[Webkit-unassigned] [Bug 190619] [GTK][WPE] Fix xdg-desktop-portal permissions from a sandbox

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Oct 16 09:18:04 PDT 2018 

https://bugs.webkit.org/show_bug.cgi?id=190619

Michael Catanzaro <mcatanzaro at igalia.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mcatanzaro at igalia.com
 Attachment #352457|review?, commit-queue?      |review+, commit-queue-
              Flags|                            |

--- Comment #2 from Michael Catanzaro <mcatanzaro at igalia.com> ---
Comment on attachment 352457
  --> https://bugs.webkit.org/attachment.cgi?id=352457
[GTK][WPE] Fix xdg-desktop-portal permissions from a sandbox

View in context: https://bugs.webkit.org/attachment.cgi?id=352457&action=review

> Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp:43
> +static int createSealedMemFdWithData(const char *name, gconstpointer data, size_t size)

const char* name

> Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp:129
> +    void setPermissions(Vector<CString>& permissions)

Vector<CString>&&

> Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp:132
> +        m_permissions = permissions;

WTFMove(permissions)

> Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp:651
> +        g_warning("GApplication is required for portal access");

This warning message should be a bit more detailed, so users understand what is actually wrong:

"GApplication is required for xdg-desktop-portal access in the WebKit sandbox. Actions that require xdg-desktop-portal will be broken. To fix this, create a GApplication."

or something along those lines.

> Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp:738
> +    // xdg-desktop-portal defaults to assuming you are host application with
> +    // full permissions unless it can identify you as a snap or flatpak.
> +    // The easiest method is for us to pretend to be a flatpak and if that
> +    // fails just blocking portals entirely as it just becomes a sandbox escape.

Is Alex OK with supporting this hackery? It's OK for now, but seems like not a great long-term solution.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20181016/520b9724/attachment.html>

More information about the webkit-unassigned mailing list