GtkRecentManager and recently used files in sandboxed applications


#1

GTK has a GtkRecentManager API that allows applications to advertise recently used files (for unconfined applications the API writes to $HOME/.local/share/recently-used.xbel).

When running confined, the API writes to $HOME/snap/<snapName>/current/.local/share/recently-used.xbel instead.

Unconfined applications such as nautilus (or the shell) can display a list of recently used files, but they’re not aware of those opened by confined applications. That seems reasonable to me, as exposing which files were opened by a sandboxed application for the entire system (and every unsandboxed application out there) to see seems like an important information leak.

However, this can also be seen as a regression by end users who are expecting to see their recently used files show up there, when they start using the snap version of an application. This was recently reported as a bug against the libreoffice snap.

Not really sure what to do about that, or if we want to do something at all, but I thought I’d open a discussion here to get people’s input and opinions.


#2

I personally think that exposing the recently opened files is reasonable.


#3

This is essentially covered by xdg-desktop-portal bug #215. I don’t think there has been any action taken on it yet though.

It definitely doesn’t look safe to give a confined application access to ~/.local/share/recently-used.xbel. The <bookmark:application> element includes a command line to open the file. That could potentially be used to escape the sandbox. So I don’t think there is any quick fix outside of improving xdg-desktop-portal.
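
The `<bookmark:application>` point from post #3, as an added example that is not part of the original thread: a Python audit that lists the command line stored for each entry of a recently-used.xbel document and marks entries whose program is not on an allowlist. The sample document, the allowlist and the function name `audit_recent_execs` are constructed for illustration.

```python
import shlex
import xml.etree.ElementTree as ET

BOOKMARK_NS = "http://www.freedesktop.org/standards/desktop-bookmarks"

# Constructed sample in the recently-used.xbel layout; not taken from a real system.
SAMPLE_XBEL = """<xbel version="1.0"
      xmlns:bookmark="http://www.freedesktop.org/standards/desktop-bookmarks">
  <bookmark href="file:///home/user/report.odt">
    <info><metadata owner="http://freedesktop.org">
      <bookmark:applications>
        <bookmark:application name="soffice" exec="&apos;soffice %u&apos;" count="2"/>
      </bookmark:applications>
    </metadata></info>
  </bookmark>
  <bookmark href="file:///home/user/notes.txt">
    <info><metadata owner="http://freedesktop.org">
      <bookmark:applications>
        <bookmark:application name="gedit" exec="&apos;unexpected-helper --flag %f&apos;" count="1"/>
      </bookmark:applications>
    </metadata></info>
  </bookmark>
</xbel>"""

def audit_recent_execs(xbel_text, allowed_programs):
    """Return (href, app name, command, allowed) for every registered application."""
    # Stdlib parser keeps the example self-contained; for files written by an
    # untrusted application a hardened parser such as defusedxml is preferable.
    root = ET.fromstring(xbel_text)
    findings = []
    for bookmark in root.iter("bookmark"):
        href = bookmark.get("href", "")
        for app in bookmark.iter(f"{{{BOOKMARK_NS}}}application"):
            command = app.get("exec", "")
            # GTK-written files wrap the command line in one pair of single quotes.
            if len(command) >= 2 and command[0] == command[-1] == "'":
                command = command[1:-1]
            try:
                argv = shlex.split(command)
            except ValueError:
                argv = []  # unbalanced quoting: report as not allowed
            program = argv[0] if argv else ""
            # The name attribute is only a label; what matters is the exec program.
            findings.append((href, app.get("name", ""), command, program in allowed_programs))
    return findings

if __name__ == "__main__":
    for finding in audit_recent_execs(SAMPLE_XBEL, {"soffice"}):
        print(finding)
```

The second constructed entry carries the label `gedit` while its `exec` names a different program, which is why the check keys on the command line rather than on `name`.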