Invoking xdg-open from a non-Flatpak sandbox

Simon McVittie smcv at debian.org
Tue Jan 16 12:51:08 UTC 2024


On Mon, 15 Jan 2024 at 12:54:14 +0100, Aziz Ben Ali wrote:
> After finding out that nested sandboxes are an exercise in futility, I
> learned about xdg-desktop-portal and quickly wrote a function that takes
> an input URI and passes it onto org.freedesktop.portal.OpenURI.

If you prefer an executable entry point,
https://github.com/flatpak/flatpak-xdg-utils provides this sort of thing
as a drop-in replacement for (a large subset of) the reference xdg-open and
xdg-email scripts. Despite its name, most of it is non-Flatpak-specific,
and only needs D-Bus access to portals; it's only flatpak-spawn that is
genuinely Flatpak-specific.

> That's worked sufficiently well for following links but I've configured
> certain applications like the default viewer for .tex documents within
> Emacs to utilize xdg-open instead of hard coding anything specific.
> 
> The question is, how should I go about launching potentially sandboxed
> target applications through xdg-open in a non-Flatpak setting?

You can call OpenFile() and use file descriptor passing, the same as in
https://github.com/flatpak/flatpak-xdg-utils/blob/main/src/xdg-open.c
(or just run flatpak-xdg-utils' xdg-open reimplementation as a subprocess,
if fd-passing over D-Bus is difficult to do in Emacs).

My understanding is that you can't generally say "open foo.tex in FooApp"
from inside a sandboxed Emacs, because a sufficiently creative attacker
could potentially use that to trick an application that didn't expect
to receive particular file types into executing arbitrary code.

You *can* say "open foo.tex in the default application", and configure
the default application at the desktop environment level (see
https://specifications.freedesktop.org/mime-apps-spec/mime-apps-spec-latest.html)
rather than in an Emacs-specific way. xdg-desktop-portal calls into
GLib's implementation of the mimeapps spec, so it has behaviour similar
to a typical mimeapps-spec-compliant desktop environment like GNOME or
KDE Plasma.

When running under a mimeapps-spec-compliant desktop environment, the
reference xdg-open script *also* behaves according to the mimeapps spec
(modulo possible bugs), so that behaviour is something you might already
be relying on.

    smcv
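
The default-application lookup described above, as an added example that is not part of the original message or of xdg-desktop-portal/GLib: the caller names only a MIME type, and the handler is resolved from host-side mimeapps.list files. It is a simplified sketch covering only the `[Default Applications]` group; the desktop IDs, file contents and installed set are constructed, and desktop-specific files and the added/removed-associations fallback are omitted.

```python
import configparser

# Constructed sample files, highest precedence first (user config, then system).
USER_MIMEAPPS = """\
[Default Applications]
text/x-tex=org.example.TexEditor.desktop;org.example.Viewer.desktop;
"""

SYSTEM_MIMEAPPS = """\
[Default Applications]
text/x-tex=org.example.Viewer.desktop;
application/pdf=org.example.PdfReader.desktop;
"""

# Constructed set of desktop file IDs that are actually installed on the host.
INSTALLED = {"org.example.Viewer.desktop", "org.example.PdfReader.desktop"}


def parse_defaults(text):
    """Return {mime_type: [desktop_id, ...]} from one mimeapps.list body."""
    parser = configparser.ConfigParser(
        interpolation=None, delimiters=("=",), comment_prefixes=("#",), strict=False
    )
    parser.optionxform = str  # keep keys exactly as written
    parser.read_string(text)
    if not parser.has_section("Default Applications"):
        return {}
    return {
        mime: [d.strip() for d in value.split(";") if d.strip()]
        for mime, value in parser.items("Default Applications")
    }


def resolve_default(mime_type, files_in_precedence_order, installed):
    """Return the first installed desktop ID listed for mime_type, or None.

    The requester supplies only the MIME type; which application runs is
    decided entirely by the host-side files passed in here.
    """
    for text in files_in_precedence_order:
        for desktop_id in parse_defaults(text).get(mime_type, []):
            if desktop_id in installed:  # uninstalled entries are skipped
                return desktop_id
    return None
```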

