Doesn't use the xdg desktop portal

Hey everyone,

I’m creating a snap package of a GTK4 app but it doesn’t seem to use the xdg desktop portal despite using Gtk FileChooserNative:

To test it if needed, log in to an instance and try to upload or save media.

logs:

= AppArmor =
Time: Mar 16 14:01:28
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/proc/3253/mountinfo" pid=3253 comm="gmain" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

= AppArmor =
Time: Mar 16 14:01:28
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/etc/fstab" pid=3253 comm="dev.geopjr.Toot" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

= AppArmor =
Time: Mar 16 14:01:28
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/proc/3253/mountinfo" pid=3253 comm="dev.geopjr.Toot" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

= AppArmor =
Time: Mar 16 14:01:28
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/proc/3253/mounts" pid=3253 comm="dev.geopjr.Toot" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

= AppArmor =
Time: Mar 16 14:01:28
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/proc/3253/mountinfo" pid=3253 comm="dev.geopjr.Toot" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

= AppArmor =
Time: Mar 16 14:01:28
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/proc/3253/mounts" pid=3253 comm="dev.geopjr.Toot" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

= AppArmor =
Time: Mar 16 14:01:28
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/home/test/" pid=3253 comm="pool-dev.geopjr" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Try running the snappy-debug tool from the snappy-debug snap in a second terminal while launching your app and take a look at the interface plug suggestions it gives …

Thanks for the reply!

It only pointed me to process-control and hostname-control but even after adding and connecting them, nothing really changed:

= AppArmor =
Time: Mar 18 06:45:24
Log: apparmor="DENIED" operation="capable" class="cap" profile="/snap/snapd/18357/usr/lib/snapd/snap-confine" pid=7299 comm="snap-confine" capability=12  capname="net_admin"

= AppArmor =
Time: Mar 18 06:45:24
Log: apparmor="DENIED" operation="capable" class="cap" profile="/snap/snapd/18357/usr/lib/snapd/snap-confine" pid=7299 comm="snap-confine" capability=38  capname="perfmon"

= AppArmor =
Time: Mar 18 06:45:33
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/proc/7299/mountinfo" pid=7299 comm="gmain" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

= AppArmor =
Time: Mar 18 06:45:33
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/etc/fstab" pid=7299 comm="dev.geopjr.Toot" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0

= AppArmor =
Time: Mar 18 06:45:33
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/proc/7299/mountinfo" pid=7299 comm="dev.geopjr.Toot" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

= AppArmor =
Time: Mar 18 06:45:33
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/proc/7299/mounts" pid=7299 comm="dev.geopjr.Toot" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

= AppArmor =
Time: Mar 18 06:45:33
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/proc/7299/mountinfo" pid=7299 comm="dev.geopjr.Toot" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

= AppArmor =
Time: Mar 18 06:45:33
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/proc/7299/mounts" pid=7299 comm="dev.geopjr.Toot" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

= AppArmor =
Time: Mar 18 06:45:33
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/home/test/Downloads/" pid=7299 comm="pool-dev.geopjr" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000

Try adding this in the apps part.

GTK_USE_PORTAL: 1

The code would be like:

apps:
  tooth:
    command: usr/bin/dev.geopjr.Tooth
    desktop: usr/share/applications/dev.geopjr.Tooth.desktop
    environment:
      GTK_USE_PORTAL: 1

This should work [GTK_USE_PORTAL: 1 under environment], since it forces the app to use the portal. The other option is to use the desktop plug, but it's automatically added if using the latest gnome extension (42-2204).

Unfortunately it still doesn’t work:

test@test-Standard-PC-Q35-ICH9-2009:~/Downloads$ snap run --shell tooth
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

test@test-Standard-PC-Q35-ICH9-2009:/home/test/Downloads$ echo $GTK_USE_PORTAL
1

Here’s a recording of what’s happening:

FWIW, the app logged:

(dev.geopjr.Tooth:6033): GLib-GIO-WARNING **: 10:00:26.741: Error creating IO channel for /proc/self/mountinfo: Permission denied (g-file-error-quark, 2)

Man, if your app needs access to the home folder, you must give it na!

Add the home plug. Read these for more info: Snapcraft Interfaces and Snapcraft Supported Interfaces

apps:
  tooth:
    command: usr/bin/dev.geopjr.Tooth
    desktop: usr/share/applications/dev.geopjr.Tooth.desktop
    environment:
      GTK_USE_PORTAL: 1
    plugs:
      - home
      - network
      - network-status

I guess your app needs internet also, in some cases, so the network and network-status plugs will give it network access.

Sent you a pull request. Check it.

I’ve already given it network and network-status but I don’t think I should give it home access when it can use the portal 🤷 (well… it should be able to)

PORTAL doesn’t allow writing a new file (I guess). Check the XDG_DESKTOP_PORTAL for more details. I think that is the issue here.


I’m pretty sure portals can save files, but it occurs on open too anyway:

Can you try this once?

GTK_USE_PORTAL: '1'

Nothing changed (& same snappy-debug logs)

@ogra @alexmurray can you guys check this issue out?

I’m either missing something or xdg-desktop-portal doesn’t work at all because even a minimal reproduction fails

Is that home dir in the VM somehow mounted from the outside … i.e. via a network filesystem or some filesystem forwarding mechanism?

Does your user have normal access to the Downloads folder outside of snaps (can you do a “touch ~/Downloads/foo.txt”) …?

To have the fstab and mountinfo denials go away, you could try to define and connect mount-observe; that should give your app access to read fstab and call mountinfo and friends …
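
A small triage script for snappy-debug output like the logs posted in this thread, added here as an example (it is not code from any poster or from snapd). It collapses per-PID `/proc` paths, counts repeated denials, and attaches the interface the replies suggest (`mount-observe` for fstab and the mount tables, `home` for paths under `/home`); the `HINTS` table and the function names are assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed sample: a few denial lines in the format posted in this thread.
SAMPLE = '''\
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/proc/3253/mountinfo" pid=3253 comm="gmain" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/etc/fstab" pid=3253 comm="dev.geopjr.Toot" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/proc/3253/mountinfo" pid=3253 comm="dev.geopjr.Toot" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/proc/3253/mounts" pid=3253 comm="dev.geopjr.Toot" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/home/test/" pid=3253 comm="pool-dev.geopjr" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Log: apparmor="DENIED" operation="capable" class="cap" profile="/snap/snapd/18357/usr/lib/snapd/snap-confine" pid=7299 comm="snap-confine" capability=12  capname="net_admin"
Log: apparmor="DENIED" operation="open" class="file" profile="snap.tooth.tooth" name="/proc/7299/mountinfo" pid=7299 comm="gmain" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
'''

# key="quoted value" or key=bare_value pairs of an AppArmor audit line
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Return the fields of one AppArmor denial line, or None for other lines."""
    fields = {k: (quoted or bare) for k, quoted, bare in KV.findall(line)}
    return fields if fields.get("apparmor") == "DENIED" else None

# Hypothetical hint table: interfaces suggested in this thread's replies.
HINTS = [
    (re.compile(r"^/proc/<pid>/(mounts|mountinfo)$|^/etc/fstab$"), "mount-observe"),
    (re.compile(r"^/home/"), "home"),
]

def summarize(text):
    """Count denials per (profile, target, hint) with PIDs normalized away."""
    counts = Counter()
    for line in text.splitlines():
        f = parse(line)
        if not f:
            continue
        if f.get("class") == "cap":
            # Capability denials have no path; they come from snap-confine here.
            target, hint = "capability:" + f.get("capname", "?"), None
        else:
            target = re.sub(r"^/proc/\d+/", "/proc/<pid>/", f.get("name", "?"))
            hint = next((i for rx, i in HINTS if rx.search(target)), None)
        counts[(f.get("profile", "?"), target, hint)] += 1
    return counts

if __name__ == "__main__":
    for (profile, target, hint), n in sorted(summarize(SAMPLE).items(), key=str):
        print(f"{n}x {profile}: {target} -> {hint or 'no hint'}")
```

Grouping by profile separates the app's own denials (`snap.tooth.tooth`) from the `snap-confine` capability denials, which belong to a different profile.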

No, but I do test both on host and in the vm

Yes (I’ve also added random images in all folders in home for the sake of testing)

(I tried it on the reproduction app)

nothing changed, same snappy-debug logs, no xdg-desktop-portal

snap connections xdgportaltest 
Interface               Plug                          Slot                            Notes
content[gnome-42-2204]  xdgportaltest:gnome-42-2204   gnome-42-2204:gnome-42-2204     -
content[gtk-3-themes]   xdgportaltest:gtk-3-themes    gtk-common-themes:gtk-3-themes  -
content[icon-themes]    xdgportaltest:icon-themes     gtk-common-themes:icon-themes   -
content[sound-themes]   xdgportaltest:sound-themes    gtk-common-themes:sound-themes  -
dbus                    -                             xdgportaltest:xdgportaltest     -
desktop                 xdgportaltest:desktop         :desktop                        -
desktop-legacy          xdgportaltest:desktop-legacy  :desktop-legacy                 -
gsettings               xdgportaltest:gsettings       :gsettings                      -
mount-observe           xdgportaltest:mount-observe   :mount-observe                  manual
opengl                  xdgportaltest:opengl          :opengl                         -
wayland                 xdgportaltest:wayland         :wayland                        -
x11                     xdgportaltest:x11             :x11                            -

The reproduction app is here: https://github.com/geopjr-forks/snap-xdg-dekstop-portal-test with both a snap and a flatpak config, where the flatpak uses the xdg-desktop-portal while the snap has the previously mentioned behavior.

FWIW, the furthest I can limit the portal issue to is core22 + gtk4.


I just published an app named paper yesterday to the snap store. It uses the portal perfectly. You can give it a try and check.

I don’t think it does. Maybe because it’s on devmode but the portal is not being used. For starters the accented filechooser button is a giveaway, but also the paths. Here’s a comparison:

  • Paper flatpak (with the host permission manually denied (it comes with it by default)):

Notice the toast path, it’s from the portal /run/...


  • Paper snap on devmode:

Notice that it knows the full path to the export - which it wouldn’t be able to do if it used the portal
