On (perfect) Android Apps have no permissions by default.
GrapheneOS optimized this and even allows to block internet permission right on install.
In Linux we have a wonderfully clean workspace, which is why even with no containerization at all, it always went well all these years. I used OpenSnitch and there actually were nearly no connections!
But anyways, the current state of Flatpaks is not ready for MS Edge, Google Chrome and other “malware” that is not GIMP, Libreoffice or Krita.
Opt-in permissions with easy presets
Android should never be the model, as its security and privacy features are bypassed the moment they are invented.
- System apps (Equivalent to native apps on Linux)
- Unchangeable permissions, holes in the sandbox
- Install an app through Discover
- A dialog opens inside Discover, you see the preset flatpak permissions with checkmarks
- You get the choice to uncheck every permission
This would be pretty much the Systemsettings page, but in a place they actually belong, and make it easy to actually check the settings for every app on install, not somewhere when (advanced) users find the settings page.
Having them opt-out would easily unbreak Flatpaks, as this currently is the explanation, why Inkscape should have whole root filesystem access, or any app should have internet access just to display some dialog or autoupdater.
What do you think? How should the permissions be handled? Should they all be opt-in, with more security but the possibility to break apps?
Is there the capability to halt an app from starting while settings these settings? To have it tighly shut until you were able to deny it for example internet access?
Can Flatpak apps on Linux even set themselves as autostart or similar bloatware fun stuff?
I’m happy to be corrected but installing a Flatpak doesn’t start anything at all. You can easily install one, go to the Flatpak KCM and tweak the settings to your desired level of security.
Though if you feel a flatpak from Flathub for instance has permissions it shouldn’t need you should report that issue to the authors of the flatpak as it may just be an oversight.
Just a note though I’d avoid calling software you simply don’t like malware, it’s not helpful to anyone.
The present Flatpak permission settings aren’t human readable like Android permission settings.
I’ll grant you the Advanced Permissions portion requires some pretty in-depth knowledge of how Flatpak works (more than what I have), but the main section seems pretty reasonable to me?
This is what it shows for the Apple Music streaming app I use (Cider):
The last xdg-run item is a bit funky-looking, but I don’t think anything here is unreasonable - I can see that this app can connect to the internet, use audio, and doesn’t have general access to my system or my files. All that seems OK to me?
It might be worth considering some way to link from Discover pages to those permissions pages, similarly to how Ubuntu handles Snap permissions:
but in a sense, aren’t all of these are steps really only required in the event of an expert user wanting to tweak app access levels, or a misconfigured Flatpak? In the former case, I’d think the current setup is pretty adequate (especially considering that a Flatpak isn’t going to automatically start after installation, as Justin mentioned), and in the latter case, that seems like it’d need addressed upstream at Flathub.
Purely an outsider POV, but I’ve poked around as a user in each of these enough (and have used both Android and iOS over the years), figured I’d offer my thoughts for whatever they’re worth!
Yeah, the naming in the Flatpak permissions does have a few items that aren’t clear to the average user. I’d suggest reporting that over on the flatpak-kcm on https://bugs.kde.org so it can be sorted out.
Proptietary Software with uncontrolled permissions should be possible to be called Malware, as it does bad things to you. Not destroy your PC, but possibly it could even do that.
Yes I guess too that on Linux in general Apps dont just start.
Thanks! Yes I agree Flatpaks often work like that.
For me though Goals would be
- apps having no access at all if they are not file managers, they can use portals
- users able to choose specific folders for every app, like storage scopes on GrapheneOS
Flatpak permissions may be hardened, but at the current state they are always focused on not breaking the app
On Android there are lots of hidden permissions that are active anyways, this is bad. The Flatpak equivalent currently is that you often dont change permissions at all.
And some apps are really strange, interestingly the most common ones like GIMP, Inkscape and so on. I tried to write a script to detect host access, and then override it with a set of directories or custom directories, not sure if it works though.
And again, having it pop up (I agree the form is very well readable) after installation would help with transparency and control.
I love KDE for the GUI control it gives me. And as I plan a nearly Flapak-only Desktop, the overrated security due to lack of hardened permissions should be visible directly after install
So don’t install it, not a problem that needs solving.
Wouldnt say I can just not install GIMP. These apps need fixes upstream for sure. But is this actually visible from Discover?
I have to be honest I dont even use Discover as its too buggy with rpm-ostree and always tries to update
or causes crashes when I just want a flatpak. But if that was solved, a good GUI appstore is necessary.
Edit: Discover deals with RPM-Ostree way better now! awesome, the diffs are shown and everything. I am very happy with it now. Still I would like a completely autonomous updater, as I always press yes anyways.