Doesn't use the xdg desktop portal

GeopJr · March 16, 2023, 1:20pm

Hey everyone,

I’m creating a snap package of a GTK4 app but it doesn’t seem to use the xdg desktop portal despite using Gtk FileChooserNative:

github.com

GeopJr/Tooth/blob/main/snapcraft.yaml

name: tooth
base: core22
version: git
adopt-info: tooth

grade: devel
confinement: strict
license: GPL-3.0-only
compression: lzo

slots:
  tooth:
    interface: dbus
    bus: session
    name: dev.geopjr.Tooth

apps:
  tooth:
    command: usr/bin/dev.geopjr.Tooth
    desktop: usr/share/applications/dev.geopjr.Tooth.desktop

This file has been truncated. show original

To test it if needed, login to an instance and try to upload or save media.

logs:

= AppArmor =
Time: Mar 16 14:01:28
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/proc/3253/mountinfo" pid=3253 comm="gmain" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

= AppArmor =
Time: Mar 16 14:01:28
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/etc/fstab" pid=3253 comm="dev.geopjr.Toot" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

= AppArmor =
Time: Mar 16 14:01:28
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/proc/3253/mountinfo" pid=3253 comm="dev.geopjr.Toot" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

= AppArmor =
Time: Mar 16 14:01:28
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/proc/3253/mounts" pid=3253 comm="dev.geopjr.Toot" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

= AppArmor =
Time: Mar 16 14:01:28
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/proc/3253/mountinfo" pid=3253 comm="dev.geopjr.Toot" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

= AppArmor =
Time: Mar 16 14:01:28
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/proc/3253/mounts" pid=3253 comm="dev.geopjr.Toot" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

= AppArmor =
Time: Mar 16 14:01:28
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/home/test/" pid=3253 comm="pool-dev.geopjr" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

ogra · March 17, 2023, 12:19pm

try running the snappy-debug tool from the snappy-debug snap in a second terminal while launching your app and take a look at the interface plug suggestions it gives …

GeopJr · March 18, 2023, 4:59am

Thanks for the reply!

It only pointed me to process-control and hostname-control but even after adding and connecting them, nothing really changed:

= AppArmor =
Time: Mar 18 06:45:24
Log: apparmor="DENIED" operation="capable" class="cap" profile="/snap/snapd/18357/usr/lib/snapd/snap-confine" pid=7299 comm="snap-confine" capability=12  capname="net_admin"

= AppArmor =
Time: Mar 18 06:45:24
Log: apparmor="DENIED" operation="capable" class="cap" profile="/snap/snapd/18357/usr/lib/snapd/snap-confine" pid=7299 comm="snap-confine" capability=38  capname="perfmon"

= AppArmor =
Time: Mar 18 06:45:33
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/proc/7299/mountinfo" pid=7299 comm="gmain" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

= AppArmor =
Time: Mar 18 06:45:33
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/etc/fstab" pid=7299 comm="dev.geopjr.Toot" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

= AppArmor =
Time: Mar 18 06:45:33
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/proc/7299/mountinfo" pid=7299 comm="dev.geopjr.Toot" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

= AppArmor =
Time: Mar 18 06:45:33
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/proc/7299/mounts" pid=7299 comm="dev.geopjr.Toot" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

= AppArmor =
Time: Mar 18 06:45:33
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/proc/7299/mountinfo" pid=7299 comm="dev.geopjr.Toot" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

= AppArmor =
Time: Mar 18 06:45:33
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/proc/7299/mounts" pid=7299 comm="dev.geopjr.Toot" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

= AppArmor =
Time: Mar 18 06:45:33
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/home/test/Downloads/" pid=7299 comm="pool-dev.geopjr" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

soumyaDghosh · March 18, 2023, 6:35am

Trying adding this in the apps part.

GTK_USE_PORTAL: 1

The code would be like:

apps:
  tooth:
    command: usr/bin/dev.geopjr.Tooth
    desktop: usr/share/applications/dev.geopjr.Tooth.desktop
    environment:
      GTK_USE_PORTAL: 1

SamAlex · March 18, 2023, 7:05am

This should work [GTK_USE_PORTAL: 1 under environmnet], since it forces the app to use the portal other option are to use desktop plug but its automatically added if using latest gnome-extension (42-2204)

GeopJr · March 18, 2023, 8:08am

Unfortunately it still doesn’t work:

test@test-Standard-PC-Q35-ICH9-2009:~/Downloads$ snap run --shell tooth
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

test@test-Standard-PC-Q35-ICH9-2009:/home/test/Downloads$ echo $GTK_USE_PORTAL
1

Here’s a recording of what’s happening:

FWIW, the app logged:

(dev.geopjr.Tooth:6033): GLib-GIO-WARNING **: 10:00:26.741: Error creating IO channel for /proc/self/mountinfo: Permission denied (g-file-error-quark, 2)

soumyaDghosh · March 18, 2023, 8:47am

Man if your apps needs the access of home folder, you must give it na!

Add the home plug. Read this for more info Snapcraft Interfaces and Snapcraft Supported Interfaces

apps:
  tooth:
    command: usr/bin/dev.geopjr.Tooth
    desktop: usr/share/applications/dev.geopjr.Tooth.desktop
    environment:
      GTK_USE_PORTAL: 1
    plugs:
      - home
      - network
      - network-status

I guess your app needs internet also, in some cases, so the network and network-status plug will give it network access.

soumyaDghosh · March 18, 2023, 8:57am

Sent you a pull request. Check it.

GeopJr · March 18, 2023, 8:59am

I’ve already given it network and network-status but I don’t think I should give it home access when it can use the portal 🤷 (well… it should be able to)

soumyaDghosh · March 18, 2023, 9:09am

PORTAL doesn’t allow to write a new file (I guess). Check the XDG_DESKTOP_PORTAL for more details. I think that is the issue here.

GeopJr · March 18, 2023, 9:16am

I’m pretty sure portals can save files, but it occurs on open too anyway:

soumyaDghosh · March 18, 2023, 9:29am

Can you try this once.

GTK_USE_PORTAL: '1'

GeopJr · March 18, 2023, 9:38am

Nothing changed (& same snappy-debug logs)

soumyaDghosh · March 18, 2023, 9:39am

@ogra @alexmurray can you guys check this issue out?

GeopJr · March 18, 2023, 1:55pm

I’m either missing something or xdg-desktop-portal doesn’t work at all because even a minimal reproduction fails

ogra · March 18, 2023, 2:07pm

Is that home dir in the VM somehow mounted from the outside … i.e. via a network filesystem or some filesystem forwarding mechanism ?

does your user have normal access to the Downloads folder outside of snaps (can you do a “touch ~/Downloads/foo.txt”) … ?

to have the fstab and mountinfo denials go away you could try to define and connect mount-observe, that should give your app access to read fstab and call mountinfo and friends …

GeopJr · March 18, 2023, 2:29pm

No, but I do test both on host and in the vm

Yes (I’ve also added random images in all folders in home for the sake of testing)

(I tried it on the reproduction app)

nothing changed, same snappy-debug logs, no xdg-desktop-portal

snap connections xdgportaltest 
Interface               Plug                          Slot                            Notes
content[gnome-42-2204]  xdgportaltest:gnome-42-2204   gnome-42-2204:gnome-42-2204     -
content[gtk-3-themes]   xdgportaltest:gtk-3-themes    gtk-common-themes:gtk-3-themes  -
content[icon-themes]    xdgportaltest:icon-themes     gtk-common-themes:icon-themes   -
content[sound-themes]   xdgportaltest:sound-themes    gtk-common-themes:sound-themes  -
dbus                    -                             xdgportaltest:xdgportaltest     -
desktop                 xdgportaltest:desktop         :desktop                        -
desktop-legacy          xdgportaltest:desktop-legacy  :desktop-legacy                 -
gsettings               xdgportaltest:gsettings       :gsettings                      -
mount-observe           xdgportaltest:mount-observe   :mount-observe                  manual
opengl                  xdgportaltest:opengl          :opengl                         -
wayland                 xdgportaltest:wayland         :wayland                        -
x11                     xdgportaltest:x11             :x11                            -

The reproduction app is here: https://github.com/geopjr-forks/snap-xdg-dekstop-portal-test with both a snap and a flatpak config where the flatpak uses the xdg-desktop-portal while the snap has the previously mentioned behavior