SailJail: how to un-grant or reset permissions?

So, when lanching an App for the first time, sailJail asks for permissions which one can grant.

After that the permissions can be checked in Settings->Apps.

But how do I un-grant or generally reset the permissions of a given app? And where are these permission grants stored?

3 Likes

Why would you want to do that? Reinstalling the app should do it, although a bit blunt. Changing the permissions also has the desired effect.

What if I decide that I don´t after all trust the app and want to revoke my given permissions, but do not want to uninstall the app (because multi-user)?

Also, right now when testing I have the phenomenon that while I have the [X-SailJail] section in the .desktop, when launched the app is NOT sandboxed. I suspect it may be because I had a Sandbox=Disabled at one point, and later changed it to proper config with permissions. But I`m not sure about that, and want to start afresh to confirm.
(Changing the permissions also shows up in the Settings-App parts, but I am never prompted for new permissions on launch.)

All this happens on SFOS 4.2 so I might just hit some things that have been resolved in later versions.

Aha, no, that’s something else at play. Apps launched through the SDK have full permissions, aka are launched without any jail.

Not launching through the SDK, just regular tap from launcher.

Sounds very buggy… Don’t remember seeing that, so hopefully that was fixed in 4.3.

AFAICS, the settings/permissions are stored per-user in one or more of these locations:

  • /home/.system/var/lib/sailjail/settings/user-100000.settings
  • /var/lib/sailjail-homescreen/100000/usr/share/applications/foo.desktop/

Untested, but presumably editing the former or removing files from the latter will reset permission grants.

1 Like

Just out of curiosity:
Why would apps always request permission for everything, e.g. why would “Galaxy Attack HD” access Internet, Kamera, Mediaindex, Microphone, Position and so on?

Because that is the compatibility mode Jolla chose for the initial release of mandatory sandboxing. Apps which do not request specific permissions get assigned a (broad) default set, hence the prompt.

This has been explained briefly in the Release Notes.

Ah! Thanks for clarification. I tried to revoke all permissions except for Audio for the Galaxy Attack HD app by editing /home/.system/var/lib/sailjail/settings/user-100000.settings, but after a reboot the app wouldn’t start but instead request the entire set of permissions again. I therefore conclude it’s currently not possible to revoke single permissions. What a pitty.

more info on: https://blog.jolla.com/whats-up-with-sandboxing/

1 Like

It should be [X-Sailjail]. The check is case sensitive. I fell for that as well.

1 Like

Keen eyes! But that is actually a typo in my post, not in the actual file.

1 Like

That’s pretty cool.
I played around a bit with the corresponding Desktop file (/usr/share/applications/harbour-pgz-galaxy-attack-hd.desktop) and added the section:
[X-Sailjail]
ApplicationName=harbour-pgz-galaxy-attack-hd
Permissions=Audio;Camera;

Audio is necessary for sound output, and Camera to access the sensors.
Using “Sensors” instead of “Camera” does also work, but Jolla doesn’t want it to be used, according to Github.
So next step is to alter all desktop files and add the adequate permissions, right?

Yes. And you probably can leave the original files alone, and put a copy in ~/.local/share/applications instead, which you then edit.

1 Like

Actually, /etc/sailjail/applications is probably the correct location.

1 Like

It’s automatic, if you run the app with extra permissions in .desktop file you get prompted, if you run with less permissions the old extra ones get removed

First guess: you modified both Permissions and Granted lists? After which Permissions does not match what .desktop has → looks like application requirements have changed → ask from user again. It should work if you: stop the service, edit just the Granted list, restart the service.

While the settings UI etc is still missing things, the underlying interfaces are already there, e.g.

$ devel-su
# dbus-send --system --print-reply --type=method_call --dest=org.sailfishos.sailjaild1  /org/sailfishos/sailjaild1 org.sailfishos.sailjaild1.GetGrantedPermissions uint32:100000 string:sailfish-office
   array [
      string "UserDirs"
      string "MediaIndexing"
      string "RemovableMedia"
   ]
# dbus-send --system --print-reply --type=method_call --dest=org.sailfishos.sailjaild1  /org/sailfishos/sailjaild1 org.sailfishos.sailjaild1.SetGrantedPermissions uint32:100000 string:sailfish-office array:string:UserDirs,MediaIndexing
# dbus-send --system --print-reply --type=method_call --dest=org.sailfishos.sailjaild1  /org/sailfishos/sailjaild1 org.sailfishos.sailjaild1.GetGrantedPermissions uint32:100000 string:sailfish-office
   array [
      string "UserDirs"
      string "MediaIndexing"
   ]
2 Likes

Interesting, thank you, I will give it a try.
I noticed that amazfish-ui wouldn’t start properly when launched through the desktop icon and I wonder which permission would be missing? According to the desktop file, everything including bluetooth is already granted.

BTW: Ah, could be the AppLaunch permission which is missing. How to restart the sailjail service?

$ devel-su
# systemctl stop sailjaild.service
# editor_of_choice /home/.system/var/lib/sailjail/settings/user-100000.settings
# systemctl start sailjaild.service
2 Likes