeditors | grep filesystems
filesystems=xdg-download;xdg-documents;xdg-videos;xdg-pictures;xdg-desktop;

$ flatpak info --show-permissions com.wps.Office | grep filesystems
filesystems=xdg-download;/media;xdg-videos;xdg-documents;/run/media;xdg-pictures;

So it seems to me like LibreOffice might have too broad permissions, while the other two are too strict. A major pain with OnlyOffice and WPS is that I can’t access the Dropbox folder inside my home directory, or any network shares. I also find it highly confusing as a user that these similar applications have different permissions.

I checked out the Flatpak filesystem permission documentation to figure out what would be appropriate, but it doens’t seem that straight foward. For now I’ve resorted to sudo flatpak override org.onlyoffice.desktopeditors --filesystem=host; sudo flatpak override com.wps.Office --filesystem=host to “fix” this, but I was wondering:

What would be proper permissions for an office application?

2

Seems like the office applications should be using the portals API to access the filesystem. If that is the case, then the permissions should be set as strictly as possible IMO. I am not an expert on Flatpaks so this could be wrong, I am still learning about Flatpak and sandbox permissions.

1 Like
3

Same thing here.

Being restricted to the XDG folders is too restrictive while the whole host filesystem definitely seems like a security risk!

4

I would think you merely have to give the permission for access to your home dropbox dir, or am I mistaken in this? ie… flatpak override <app> --filesystem=xdg-run/dconf. I don’t use dropbox, or the other office suites you mention aside from LibreOffice, and on my system when I use flatpak info --show-permissions org.openoffice.OpenOffice I get the following …

[Context]
    shared=network;ipc;
    sockets=x11;wayland;pulseaudio;
    devices=dri;
    filesystems=xdg-run/dconf;host;

    [Session Bus Policy]
    org.gtk.vfs.*=talk
    org.libreoffice.LibreOfficeIpc0=own
    ca.desrt.dconf=talk

    [Environment]
    GIO_EXTRA_MODULES=/app/lib/gio/modules
    JAVA_HOME=/app/jre
    LIBO_FLATPAK=1
    DCONF_USER_CONFIG_DIR=.config/dconf

I was just thinking the environment should be compared as well, just to be certain.

5

Interesting thread!

So xdg-host doesnt actually allow access to everything. But it is still way to broad, and I would like your help to identify the actually needed directories.

Afaik its

  • /run/media/$USER or /var/media/$USER
  • /mnt or /var/mnt
  • /home/ or /var/home/

Please add the ones that may be used on any distro with flatpak support, to store media. Because that is what 80% of flatpaks with that host permission actually need.

What more? I once escalated a bit, forked all Flatpaks I knew with this horrible permission and changed every access to those instead, as I think its less and it makes more sense to specifically mention what is needed.

Lol they told me it was spam and makes no sense as its “security theatre” and the solution is portals.

Well yes of course, but its still better than nothing? Idk