Bug 503901

Summary: Turning on device access does not also check the checkbox for "Direct graphic rendering", despite the fact that this gets enabled under the hood
Product: [Applications] systemsettings
Reporter: Claire <accounts>
Component: kcm_flatpak
Assignee: Plasma Bugs List <plasma-bugs-null>
Status: CONFIRMED ---
Severity: normal
CC: joshiesuhaas0, nate
Priority: NOR
Version First Reported In: 6.3.4
Target Milestone: ---
Platform: Fedora RPMs
OS: Linux
Latest Commit:
Version Fixed/Implemented In:
Sentry Crash Report:
Attachments: Image demonstrating the two settings I am referring to, as well as the spec for reference.

Description Claire 2025-05-08 01:50:13 UTC
Created attachment 181050 [details]
Image demonstrating the two settings I am referring to, as well as the spec for reference.

SUMMARY
According to the [flatpak spec](https://docs.flatpak.org/en/latest/sandbox-permissions.html), "device permissions" being checked (i.e. device=all) implies that *all* devices are permitted except for hosting dev/shm, which needs to be checked desperately. This creates a UX issue where a user can have their device access granted to a flatpak program, and when there are performance issues, go into permissions and see that "direct graphics rendering" is unchecked. They may then check it, and then when they continue to have issues, become frustrated as they erroneously believed access to the GPU was the issue, despite access *already being granted*. I myself was in this situation, and only learned that device=all implies device=dri after reading the spec. This is not user friendly. While I'm unsure if it's a bug per se, I think this is more severe than a simple request; it is, in my opinion, a critical UX issue.

STEPS TO REPRODUCE
1. Open Flatpak perms
2. Enable device access
3. Check advanced perms

OBSERVED RESULT
With device access checked, "direct graphics" is still "unchecked"

EXPECTED RESULT
There should be some communication to the end user that "device access" implies access to direct graphics already.

SOFTWARE/OS VERSIONS
Operating System: Fedora Linux 42
KDE Plasma Version: 6.3.4
KDE Frameworks Version: 6.13.0
Qt Version: 6.9.0
Kernel Version: 6.14.5-300.fc42.x86_64 (64-bit)
Graphics Platform: Wayland
Processors: 16 × AMD Ryzen 7 5800X3D 8-Core Processor
Memory: 31.2 GiB of RAM
Graphics Processor: AMD Radeon RX 7800 XT

ADDITIONAL INFORMATION
As I said, this was something that frustrated me for weeks on end. I was unsure if I needed the direct graphics rendering checked or not, leading to me assuming I was having graphics issues, etc. I had to find the flatpak sandboxing spec for myself to see that checking or unchecking direct rendering when device access is granted is pointless.

Comment 1 Claire 2025-05-08 02:15:19 UTC
(In reply to Claire from comment #0)
> Created attachment 181050 [details]
> Image demonstrating the two settings I am referring to, as well as the spec
> for reference.
> 
> SUMMARY
> According to the [flatpak
> spec](https://docs.flatpak.org/en/latest/sandbox-permissions.html), "device
> permissions" being checked (i.e. device=all) implies that *all* devices are
> permitted except for hosting dev/shm, which needs to be checked desperately.
> This creates a UX issue where a user can have their device access granted to
> a flatpak program, and when there are performance issues, go into permissions
> and see that "direct graphics rendering" is unchecked. They may then check
> it, and then when they continue to have issues, become frustrated as they
> erroneously believed access to the GPU was the issue, despite access
> *already being granted*. I myself was in this situation, and only learned
> that device=all implies device=dri after reading the spec. This is not user
> friendly. While I'm unsure if it's a bug per se, I think this is more severe
> than a simple request; it is, in my opinion, a critical UX issue.
> 
> STEPS TO REPRODUCE
> 1. Open Flatpak perms
> 2. Enable device access
> 3. Check advanced perms
> 
> OBSERVED RESULT
> With device access checked, "direct graphics" is still "unchecked"
> 
> EXPECTED RESULT
> There should be some communication to the end user that "device access"
> implies access to direct graphics already.
> 
> SOFTWARE/OS VERSIONS
> Operating System: Fedora Linux 42
> KDE Plasma Version: 6.3.4
> KDE Frameworks Version: 6.13.0
> Qt Version: 6.9.0
> Kernel Version: 6.14.5-300.fc42.x86_64 (64-bit)
> Graphics Platform: Wayland
> Processors: 16 × AMD Ryzen 7 5800X3D 8-Core Processor
> Memory: 31.2 GiB of RAM
> Graphics Processor: AMD Radeon RX 7800 XT
> 
> ADDITIONAL INFORMATION
> As I said, this was something that frustrated me for weeks on end. I was
> unsure if I needed the direct graphics rendering checked or not, leading to
> me assuming I was having graphics issues, etc. I had to find the flatpak
> sandboxing spec for myself to see that checking or unchecking direct
> rendering when device access is granted is pointless.

Separately, not desperately. Not sure what happened there.

Comment 2 Claire 2025-05-08 19:21:04 UTC
As an aside, it should also imply KVM access from my understanding.
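
The mismatch described in this report can be audited outside the settings UI. The following is an added example, not part of the bug report or of KDE's code: it reads the `devices=` list from a Flatpak keyfile `[Context]` section and reports which toggles are granted explicitly, which are already covered by `all`, and which remain off. The sample keyfile is constructed, and the implication set (`dri`, `kvm`, but not `shm`) is an assumption taken from the comments above.

```python
import configparser

# Constructed sample in Flatpak's keyfile format (metadata / override file).
SAMPLE = """\
[Context]
shared=network;ipc;
devices=all;dri;
"""

# Assumption taken from the report: "all" covers dri (comment 0) and kvm
# (comment 2), but not the host /dev/shm, which needs its own "shm" grant.
IMPLIED_BY_ALL = ("dri", "kvm")
TOGGLES = ("all", "dri", "kvm", "shm")


def parse_devices(keyfile_text):
    """Return the device names granted by the [Context] devices= list."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(keyfile_text)
    raw = cp.get("Context", "devices", fallback="")
    items = (i.strip() for i in raw.split(";"))
    # Entries prefixed with "!" are denials and grant nothing.
    return {i for i in items if i and not i.startswith("!")}


def toggle_states(granted):
    """Classify each toggle as 'explicit', 'implied-by-all' or 'off'."""
    states = {}
    for dev in TOGGLES:
        if dev in granted:
            states[dev] = "explicit"
        elif "all" in granted and dev in IMPLIED_BY_ALL:
            states[dev] = "implied-by-all"
        else:
            states[dev] = "off"
    return states


def redundant_grants(granted):
    """Explicit grants that change nothing because 'all' already covers them."""
    if "all" not in granted:
        return []
    return sorted(d for d in granted if d in IMPLIED_BY_ALL)


if __name__ == "__main__":
    granted = parse_devices(SAMPLE)
    print(toggle_states(granted))
    print("redundant:", redundant_grants(granted))
```

A toggle reported as `implied-by-all` is the case this report is about: the sandbox already has the access even though the checkbox shows unchecked.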