This is a follow up to the xdg-desktop-portal discussions. I’ve put together a proof of concept for a snap confined application talking to the outside world via the portal.
This is definitely not production ready: it is fragile, and a number of the changes are not suitable for submission upstream.
Add the following PPA to your system (currently only contains packages for Artful):
(note: still waiting for Launchpad to build the -0jamesh4 version of snapd, which contains some AppArmor policy fixes)
With the PPA enabled, ensure you’ve got `/etc/fuse.conf` and uncomment the line `user_allow_other`. This is needed because `snap-confine` runs as root, which by default won’t be able to see FUSE file systems owned by a regular user (as covered in this thread).
Download the following test package:
… then install it and connect up the

```
snap install --dangerous portal-test_1_amd64.snap
snap connect portal-test:xdg-desktop-portal
```
Note that the snap is not connected to the home interface.
Running the test app
Since snapd does not support per-user mounts, my modified snapd package will only set up the document portal mounts correctly for the first user. So if your user ID is not 1000, switch to that account first.
Next, ensure that the document portal service is running, so its FUSE file system (`/run/user/1000/doc`) is mounted:

```
systemctl --user start xdg-document-portal.service
```
Now run the test application:
Not everything in the test app is hooked up, but enough is to show it talking to
Click on the button labelled “File Chooser”. A file open dialog should open that lets you see all of your files. This is possible because the dialog box is running outside of the sandbox. When you select a file, the path passed to the confined app will be something like
Click on the button labelled “Open”. You should get a similar file open dialog box, but with far more restricted access: this one is running in process within the sandbox.
Click the text “GNOME”. This should open a page in your default web browser.
Click the “Screenshot” button. A screenshot will be taken, and you will be asked whether you want to grant the application access. The screenshot will be provided via the document portal.
The network connectivity state is made available to the confined app without needing access to NetworkManager.
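The steps above depend on three things being in place before the snap is launched: running as uid 1000, `user_allow_other` being active in `/etc/fuse.conf`, and the document portal FUSE file system being mounted under the user's runtime directory. The following pre-flight script is an added example, not part of the original post or of any of the projects it modifies; it checks each of those and also flags the widened FUSE visibility that the `user_allow_other` / `allow_root` workaround introduces. The file paths and the `fuse.portal` filesystem type it matches on are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for the portal-test demo (added example, not from the post).

# Return 0 if the given fuse.conf has an active (uncommented) user_allow_other line.
# Note: this setting lets any user's FUSE mounts be seen by root, which the post
# describes as something to avoid once snapd supports per-user mounts.
fuse_allow_other_enabled() {
    grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*$' "$1"
}

# Return 0 if the mount table (/proc/mounts format) in $1 lists a FUSE file
# system (type "fuse" or "fuse.<subtype>", e.g. fuse.portal) mounted at $2.
doc_portal_mounted() {
    awk -v dir="$2" '$2 == dir && $3 ~ /^fuse/ { found = 1 } END { exit !found }' "$1"
}

# Run all checks against the live system; print what is missing, return non-zero if anything is.
preflight() {
    status=0
    uid=$(id -u)
    if [ "$uid" != 1000 ]; then
        echo "uid is $uid, not 1000: the modified snapd only sets up the doc mount for uid 1000"
        status=1
    fi
    if ! fuse_allow_other_enabled /etc/fuse.conf 2>/dev/null; then
        echo "user_allow_other is not enabled in /etc/fuse.conf (snap-confine will not see the FUSE mount)"
        status=1
    else
        echo "warning: user_allow_other is enabled; root can see all users' FUSE mounts"
    fi
    docdir="${XDG_RUNTIME_DIR:-/run/user/$uid}/doc"
    if ! doc_portal_mounted /proc/mounts "$docdir" 2>/dev/null; then
        echo "document portal not mounted at $docdir; try: systemctl --user start xdg-document-portal.service"
        status=1
    fi
    return $status
}

preflight || echo "pre-flight checks failed"
```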
I had to modify a number of components to get this demo working:
This adds the `xdg-desktop-portal` snapd interface. The implementation currently assumes you’ll be running as uid 1000, since snapd doesn’t support per-user mounts.
The document portal daemon is part of the Flatpak tree, so I needed some changes here to get it to detect when it is speaking to a snap confined application.
I also changed the FUSE mount options to add `allow_root`, so that `snap-confine` can see the file system in order to set up the bind mounts. This is obviously something we’d want to avoid, since it requires the change to `/etc/fuse.conf`, and potentially opens up local security vulnerabilities.
Similar to the document portal, the desktop portal needed modifications to detect when it is speaking to a snap confined application.
The test application is https://github.com/matthiasclasen/portal-test built with a simple snapcraft.yaml. The only changes of note were to set the `GTK_USE_PORTAL` environment variable, and ship with a new enough version of GTK.