Permission for individual files appearing in Flatpak permissions?

navras · December 28, 2023, 11:06pm

$ flatpak permissions
Table      Object     App                     Permissions                  Data
documents  aa2eef9f   org.mozilla.firefox     read,write,grant-permissions (b'/home/user/Pictures/Screenshots/Screenshot from 2023-12-27 12-13-29.png', 38, 17993, 0)
documents  32f8808    org.mozilla.firefox     read,write,grant-permissions (b'/home/user/Pictures/Screenshots/Screenshot from 2023-12-27 12-13-21.png', 38, 17993, 0)
documents  96fe0a97   org.mozilla.firefox     read,write,grant-permissions (b'/home/user/Pictures/Screenshots/Screenshot from 2023-12-27 12-18-02.png', 38, 17993, 0)
documents  244648a7   org.mozilla.firefox     read,write,grant-permissions (b'/home/user/Pictures/Screenshots/Screenshot from 2023-12-27 12-16-46.png', 38, 17993, 0)

Those files are long gone but the permissions are permanent?
Why is this a thing… Do I need to be careful about where I select my files now, and check permission stores sometimes…?

navras · December 29, 2023, 1:54am

The permissions are requested by Firefox through portal^[1], and the files are exported^[2]. These are dynamic permissions.
They use to be unable to removed^[3], though I was able to remove them with flatpak permission-remove documents <ID>. (permission-reset just removes App and Permissions but leaves the entries there.)

However I think the more correct way as said in the GNOME blog, is to use flatpak document-unexport <ID>^[4]. (Will try next time…)

I suppose they indeed build up overtime. I don’t think I saw them in Flatseal. Or it’d be nice if the app can remove the permission afterwards.

https://www.reddit.com/r/flatpak/comments/jwh61z/permissions_on_firefox/ ↩︎
https://blogs.gnome.org/mclasen/2018/07/19/flatpak-a-look-behind-the-portal/ ↩︎
github.com/flatpak/flatpak

permission-reset doesn't remove document permissions

opened 07:33PM - 23 Jul 20 UTC

BryanQuigley

## Ubuntu 18.04 / Stock ## 1.6.3 ## flatpak permission-reset app appears to re…set permissions, but appears to do nothing. ## Steps to reproduce 1. Using Firefox flatpak Open /etc/passwd with Ctrl-O. 2. Note name file:///run/user/1000/doc/4fab1618/passwd 3. Close Firefox 4. Run flatpak permission-show org.mozilla.firefox (note how it exists) 5. Run flatpak permission-reset org.mozilla.firefox 6. Run flatpak permission-show org.mozilla.firefox (note how that permission is gone) 7. Try opening file:///run/user/1000/doc/4fab1618/passwd again. Note how it still works. (IMU this should not work anymore...). Try Ctrl-F5 to try a force refresh.

↩︎
https://docs.flatpak.org/en/latest/flatpak-command-reference.html#flatpak-document-unexport ↩︎

navras · March 8, 2024, 4:56am

flatpak document-unexport --doc-id <ID>
Works as expected.

navras · October 21, 2024, 2:14pm

The list really builds up over time to be quite long and full of dead files.
It’s an open discussion^[1], and currently no way to clear them so I use this:

$ for i in $(flatpak documents); do flatpak document-unexport --doc-id $i; done

Not sure if there is a better way (just delete the document table, perhaps?).

Once a file is opened with FileChooser, the permissions remain permanently in flatpak #1349 ↩︎

Topic		Replies	Views
Flatpaks can't seem to access most folders, including /home Ask Fedora	4	5019	March 25, 2024
Flatpak Apps Confined Ask Fedora flatpak , security , selinux	1	350	January 19, 2024
Apps unable to read/write to files on separate internal drive (Fedora 40) Ask Fedora flatpak	5	3133	June 8, 2024
Firefox external?, parental controls, new rawhide apps? Project Discussion workstation-wg	5	125	November 25, 2024
Flatpak office suites sensible filesystems permissions Project Discussion silverblue-team	4	1281	February 25, 2024

Permission for individual files appearing in Flatpak permissions?

Related topics