Flatpak office suites sensible filesystems permissions

I’ve installed LibreOffice, WPS Office as well as OnlyOffice from Flathub. Turns out each of them has different default filesystem access settings:

    $ flatpak info --show-permissions org.libreoffice.LibreOffice | grep filesystems
    filesystems=xdg-run/dconf;host;

    $ flatpak info --show-permissions org.onlyoffice.desktopeditors | grep filesystems
    filesystems=xdg-download;xdg-documents;xdg-videos;xdg-pictures;xdg-desktop;

    $ flatpak info --show-permissions com.wps.Office | grep filesystems
    filesystems=xdg-download;/media;xdg-videos;xdg-documents;/run/media;xdg-pictures;

So it seems to me like LibreOffice might have too broad permissions, while the other two are too strict. A major pain with OnlyOffice and WPS is that I can’t access the Dropbox folder inside my home directory, or any network shares. I also find it highly confusing as a user that these similar applications have different permissions.

I checked out the Flatpak filesystem permission documentation to figure out what would be appropriate, but it doesn’t seem that straightforward. For now I’ve resorted to sudo flatpak override org.onlyoffice.desktopeditors --filesystem=host; sudo flatpak override com.wps.Office --filesystem=host to “fix” this, but I was wondering:

What would be proper permissions for an office application?

Seems like the office applications should be using the portals API to access the filesystem. If that is the case, then the permissions should be set as strictly as possible IMO. I am not an expert on Flatpaks so this could be wrong; I am still learning about Flatpak and sandbox permissions.


Same thing here.

Being restricted to the XDG folders is too restrictive while the whole host filesystem definitely seems like a security risk!

I would think you merely have to give the permission for access to your home Dropbox dir, or am I mistaken in this? i.e. flatpak override <app> --filesystem=xdg-run/dconf. I don’t use Dropbox, or the other office suites you mention aside from LibreOffice, and on my system when I use flatpak info --show-permissions org.openoffice.OpenOffice I get the following …

    [Context]
    shared=network;ipc;
    sockets=x11;wayland;pulseaudio;
    devices=dri;
    filesystems=xdg-run/dconf;host;

    [Session Bus Policy]
    org.gtk.vfs.*=talk
    org.libreoffice.LibreOfficeIpc0=own
    ca.desrt.dconf=talk

    [Environment]
    GIO_EXTRA_MODULES=/app/lib/gio/modules
    JAVA_HOME=/app/jre
    LIBO_FLATPAK=1
    DCONF_USER_CONFIG_DIR=.config/dconf

I was just thinking the environment should be compared as well, just to be certain.
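
Added example, not part of any post in this thread: a small Python audit that parses `flatpak info --show-permissions` output and separates broad filesystem grants (`host`, `host-os`, `host-etc`, `home`) from scoped ones. The sample input reuses the `filesystems=` lines quoted above; `org.example.Editor` and its values are hypothetical, added to show a read-only grant and a revocation.

```python
import configparser

# Names that expose large parts of the host, per Flatpak's sandbox-permissions docs.
BROAD = {"host", "host-os", "host-etc", "home"}
MODES = {"ro", "rw", "create"}

def filesystems(permissions_text):
    """Return the [Context] filesystems= entries from --show-permissions output."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case as written
    cp.read_string(permissions_text)
    raw = cp.get("Context", "filesystems", fallback="")
    return [e.strip() for e in raw.split(";") if e.strip()]

def classify(entries):
    """Sort entries into broad grants, scoped grants and revocations (!name)."""
    out = {"broad": [], "scoped": [], "revoked": []}
    for entry in entries:
        if entry.startswith("!"):          # form written by --nofilesystem=NAME
            out["revoked"].append(entry[1:])
            continue
        name, sep, mode = entry.rpartition(":")
        if not (sep and mode in MODES):    # no access suffix: default is read-write
            name, mode = entry, "rw"
        out["broad" if name in BROAD else "scoped"].append((name, mode))
    return out

# Constructed input: the filesystems= lines quoted in the thread, plus one
# hypothetical app (org.example.Editor) with a read-only grant and a revocation.
SAMPLES = {
    "org.libreoffice.LibreOffice": "[Context]\nfilesystems=xdg-run/dconf;host;\n",
    "org.onlyoffice.desktopeditors": "[Context]\nfilesystems=xdg-download;"
        "xdg-documents;xdg-videos;xdg-pictures;xdg-desktop;\n",
    "com.wps.Office": "[Context]\nfilesystems=xdg-download;/media;xdg-videos;"
        "xdg-documents;/run/media;xdg-pictures;\n",
    "org.example.Editor": "[Context]\nfilesystems=~/Dropbox;host:ro;!home;\n",
}

def audit(samples):
    """Map each app id to its classified filesystem entries."""
    return {app: classify(filesystems(text)) for app, text in samples.items()}

if __name__ == "__main__":
    for app, result in audit(SAMPLES).items():
        print(app, "broad:", result["broad"], "scoped:", len(result["scoped"]))
```

On a real system, feed `filesystems()` the full output of `flatpak info --show-permissions APP` with any leading indentation removed.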