A way to bypass Background portal
Simon McVittie
smcv at collabora.com
Thu Nov 21 11:16:24 UTC 2024
On Tue, 12 Nov 2024 at 10:38:25 +0000, VI-MCMXCV wrote:
> I apologise, in advance, if this isn't really a security issue or it has
> already been reported, but I feel I should report it, anyway.
This is a public mailing list. Did you intend to report this privately
as a possible security vulnerability? The place to do that is
flatpak-security at lists.freedesktop.org which only goes to project
maintainers.
(If you did intend this to be private: sorry, but the cat is already
out of the bag now!)
> It's possible to autostart and daemonize a flatpak app (Easy Effects, in my
> case), without giving it access to org.freedesktop.Background portal, by simply
> adding flatpak run com.github.wwmm.easyeffects --gapplication-service to a wm/
> compositor/de autostart config. After being added, it's possible to access and
> exit the app interface without killing the daemon process. However, if I open
> Easy Effects settings - a pop-up notification about lacking
> 'org.freedesktop.Background' access pops up and the background process will be
> killed any time I open and close the Easy Effects interface.
I'm not entirely clear on what the intended security model is for
the Background portal, or whether this would be considered to be a
vulnerability. Perhaps the xdg-desktop-portal maintainers could comment
on this?
The Background portal is a somewhat complicated interaction between
Flatpak, x-d-p and your desktop environment, rather than something
that is a feature of Flatpak on its own. If I'm reading correctly,
newly-installed apps also receive the "run in background" permission by
default, to avoid annoying users by too much prompting.
And, if I'm reading correctly, the Background portal doesn't have
any effect unless your desktop environment provides a suitable
desktop-specific portal backend (GNOME does, KDE Plasma might, other
environments probably don't), so this is more of a best-effort thing
than a hard security boundary.
> by simply
> adding flatpak run com.github.wwmm.easyeffects --gapplication-service to a
> wm/compositor/de autostart config
This is an action that *you* have taken, not an action that the app has taken,
so I don't think it implies that there is a problem.
If you-the-user take an action, then it's reasonable for the system
to behave as if "the user is always right" and allow it. The situation
that Flatpak and x-d-p potentially want to avoid is if a malicious or
compromised app that does not have elevated permissions would be able to
do something unwanted (like perhaps setting itself up to run automatically
in the background after each reboot) without your knowledge or control.
Since this is now public information anyway, perhaps it would be better
reported as an issue (probably to xdg-desktop-portal rather than flatpak,
at least initially) with at least the information that is included in the
typical issue report template:
* general system information
* steps to reproduce (what you did)
* what you expected to happen
* what actually happened
"What you expected to happen" is a key thing here, particularly in
situations where it isn't necessarily obvious, because it lets a maintainer
distinguish between the situation where something is working as-designed
but you thought the design was something different, and the situation where
it is not working in the intended way.
Thanks,
smcv
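
Added example, not part of the message above and not code from Flatpak or xdg-desktop-portal: a way to check which installed portal backends advertise the Background implementation interface, which is what determines whether the Background portal can have any effect on a given desktop. It assumes backend descriptions are `.portal` keyfiles under /usr/share/xdg-desktop-portal/portals with a `[portal]` section containing `DBusName`, `Interfaces` and `UseIn`; the helper names are hypothetical, and it does not evaluate the `portals.conf` backend selection used by newer xdg-desktop-portal releases.

```python
import configparser
import os
from pathlib import Path

BACKGROUND_IFACE = "org.freedesktop.impl.portal.Background"
# Usual install location for backend descriptions (assumption; varies by distro).
DEFAULT_PORTAL_DIR = Path("/usr/share/xdg-desktop-portal/portals")


def _split(value):
    return [x.strip() for x in value.split(";") if x.strip()]


def parse_portal_file(path):
    """Return (DBusName, interfaces, UseIn) from one .portal keyfile, or None."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read(path, encoding="utf-8")
    if not cp.has_section("portal"):
        return None
    sec = cp["portal"]
    return (sec.get("DBusName", ""), _split(sec.get("Interfaces", "")),
            _split(sec.get("UseIn", "")))


def background_backends(portal_dir=DEFAULT_PORTAL_DIR, current_desktop=None):
    """List (file, DBusName, matches_desktop) for backends advertising Background."""
    if current_desktop is None:
        current_desktop = os.environ.get("XDG_CURRENT_DESKTOP", "")
    desktops = {d.lower() for d in current_desktop.split(":") if d}
    found = []
    for path in sorted(Path(portal_dir).glob("*.portal")):
        try:
            parsed = parse_portal_file(path)
        except (configparser.Error, OSError, UnicodeDecodeError):
            continue  # skip unreadable or malformed files
        if parsed is None:
            continue
        name, ifaces, use_in = parsed
        if BACKGROUND_IFACE in ifaces:
            matches = bool(desktops & {u.lower() for u in use_in})
            found.append((path.name, name, matches))
    return found


if __name__ == "__main__":
    for fname, name, matches in background_backends():
        print(f"{fname}: {name} (UseIn matches current desktop: {matches})")
```

An empty result means no installed backend advertises the interface, so background restrictions are not being enforced by a desktop-specific backend on that system.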