Not really sure it works that way, you still have to grant it location permissions at start, the fact it has extra app settings where you can deny/allow specific websites access to location permission is all just a matter of trust, the main permission has been granted, sure it’s an app by Jolla so probably trustworthy, but that doesn’t make SFOS apps trustworthy (see some devs claiming their app downloading latest possible backdoors on start is a feature). And I’m not sure how the Firejail approach is better than Android’s, it’s basically the same thing at the end of the day (whether the app you granted X permission presents some extra choices inside, it’s already granted, what’s the big difference?)
Couldn’t you just use something like e.g.
sed -r 's/Location;//' /usr/share/applications/sailfish-browser.desktop
to remove the location permission from the browser app? The browser should still work as long as you don’t use location stuff on websites?
Yes but, if I’m not mistaken, not only.
edit: well, I was mistaken. See next post.
It seems possible to remove/add permissions by modifying two files:
The one you mention:
>/usr/share/applications/sailfish-browser.desktop
and
>/home/.system/var/lib/sailjail/settings/user-100000.settings
Permissions for a given app have to match in both files.
@headlamp_mapper, think of making a backup of these files before editing them.
About the easiest way to edit them, I don’t know exactly. I use vim as root.
Is there a simpler way, btw?
You can of course also replace strings with sed, if you know it, as advised by @mive.
You also can use the search function of the forum to find more info, for example:
NO, no no no no!
Don’t edit the files owned by the package!
What you do is copy the file into /etc/sailjail/applications, edit the copy (optionally removing everything but the [x-Sailjail] (or [Sailjail]) group), and then modify whatever you want to modify in the sailjail group.
(Obviously, to revert to default, just remove the file in /etc again)
After that
also shouldn’t need to be touched, the next time the app is launched, the new configurations should be picked up (causing another permission prompt).
Reference: Sailjail daemon README
The above was just an example if someone wants to mess up package files. Didn’t know that there is an override directory
(maybe because of:
]$ man
-bash: man: not found
)
I for myself don’t do stuff like that, I even avoid any untracked package in /usr/local and don’t install systemd files in weird places (or edit the package version)
Thanks for correcting.
I’ll revert and try the correct way.
edit:
Done.
Everything works as you described.
Thanks and sorry for the noise.
Python helper to mess up your permissions in a safe(r) way (in /etc/sailjail/applications)
#!/usr/bin/env python3
import os
import argparse
import time

AVAILABLE_PERMS=["Accounts","Ambience","AppLaunch","ApplicationInstallation","Audio","Base","Bluetooth","Calendar","CallRecordings","Camera","CaptivePortal","CommunicationHistory","Compatibility","Connman","Contacts","Documents","Downloads","Email","FingerprintSensor","GnuPG","Internet","Location","MediaIndexing","Messages","Microphone","Music","NFC","Notifications","Phone","Pictures","PinQuery","PublicDir","RemovableMedia","Secrets","Sensors","Sharing","Synchronization","Thumbnails","UDisks","UDisksListen","UserDirs","Videos","WebView"]

def create_parser():
    #def _check_choice(choice):
    #    if choice not in AVAILABLE_PERMS:
    #        raise ValueError(f"{choice} not a valid choice {str(AVAILABLE_PERMS)}")
    #    else:
    #        return(choice)
    #parser = argparse.ArgumentParser()
    parser = argparse.ArgumentParser(
        description="Create SailJail Override",
        epilog="""
Examples:
show defaults
./py_sailjail_perms.py -ld
show overrides
./py_sailjail_perms.py --list-overrides
create override
devel-su ./py_sailjail_perms.py -s sailfish-browser.desktop "WebView;Audio;Camera;Internet;UserDirs;RemovableMedia;MediaIndexing"
devel-su ./py_sailjail_perms.py -s harbour-file-browser.desktop disable
""",
        formatter_class=argparse.RawDescriptionHelpFormatter
    )
    parser.add_argument("-ld","--list-defaults",help="List default used permissions",nargs="?",const=True)
    parser.add_argument("-lo","--list-overrides",help="List overrides",nargs="?",const=True)
    parser.add_argument("--list-perms",help="List available permissions",nargs="?",const=True)
    parser.add_argument("-s",
        "--set-perm",
        help="specify desktop file and set new permission(s). desktop file space sperated from Permission seperated by either ; or ,",
        nargs=2
    )
    return(parser.parse_args())

def find_str_index(searchstr, txt, include_searchstr=False, stopsearch=True):
    # return the index of the line after searchstr (or of searchstr itself)
    index = None
    for n,line in enumerate(txt):
        if searchstr in line:
            index = n+1 if not include_searchstr else n
            if stopsearch:
                break
    return(index)

class SailJailGetPerms:
    def __init__(self,path="/usr/share/applications"):
        self.path = path
        self.files = self._get_files(self.path)
        self.app_perms = {}

    def _read_file(self,fn):
        with open(fn,"r") as f:
            f_out = f.read()
        return(f_out)

    def _get_files(self,path):
        return(os.listdir(path))

    def _split_lines(self,txt):
        # splitlines() drops the trailing empty entry but keeps a last line
        # that has no final newline
        return(txt.splitlines())

    def _find_perms(self,txt):
        # not perms yet only everything below [X-Sailjail]
        lines = self._split_lines(txt)
        last_line = len(lines)
        perms = []
        index = find_str_index("[X-Sailjail]",lines)
        if index is None:
            return(None)
        for i in range(index,last_line):
            line = lines[i]
            if "Permissions" in line or "Sandbox" in line:
                perms.append(lines[i])
        return(perms)

    def get_perms(self):
        for fn in self.files:
            fn_out = self._read_file(self.path+"/"+fn)
            perms = self._find_perms(fn_out)
            self.app_perms[fn] = perms

class SailJailShowEditedPerms(SailJailGetPerms):
    def __init__(self,path="/etc/sailjail/applications"):
        super().__init__(path)

class SailJailEditPerms(SailJailGetPerms):
    def __init__(self,fn,perms,tag="python_script"):
        super().__init__()
        self.fn = fn
        self.srcdir = self.path
        self.trgdir = "/etc/sailjail/applications/"
        self.new_perms = self._set_new_perms(perms)
        self.tag = tag
        #cleanup env
        del self.files

    def get_perms(self):
        pass

    def commit_ts(self):
        ts = time.localtime(time.time())
        return(f"#{self.tag} created {ts.tm_year}-{ts.tm_mon}-{ts.tm_mday}")

    # override _find_perms, add index number to perms
    def _find_perms(self,txt):
        # not perms yet only everything below [X-Sailjail]
        lines = self._split_lines(txt)
        last_line = len(lines)
        perms = []
        index = find_str_index("[X-Sailjail]",lines)
        if index is None:
            return(None)
        for i in range(index,last_line):
            line = lines[i]
            if "Permissions" in line or "Sandbox" in line:
                perms.append([lines[i],i])
        return(perms)

    def _set_new_perms(self,perms):
        if isinstance(perms,str):
            if "disable" in perms.lower() or "sandbox" in perms.lower():
                ret_perms = "Sandboxing=Disabled"
            else:
                ret_perms = "Permissions="+perms.replace(",",";") # change , to ;
        # shouldn't be a list, but just in case
        elif isinstance(perms,list):
            #TEST
            print("using list for new perms")
            if "disable" in perms[0].lower() or "sandbox" in perms[0].lower():
                ret_perms = "Sandboxing=Disabled"
            else:
                ret_perms = "Permissions="+";".join(perms)
        else:
            raise ValueError(f"{type([])} or {type('')} needed, not {type(perms)}")
        return(ret_perms)

    def create_override(self):
        txt = self._read_file(self.srcdir+"/"+self.fn)
        out_lines = self._split_lines(txt)
        src_perms = self._find_perms(txt)
        # no [X-Sailjail] group or no Permissions/Sandboxing line: nothing to replace
        if not src_perms:
            raise ValueError(f"{self.fn}: no Permissions or Sandboxing line below [X-Sailjail]")
        # fall back to the first entry if every entry is commented out
        override_perm = [self.new_perms,src_perms[0][1]]
        if len(src_perms) > 1:
            for perm in src_perms:
                # skip commented-out entries, replace the active one
                if perm[0].startswith("#"):
                    continue
                else:
                    override_perm = [self.new_perms,perm[1]]
        out_lines[override_perm[1]] = override_perm[0]
        out_lines.append("\n"+self.commit_ts())
        # the override directory may not exist yet
        os.makedirs(self.trgdir,exist_ok=True)
        with open(self.trgdir+"/"+self.fn,"w") as f:
            for line in out_lines:
                f.write(line+"\n")

def arg_show_perms(op):
    Perms = SailJailGetPerms() if op == "default" else SailJailShowEditedPerms()
    Perms.get_perms()
    print("-----> %s" %Perms.path)
    for app,perms in Perms.app_perms.items():
        if perms is not None:
            for perm in perms:
                if perm.startswith("#"):
                    continue
                print("%s --> %s" %(app,perm.replace("Permissions=","")))
        else:
            print("%s --> %s (No [X-Sailjail] Entry)" %(app,perms))

if __name__ == "__main__":
    args = create_parser()
    #print(args)
    if args.list_defaults:
        arg_show_perms("default")
    if args.list_overrides:
        arg_show_perms("")
    if args.list_perms:
        for perm in AVAILABLE_PERMS:
            print(perm)
    if args.set_perm is not None:
        override = SailJailEditPerms(args.set_perm[0],args.set_perm[1])
        override.create_override()
You have to specify the desktop file name (only the file name, not the full path) and the new permissions (; or , separated, use "" for ; ). Use the .desktop filename and disable to disable sandboxing (useful for e.g. harbour filemanager)
e.g.:
[defaultuser@Fairphone4 bin]$ devel-su ./py_get_sailjail_perms.py -s sailfish-browser.desktop "WebView;Audio;Camera;Internet;UserDirs;RemovableMedia;MediaIndexing"
[defaultuser@Fairphone4 bin]$ ./py_sailjail_perms.py -h
usage: py_sailjail_perms.py [-h] [-ld [LIST_DEFAULTS]] [-lo [LIST_OVERRIDES]] [--list-perms [LIST_PERMS]] [-s SET_PERM SET_PERM]
Create SailJail Override
optional arguments:
-h, --help show this help message and exit
-ld [LIST_DEFAULTS], --list-defaults [LIST_DEFAULTS]
List default used permissions
-lo [LIST_OVERRIDES], --list-overrides [LIST_OVERRIDES]
List overrides
--list-perms [LIST_PERMS]
List available permissions
-s SET_PERM SET_PERM, --set-perm SET_PERM SET_PERM
specify desktop file and set new permission(s). desktop file space sperated from Permission seperated by either ; or ,
Examples:
show defaults
./py_sailjail_perms.py -ld
show overrides
./py_sailjail_perms.py --list-overrides
create override
devel-su ./py_sailjail_perms.py -s sailfish-browser.desktop "WebView;Audio;Camera;Internet;UserDirs;RemovableMedia;MediaIndexing"
devel-su ./py_sailjail_perms.py -s harbour-file-browser.desktop disable
[defaultuser@Fairphone4 bin]$ ./py_sailjail_perms.py -lo
-----> /etc/sailjail/applications
jolla-classzero-dialog.desktop --> None (No [X-Sailjail] Entry)
harbour-file-browser.desktop --> Sandboxing=Disabled
sailfish-browser.desktop --> WebView;Audio;Camera;Internet;UserDirs;RemovableMedia;MediaIndexing
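An added example, not part of any post in this thread: a read-only check that compares each override in /etc/sailjail/applications with its packaged default and reports which permissions the override removes or adds, and whether it switches sandboxing off. It accepts both group names mentioned above; the function names, the case-insensitive group match and the sample desktop text are assumptions made for this example.

```python
import os

DEFAULT_DIR = "/usr/share/applications"      # packaged .desktop files (path from the thread)
OVERRIDE_DIR = "/etc/sailjail/applications"  # override directory (path from the thread)
GROUPS = ("[x-sailjail]", "[sailjail]")      # assumption: group names compared case-insensitively

# Constructed sample input, not copied from a real device.
SAMPLE_DEFAULT = "[Desktop Entry]\nName=Browser\n\n[X-Sailjail]\nPermissions=WebView;Internet;Location;Audio\n"
SAMPLE_OVERRIDE = "[X-Sailjail]\n#Permissions=WebView;Internet;Location;Audio\nPermissions=WebView;Internet;Audio\n"

def parse_sailjail(text):
    """Return {'perms': set, 'sandboxed': bool} for the Sailjail group, or None if absent."""
    in_group = found = False
    perms, sandboxed = set(), True
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_group = line.lower() in GROUPS
            found = found or in_group
        elif in_group and not line.startswith("#") and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "Permissions":
                perms = {p.strip() for p in value.split(";") if p.strip()}
            elif key == "Sandboxing" and value.lower() == "disabled":
                sandboxed = False
    return {"perms": perms, "sandboxed": sandboxed} if found else None

def diff_override(default_text, override_text):
    """Report what an override removes or adds relative to the packaged default."""
    default, override = parse_sailjail(default_text), parse_sailjail(override_text)
    if default is None or override is None:
        return None  # nothing to compare: one side has no Sailjail group
    return {
        "removed": sorted(default["perms"] - override["perms"]),
        "added": sorted(override["perms"] - default["perms"]),
        "sandbox_disabled": default["sandboxed"] and not override["sandboxed"],
    }

def audit(default_dir=DEFAULT_DIR, override_dir=OVERRIDE_DIR):
    """Diff every override that has a packaged counterpart; read-only."""
    report = {}
    for name in sorted(os.listdir(override_dir)):
        src = os.path.join(default_dir, name)
        if name.endswith(".desktop") and os.path.isfile(src):
            with open(src) as d, open(os.path.join(override_dir, name)) as o:
                report[name] = diff_override(d.read(), o.read())
    return report

if __name__ == "__main__":
    print(diff_override(SAMPLE_DEFAULT, SAMPLE_OVERRIDE))
```

An entry with `sandbox_disabled` set, or a non-empty `added` list, is the one to review first, since that override grants more than the package asked for.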