Created attachment 181050 [details]
Image demonstrating the two settings I am referring to, as well as the spec for reference.

SUMMARY
According to the [flatpak spec](https://docs.flatpak.org/en/latest/sandbox-permissions.html), "device permissions" being checked (ie device=all) implies that *all* devices are permitted except for hosting dev/shm, which needs to be checked desperately. This creates a UX issue where a user can have their device access granted to a flatpak program, and when there's performance issues, go into permissions and see that "direct graphics rendering" is unchecked. They may then check it, and then when they continue to have issues, become frustrated as they erroneously believed access to the GPU was the issue, despite access *already being granted*. I myself was in this situation, and only learned that device=all implies device=dri after reading the spec. This is not user friendly. While I'm unsure if it's a bug per se, I think this is more severe than a simple request; it is, in my opinion, a critical UX issue.

STEPS TO REPRODUCE
1. Open Flatpak perms
2. Enable device access
3. Check advanced perms

OBSERVED RESULT
With device access checked, "direct graphics" is still "unchecked"

EXPECTED RESULT
There should be some communication to the end user that "device access" implies access to direct graphics already.

SOFTWARE/OS VERSIONS
Operating System: Fedora Linux 42
KDE Plasma Version: 6.3.4
KDE Frameworks Version: 6.13.0
Qt Version: 6.9.0
Kernel Version: 6.14.5-300.fc42.x86_64 (64-bit)
Graphics Platform: Wayland
Processors: 16 × AMD Ryzen 7 5800X3D 8-Core Processor
Memory: 31.2 GiB of RAM
Graphics Processor: AMD Radeon RX 7800 XT

ADDITIONAL INFORMATION
As I said, this was something that frustrated me for weeks on end. I was unsure if I needed the direct graphics rendering checked or not, leading to me assuming I was having graphics issues, etc. I had to find the flatpak sandboxing spec for myself to see that checking or unchecking direct rendering when device access is granted is pointless.
(In reply to Claire from comment #0)
> Created attachment 181050 [details]
> Image demonstrating the two settings I am referring to, as well as the spec
> for reference.
>
> SUMMARY
> According to the [flatpak
> spec](https://docs.flatpak.org/en/latest/sandbox-permissions.html), "device
> permissions" being checked (ie device=all) implies that *all* devices are
> permitted except for hosting dev/shm, which needs to be checked desperately.
> This creates a UX issue where a user can have their device access granted to
> a flatpak program, and when there's performance issues, go into permissions
> and see that "direct graphics rendering" is unchecked. They may then check
> it, and then when they continue to have issues, become frustrated as they
> erroneously believed access to the GPU was the issue, despite access
> *already being granted*. I myself was in this situation, and only learned
> that device=all implies device=dri after reading the spec. This is not user
> friendly. While I'm unsure if it's a bug per se, I think this is more severe
> than a simple request; it is, in my opinion, a critical UX issue.
>
> STEPS TO REPRODUCE
> 1. Open Flatpak perms
> 2. Enable device access
> 3. Check advanced perms
>
> OBSERVED RESULT
> With device access checked, "direct graphics" is still "unchecked"
>
> EXPECTED RESULT
> There should be some communication to the end user that "device access"
> implies access to direct graphics already.
>
> SOFTWARE/OS VERSIONS
> Operating System: Fedora Linux 42
> KDE Plasma Version: 6.3.4
> KDE Frameworks Version: 6.13.0
> Qt Version: 6.9.0
> Kernel Version: 6.14.5-300.fc42.x86_64 (64-bit)
> Graphics Platform: Wayland
> Processors: 16 × AMD Ryzen 7 5800X3D 8-Core Processor
> Memory: 31.2 GiB of RAM
> Graphics Processor: AMD Radeon RX 7800 XT
>
> ADDITIONAL INFORMATION
> As I said, this was something that frustrated me for weeks on end. I was
> unsure if I needed the direct graphics rendering checked or not, leading to
> me assuming I was having graphics issues, etc. I had to find the flatpak
> sandboxing spec for myself to see that checking or unchecking direct
> rendering when device access is granted is pointless.

Separately, not desperately. Not sure what happened there.
As an aside, it should also imply KVM access from my understanding.
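
The implication discussed in this report, as an added example that is not part of the thread or of Plasma's code: it reads the `devices=` key of a Flatpak `[Context]` keyfile and reports which device classes are effectively granted and which explicit toggles are redundant. The function names and sample keyfiles are constructed for illustration; treating `kvm` as covered by `all` follows the last comment's understanding and is an assumption.

```python
import configparser

# Per the report, "all" already covers dri, and shm must be granted separately.
# Treating kvm as covered by "all" follows the last comment and is an assumption.
IMPLIED_BY_ALL = ("dri", "kvm")
SEPARATE = ("shm",)

def parse_devices(keyfile_text):
    """Return the set of device tokens granted by [Context] devices=."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(keyfile_text)
    granted = set()
    for tok in cp.get("Context", "devices", fallback="").split(";"):
        tok = tok.strip()
        if tok.startswith("!"):   # negated entry, as used in override files
            granted.discard(tok[1:])
        elif tok:
            granted.add(tok)
    return granted

def effective_access(keyfile_text):
    """Map each device class to 'explicit', 'implied by all' or 'not granted'."""
    granted = parse_devices(keyfile_text)
    state = {}
    for dev in IMPLIED_BY_ALL + SEPARATE:
        if dev in granted:
            state[dev] = "explicit"
        elif "all" in granted and dev in IMPLIED_BY_ALL:
            state[dev] = "implied by all"
        else:
            state[dev] = "not granted"
    return state

def redundant_toggles(keyfile_text):
    """Explicit grants that change nothing because 'all' is also set."""
    granted = parse_devices(keyfile_text)
    return sorted(d for d in IMPLIED_BY_ALL if d in granted and "all" in granted)

# Constructed sample keyfiles (not taken from the report).
ALL_ONLY = "[Context]\nshared=network;ipc;\ndevices=all;\n"
ALL_PLUS_DRI = "[Context]\ndevices=dri;all;\n"
DRI_ONLY = "[Context]\ndevices=dri;\n"

if __name__ == "__main__":
    for name, text in (("all only", ALL_ONLY), ("all + dri", ALL_PLUS_DRI),
                       ("dri only", DRI_ONLY)):
        print(name, effective_access(text), "redundant:", redundant_toggles(text))
```

The "all only" case is the one from the report: `dri` does not appear in the keyfile, so a per-device checkbox shows it as unchecked, yet the sandbox already has GPU access.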