Use desktop portals in Tor Browser
- Rationale
- Things outside of our control (upstream)
- Things under our control
- User-visible improvements
- FT-visible improvements
- Archive
Rationale
Using desktop portals in Tor Browser allows users to open files which Tor Browser usually doesn't have access to (#10422) and provides better integration into the desktop via other portal interfaces like the settings interface (see #19328).
We have a working PoC for running Tor Browser with portals. Actually two: one which fakes some things to make the portal service and Tor Browser think it's running in a Flatpak, and one which actually runs Tor Browser in a Flatpak.
Things outside of our control (upstream)
Regressions
- Opening the file chooser dialog again opens it in /run/user/1000/doc/${some hash}/
  - Upstream ticket: https://bugzilla.mozilla.org/show_bug.cgi?id=1775497
Not regressions but unfortunately not fixed by portals (yet)
- Drag and drop from directories other than the Tor Browser directories doesn't work. It's not implemented upstream.
  - Implemented in GTK 4, will probably not be backported to GTK 3: https://github.com/flatpak/xdg-desktop-portal/issues/99#issuecomment-565264246
- If you try to save a page outside of Tor Browser, it will sometimes fail. If you retry, it will succeed. Not a regression, because we can't do that in Tails currently anyway.
  - Reproducible with the official Firefox Flatpak.
  - Filed upstream bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1814851
  - Does not affect regular downloads, just "Save Page".
Things under our control
Regressions
- Opening a web page via double-click on nautilus fails.
  - Works on 10422-portals-in-tor-browser and 10422-tor-browser-in-flatpak as long as the file is accessible by Tor Browser. When it's not accessible by Tor Browser it's not a regression.
    - Firefox in Flatpak seems to use the document portal to access arbitrary files -> We might be able to get that to work in Tor Browser too
- Also /usr/local/bin/tails-documentation
  - tails-documentation actually works as expected on 10422-portals-in-tor-browser and 10422-tor-browser-in-flatpak
User-visible improvements
- Users can now open and save files anywhere in $HOME (saving might require retrying) (#10422)
- Settings like the window manager's button layout (minimize maximize buttons) are respected (#19328)
- Whatever other portals Tor Browser uses (not clear)
FT-visible improvements
- Less NIH: we will get rid of most of our own code to sandbox applications (and still allow them access to the resources which they do need access to)
- Probably avoid bugs like #18485 (closed), which we suspect is caused by buggy D-Bus proxy handling on our side. Things like that would be taken over by Flatpak.
- flatpak has a nice debugging interface, much nicer than what we have now
- In the long run, Flatpak will allow us to restrict AppArmor more → more security, but not now.
- In the long run, Flatpak is a "requirement" to ship Signal #14567
Archive
Copied from #10422:
Originally created by @sajolida on #10422 (Redmine)
In https://mailman.boum.org/pipermail/tails-ux/2015-September/000645.html we’ve been discussing the idea of granting Tor Browser access to files if and only if the user decides to open or otherwise access them.
This would improve on the current control access policy based on a set of folders (/Tor Browser and /Persistent/Tor Browser). This idea is inspired by “Guidelines and Strategies for Secure Interaction Design” by Ka-Ping Yee and also seems to be of interest to GNOME as “Implicit permission grants from interactive operations”:
https://mail.gnome.org/archives/gnome-os-list/2015-March/msg00010.html
We should follow up on the plans of GNOME regarding this but there’s not much we can do ourselves for the time being.
Existing WIP and discussions:
- https://trac.torproject.org/projects/tor/ticket/25578
- https://github.com/flathub/flathub/pull/1135
- https://github.com/micahflee/torbrowser-launcher/issues/407
- https://bugzilla.redhat.com/show_bug.cgi?id=1731284
- https://discussion.fedoraproject.org/t/tor-browser-on-silverblue/2032/12
Blueprints:
- Blueprint: https://tails.boum.org/blueprint/Linux_containers/
- https://tails.boum.org/contribute/design/application_isolation/
Parent Task: #15678