Bug 470053 - Permissions that were changed before the 5.27.5 update are not reflected properly in the new UI
Status: RESOLVED FIXED
Alias: None
Product: systemsettings
Classification: Applications
Component: kcm_flatpak
Version First Reported In: 5.27.5
Platform: Other Linux
Importance: NOR normal
Target Milestone: ---
Assignee: Plasma Bugs List
Reported: 2023-05-20 16:28 UTC by unsalted_twitch682
Modified: 2023-05-29 23:54 UTC
Attachments
Flatpak KCM and Flatseal side-by-side: xdg-pictures and xdg-music should both be set as 'OFF' (779.09 KB, image/png)
2023-05-20 16:28 UTC, unsalted_twitch682
Steam override file in /home/user/.local/share/flatpak/overrides/ (90 bytes, text/plain)
2023-05-20 21:23 UTC, unsalted_twitch682

Description unsalted_twitch682 2023-05-20 16:28:45 UTC
Created attachment 159141
Flatpak KCM and Flatseal side-by-side: xdg-pictures and xdg-music should both be set as 'OFF'

SUMMARY

Permissions that were changed before the most recent update to flatpak-kcm do not properly reflect the actual permission state shown in Flatseal (see attached image).


STEPS TO REPRODUCE
1. Install some Flatpaks.
2. If on latest version of flatpak-kcm, downgrade it.
3. Open Flatpak KCM and pick a flatpak that has filesystem permissions
4. Uncheck a permission under 'Filesystem Access' and hit 'Apply'
5. Upgrade flatpak-kcm to latest version
6. Revisit the same flatpak in step 3

OBSERVED RESULT
Flatpak KCM shows the permission in step 4 unchanged.

EXPECTED RESULT
With the new 'OFF' option for setting filesystem permissions, 'OFF' should be set for the aforementioned permission.

SOFTWARE/OS VERSIONS
Operating System: Fedora
KDE Plasma Version: 5.27.5
KDE Frameworks Version: 5.106.0
Kernel Version: 6.2.15-300.fc38.x86_64 (64-bit)
Graphics Platform: Wayland
Comment 1 ratijas 2023-05-20 20:59:43 UTC
Can you please attach your relevant override files? They are in /home/ratijas/.local/share/flatpak/overrides/ (global and com.valvesoftware.Steam) and maybe also system ones in /var/lib/flatpak/overrides/

Also please paste the output of

$ flatpak info -M com.valvesoftware.Steam

The thing is, before the last upgrade all this was fairly broken, so unchecking those boxes might have led to unpredictable bad configurations. Not sure how it got picked by FlatSeal vs flatpak-kcm after all these fixes. We are preserving any unknown entries loaded from user overrides, even (currently) clearly invalid ones, for future compatibility reasons. Although the ones shown on the screenshot don't look broken at all.

With a fresh install I see all three folders in both apps (flatpak-kcm and FlatSeal). And if I set them to OFF in flatpak-kcm, they disappear from FlatSeal (which arguably kinda makes sense, even if it is confusing to power users).
Comment 2 unsalted_twitch682 2023-05-20 21:23:13 UTC
Created attachment 159153
Steam override file in /home/user/.local/share/flatpak/overrides/
Comment 3 unsalted_twitch682 2023-05-20 21:26:50 UTC
(In reply to ratijas from comment #1)
> Can you please attach your relevant override files? They are in
> /home/ratijas/.local/share/flatpak/overrides/ (global and
> com.valvesoftware.Steam) and maybe also system ones in
> /var/lib/flatpak/overrides/
> 
> Also please paste the output of
> 
> $ flatpak info -M com.valvesoftware.Steam
> 
> The thing is, before the last upgrade all this was fairly broken, so
> unchecking those boxes might have led to unpredictable bad configurations.
> Not sure how it got picked by FlatSeal vs flatpak-kcm after all these fixes.
> We are preserving any unknown entries loaded from user overrides, even
> (currently) clearly invalid ones, for future compatibility reasons. Although
> the ones shown on the screenshot don't look broken at all.
> 
> With a fresh install I see all three folders in both apps (flatpak-kcm and
> FlatSeal). And if I set them to OFF in flatpak-kcm, they disappear from
> FlatSeal (which arguably kinda makes sense, even if it is confusing to power
> users).

See above for the Steam override file. I have not set any global overrides. Also, I don't think I have any system overrides since there isn't an 'overrides' folder in the /var/lib/flatpak/ directory.

Finally, here's the output you requested:

[user@fedora ~]$ flatpak info -M com.valvesoftware.Steam
F: Filesystem suffix "ro" is not applicable for --nofilesystem
F: Filesystem suffix "ro" is not applicable for --nofilesystem
[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
features=devel;multiarch;per-app-dev-shm;
filesystems=xdg-run/app/com.discordapp.Discord:create;
persistent=.;
unset-environment=ALSA_CONFIG_PATH;TZ;STEAM_RUNTIME_PREFER_HOST_LIBRARIES;STEAM_RUNTIME;SDL_VIDEODRIVER;MESA_GLSL_CACHE_DIR;

[Session Bus Policy]
org.kde.StatusNotifierWatcher=talk
org.freedesktop.Notifications=talk
org.gnome.SettingsDaemon.MediaKeys=talk
org.freedesktop.ScreenSaver=talk
org.freedesktop.PowerManagement=talk

[System Bus Policy]
org.freedesktop.UPower=talk
org.freedesktop.UDisks2=talk

[Environment]
ALSA_CONFIG_PATH=
TZ=
STEAM_EXTRA_COMPAT_TOOLS_PATHS=/app/share/steam/compatibilitytools.d:/app/utils/share/steam/compatibilitytools.d
PYTHONPATH=/app/utils/lib/python3.10/site-packages
LC_NUMERIC=C
LC_MONETARY=C
FLATPAK_STEAM_UPDATE_SYMLINKS=0
DBUS_FATAL_WARNINGS=0
STEAM_RUNTIME_PREFER_HOST_LIBRARIES=
FLATPAK_STEAM_XDG_DIRS_PREFIX=~/.var/app/com.valvesoftware.Steam
LC_TELEPHONE=C
SSL_CERT_DIR=/etc/ssl/certs
STEAM_RUNTIME=
LC_MEASUREMENT=C
XDG_DATA_DIRS=/app/share:/usr/lib/extensions/vulkan/share:/usr/share:/usr/share/runtime/share:/run/host/user-share:/run/host/share
LC_NAME=C
XDG_CONFIG_DIRS=/etc/xdg:/usr/lib/x86_64-linux-gnu/GL:/usr/lib/i386-linux-gnu/GL
LC_COLLATE=C
SDL_VIDEODRIVER=
GST_PLUGIN_SYSTEM_PATH=/app/lib/gstreamer-1.0:/app/lib32/gstreamer-1.0:/usr/lib/extensions/gstreamer-1.0:/usr/lib/x86_64-linux-gnu/gstreamer-1.0:/usr/lib/i386-linux-gnu/gstreamer-1.0
MESA_GLSL_CACHE_DIR=
LC_ADDRESS=C
PATH=/app/bin:/app/utils/bin:/usr/bin
PROTON_DEBUG_DIR=/var/tmp
Comment 4 ratijas 2023-05-29 23:40:50 UTC
OK, so the error message from flatpak CLI is a bit misleading (it "thinks" that you are trying to set permissions with command arguments like `--nofilesystem` when in fact you are just requesting printing them out), but what matters is that flatpak rightfully fails to parse this:

filesystems=!xdg-music:ro;!xdg-pictures:ro

because mixing negation `!` and any of the :suffix modes is not well-defined. This is most likely a leftover from our previous buggy version.

In this broken case it doesn't matter how FlatSeal interprets it. It's just plainly invalid. There's only so much we could do about it now. I suggest dropping that overrides file and starting from scratch.

(not sure how to classify this bug report, but I guess it's RESOLVED/FIXED since we *did fix* generator of override files, so things like this should never happen again)
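
Added example, not part of the original comment or of flatpak-kcm: a small Python check that flags the kind of entry described in comment 4, a negated `filesystems` entry that also carries a mode suffix. The function names, the `ro`/`rw`/`create` suffix set and the placement of the line under `[Context]` are assumptions of this example.

```python
from pathlib import Path

# Assumption: the mode suffixes flatpak accepts on a filesystem grant.
MODE_SUFFIXES = {"ro", "rw", "create"}


def find_negated_with_mode(override_text):
    """Return [Context] filesystems entries that combine '!' with a mode suffix."""
    bad = []
    section = None
    for raw in override_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if section != "Context" or not sep or key.strip() != "filesystems":
            continue
        for entry in value.split(";"):
            entry = entry.strip()
            if not entry.startswith("!"):
                continue  # plain grants may legitimately carry a suffix
            _, colon, suffix = entry.rpartition(":")
            if colon and suffix in MODE_SUFFIXES:
                bad.append(entry)
    return bad


def scan_overrides(directory):
    """Map each override file name in `directory` to its invalid entries."""
    results = {}
    for path in sorted(Path(directory).expanduser().glob("*")):
        if path.is_file():
            bad = find_negated_with_mode(path.read_text(encoding="utf-8"))
            if bad:
                results[path.name] = bad
    return results


# Constructed sample: the filesystems line quoted in comment 4, placed under
# [Context] (assumed, matching the `flatpak info -M` output in comment 3).
SAMPLE = "[Context]\nfilesystems=!xdg-music:ro;!xdg-pictures:ro\n"
# Constructed counter-example: plain negation and a plain read-only grant.
CLEAN = "[Context]\nfilesystems=!xdg-music;xdg-pictures:ro;\n"

if __name__ == "__main__":
    print(find_negated_with_mode(SAMPLE))
    for name, bad in scan_overrides("~/.local/share/flatpak/overrides").items():
        print(f"{name}: {', '.join(bad)}")
```

Files it reports are candidates for the reset described in this thread: drop the override file, or use the 'Default' button in Flatpak KCM.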
Comment 5 unsalted_twitch682 2023-05-29 23:54:13 UTC
(In reply to ratijas from comment #4)
> OK, so the error message from flatpak CLI is a bit misleading (it "thinks"
> that you are trying to set permissions with command arguments like
> `--nofilesystem` when in fact you are just requesting printing them out),
> but what matters is that flatpak rightfully fails to parse this:
> 
> filesystems=!xdg-music:ro;!xdg-pictures:ro
> 
> because mixing negation `!` and any of the :suffix modes is not
> well-defined. This is most likely a leftover from our previous buggy version.
> 
> In this broken case it doesn't matter how FlatSeal interprets it. It's just
> plainly invalid. There's only so much we could do about it now. I suggest
> dropping that overrides file and starting from scratch.
> 
> (not sure how to classify this bug report, but I guess it's RESOLVED/FIXED
> since we *did fix* generator of override files, so things like this should
> never happen again)

Thank you for looking into this. Yes, shortly after I submitted the bug report, I realized that I can "work around" this bug by simply resetting the modified permissions using the 'Default' button in Flatpak KCM or the 'Reset' button in Flatseal. The result would be as if the bug I reported did not occur.

Again, thanks for looking into this and for your contributions to making an intuitive GUI for managing Flatpak permissions natively on KDE!