Draft: Thunderbird can open files in home (using portals)

segfault requested to merge 19157-portals-in-thunderbird into stable

The portal services xdg-desktop-portal and xdg-desktop-portal-gtk assume that sandboxed applications which want to access files from outside the sandbox are run via either flatpak or snap. To still be able to use them, we trick them into thinking that we're running in a flatpak. That requires mounting a .flatpak-info file to the root filesystem of the application. We do that via a bwrap binding. Relevant parts of the xdg-desktop-portal code:

When this file exists, Thunderbird thinks that it's running in a flatpak, so it will try to use portals even when GTK_USE_PORTAL is not set.

Now that the portal service knows that we're running in a sandbox, it doesn't return the path selected by the user but a path below /run/user/1000/doc. We allow Thunderbird access to those in the AppArmor profile.

To prevent Thunderbird from accessing portal documents opened by other applications, we bind-mount /run/user/1000/doc/by-app/org.mozilla.Thunderbird to /run/user/1000/doc in the Thunderbird sandbox. That's the same thing flatpak does:

https://github.com/flatpak/flatpak/blob/a9a2c70e963c78f150ff8cf1854975fdf9990b69/common/flatpak-run.c#L3072-L3074

Closes #19592

Edited by segfault
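
The two bwrap bindings described above, as an added example that is not the code from this merge request or from Tails. The function names are hypothetical, and it is an assumption here that the portal takes the app ID from the `name` key of the `[Application]` group in `/.flatpak-info`; the app ID and paths are the ones given in the description.

```shell
#!/bin/sh
# Added illustration; function names are hypothetical, not the project's.

# Reject app IDs that could escape doc/by-app/ (empty, leading dot, "..",
# or any character outside the usual reverse-DNS alphabet, e.g. "/").
valid_app_id() {
    case "$1" in
        ''|.*|*..*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print a minimal .flatpak-info for the given app ID.
# Assumption: the portal reads the ID from name= in [Application].
flatpak_info() {
    valid_app_id "$1" || return 1
    printf '[Application]\nname=%s\n' "$1"
}

# Print the bwrap options (one per line) that
#  1. expose the info file read-only as /.flatpak-info, and
#  2. replace the document store with this app's own by-app subtree,
#     so documents granted to other applications are not visible.
# These must come after whatever option binds /run into the sandbox,
# because bwrap applies mounts in command-line order.
portal_bwrap_args() {
    app_id="$1"; uid="$2"; info_file="$3"
    valid_app_id "$app_id" || return 1
    case "$uid" in ''|*[!0-9]*) return 1 ;; esac
    doc_dir="/run/user/${uid}/doc"
    printf '%s\n' \
        --ro-bind "$info_file" /.flatpak-info \
        --bind "${doc_dir}/by-app/${app_id}" "$doc_dir"
}
```

The output of `portal_bwrap_args org.mozilla.Thunderbird 1000 <info file>` is meant to be appended to an existing bwrap command line; the AppArmor rule for `/run/user/1000/doc` mentioned in the description is still needed separately.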