[SailJail] Do I need `Bluetooth` for media buttons/audio output?

I’m trying to finally actually set the correct SailJail values for gPodder, at the moment I arrived at the following list of permissions:
Audio;UserDirs;RemovableMedia;Internet

But do I also need Bluetooth for Audio output to a bluetooth headset and media button input?

Also is there a way to also grant ${HOME} and not just subfolders? I allow users to change their Downloads folder so I really have no idea where they will want to save their stuff.

@pvuorela @vige

If you use the Tracker db you will probably need MediaIndexing permission as well.

Also is there a way to also grant ${HOME} and not just subfolders? I allow users to change their Downloads folder so I really have no idea where they will want to save their stuff.

There is not, unless you want to ship your own application profile. There you can do anything you want, but it’s tricky to get right.

But once sailjailed, users won’t be able to select any folders outside the Jail, so for new users that should not be an issue.
Of course for others there will be a migration scenario if they used a location outside the Jail.

I’m sure @pvuorela can answer your questions from the top of his head, but here’s my two cents:

1. You can find pretty much everything there is to know from the sailjail permissions repository
2. Audio should be enough for audio output to bluetooth headset
3. Regarding the access to ${HOME} etc., think about the other way around: As a user of gPodder, why would I want to give it access to all of my files? I don’t want to give it access to e.g. my private ssh keys! In a perfect world, I could specify the directory where I want to give it access to, but unfortunately we don’t live in that world, at least not yet.

Pretty much what @vige said.

Could add that there shouldn’t be need to add bluetooth for media buttons either. The key input is handled outside the app and it shouldn’t necessarily even know from what source the events are coming from.

In an ideal world I think it would just pop up a question do you want to grant access to this path outside the jail that you are trying to access when it happens and maybe store that, I don’t really want to take broad permissions, but I also am allowing users to move their downloads folder and to write export files and who am I to tell them where they should store their stuff.

I guess I’ll try with just Downloads, Documents and RemovableMedia and see what the users have to say.

@vige I read the repo first and even read the profiles but it was still not 100% clear to me if Media buttons would be allowed, I was pretty sure that Audio should cover all audio output but once I am asking I might as well ask for 100% certainty.

@nephros not using the Tracker, thanks for pointing it out though.

JFI: Right now, I’m listing to an audio stream via gPodder + BT EarPods + controlling Stop/Play at the EarPods. The applications is patched and has following sailjail config:

        [X-Sailjail]

        OrganizationName=harbour-org.gpodder.sailfish
        ApplicationName=harbour-org.gpodder.sailfish
        Permissions=Internet;Audio

Do you mean that you added that? Because that is most certainly not in the .desktop file of the project at the moment.

Yes, I patched it as described above. Apps without any Sailjail config are asking for “full” access, and that made me to patched it here locally …

Careful with the dashes.
While Sailjail has no problem with it, they are actually not allowed in D-Bus interface and object path names (they are ok for service names).

So in case you want to use the dbus activation features later you want a name without a dash.

Yeah, the SDK warned me about that, unless I am very much mistaken it is never set explicitly, for the Notifications I use ‘gPodder’ as the appName and it works but that is probably something that I need to change if pyotherside supports it.

@leon Great, you had me worried there for a second that the rpm distributed on the store was different from what I submitted.

I took a look into the installed desktop files and find a lot of apps that have a dash in their ApplicationName value. Some more are probably affected …

Slightly OT question, but the people here probably know, does SFOS use localized folder names or can I hardcode ~/Documents/?

If not then what is the method?

Very OT, but i’ll indulge.
Neither; SFOS is spared from the idiocy of translating folders, but you still should not hard-code.
Use QStandardPaths.

hmm, I’ll need to figure out how to call that from pyotherside…

nvm… StandardPaths QML Type | Qt Qml Core 6.8.0

Something like

#!/usr/bin/python3
[...]
def doStuff(path, data):
    [...]

# qml
import QtQuick 2.6
[...]
function doStuff(data) {
   python.call("doStuff", [StandardPaths.download, data], ...)
}
Python { id: python
[...]
}

I hope you guys don’t mind me continuing to document the SailJail for gPodder journey here.

It turns out (as documented on GitHub) that setting ApplicationName to gPodder was not a good idea because Sailjail based on the set ApplicationName and OrganizationName and creates various dotfolders with the pattern (.local|.cache|.config)/orgname/appname which would be OK were it not that all those dotfolders historically already exist at (.local|.cache|.config)/harbour-org.gpodder.sailfish/ and contain data for existing users.

Is there a way to seperate the DBUS name from the foldernames? Or a facility to migrate?

Don’t know if you’re aware of https://forum.sailfishos.org/t/migrating-configuration-and-data-files-for-sandboxed-apps/8866

Hey thanks, I had not seen that, I’ll test it on my phone, on the SDK I was not maintaining access to the old path.