SailJail: how to un-grant or reset permissions?

nephros · 19 March 2022 22:45

So, when lanching an App for the first time, sailJail asks for permissions which one can grant.

After that the permissions can be checked in Settings->Apps.

But how do I un-grant or generally reset the permissions of a given app? And where are these permission grants stored?

attah · 20 March 2022 08:17

Why would you want to do that? Reinstalling the app should do it, although a bit blunt. Changing the permissions also has the desired effect.

nephros · 20 March 2022 08:29

What if I decide that I don´t after all trust the app and want to revoke my given permissions, but do not want to uninstall the app (because multi-user)?

Also, right now when testing I have the phenomenon that while I have the [X-SailJail] section in the .desktop, when launched the app is NOT sandboxed. I suspect it may be because I had a Sandbox=Disabled at one point, and later changed it to proper config with permissions. But I`m not sure about that, and want to start afresh to confirm.
(Changing the permissions also shows up in the Settings-App parts, but I am never prompted for new permissions on launch.)

All this happens on SFOS 4.2 so I might just hit some things that have been resolved in later versions.

attah · 20 March 2022 08:47

Aha, no, that’s something else at play. Apps launched through the SDK have full permissions, aka are launched without any jail.

nephros · 20 March 2022 09:01

Not launching through the SDK, just regular tap from launcher.

attah · 20 March 2022 09:06

Sounds very buggy… Don’t remember seeing that, so hopefully that was fixed in 4.3.

nephros · 21 March 2022 07:11

AFAICS, the settings/permissions are stored per-user in one or more of these locations:

/home/.system/var/lib/sailjail/settings/user-100000.settings
/var/lib/sailjail-homescreen/100000/usr/share/applications/foo.desktop/

Untested, but presumably editing the former or removing files from the latter will reset permission grants.

Inte · 21 March 2022 09:31

Just out of curiosity:
Why would apps always request permission for everything, e.g. why would “Galaxy Attack HD” access Internet, Kamera, Mediaindex, Microphone, Position and so on?

nephros · 21 March 2022 09:49

Because that is the compatibility mode Jolla chose for the initial release of mandatory sandboxing. Apps which do not request specific permissions get assigned a (broad) default set, hence the prompt.

This has been explained briefly in the Release Notes.

Inte · 21 March 2022 09:54

Ah! Thanks for clarification. I tried to revoke all permissions except for Audio for the Galaxy Attack HD app by editing /home/.system/var/lib/sailjail/settings/user-100000.settings, but after a reboot the app wouldn’t start but instead request the entire set of permissions again. I therefore conclude it’s currently not possible to revoke single permissions. What a pitty.

rgrnetalk · 21 March 2022 10:18

more info on: https://blog.jolla.com/whats-up-with-sandboxing/

martinh · 21 March 2022 10:42

It should be [X-Sailjail]. The check is case sensitive. I fell for that as well.

nephros · 21 March 2022 11:06

Keen eyes! But that is actually a typo in my post, not in the actual file.

Inte · 21 March 2022 13:53

That’s pretty cool.
I played around a bit with the corresponding Desktop file (/usr/share/applications/harbour-pgz-galaxy-attack-hd.desktop) and added the section:
[X-Sailjail]
ApplicationName=harbour-pgz-galaxy-attack-hd
Permissions=Audio;Camera;
Audio is necessary for sound output, and Camera to access the sensors.
Using “Sensors” instead of “Camera” does also work, but Jolla doesn’t want it to be used, according to Github.
So next step is to alter all desktop files and add the adequate permissions, right?

nephros · 21 March 2022 13:59

Yes. And you probably can leave the original files alone, and put a copy in ~/.local/share/applications instead, which you then edit.

nephros · 21 March 2022 16:00

Actually, /etc/sailjail/applications is probably the correct location.

throwaway69 · 22 March 2022 07:54

It’s automatic, if you run the app with extra permissions in .desktop file you get prompted, if you run with less permissions the old extra ones get removed

spiiroin · 22 March 2022 11:18

First guess: you modified both Permissions and Granted lists? After which Permissions does not match what .desktop has → looks like application requirements have changed → ask from user again. It should work if you: stop the service, edit just the Granted list, restart the service.

While the settings UI etc is still missing things, the underlying interfaces are already there, e.g.

$ devel-su
# dbus-send --system --print-reply --type=method_call --dest=org.sailfishos.sailjaild1  /org/sailfishos/sailjaild1 org.sailfishos.sailjaild1.GetGrantedPermissions uint32:100000 string:sailfish-office
   array [
      string "UserDirs"
      string "MediaIndexing"
      string "RemovableMedia"
   ]
# dbus-send --system --print-reply --type=method_call --dest=org.sailfishos.sailjaild1  /org/sailfishos/sailjaild1 org.sailfishos.sailjaild1.SetGrantedPermissions uint32:100000 string:sailfish-office array:string:UserDirs,MediaIndexing
# dbus-send --system --print-reply --type=method_call --dest=org.sailfishos.sailjaild1  /org/sailfishos/sailjaild1 org.sailfishos.sailjaild1.GetGrantedPermissions uint32:100000 string:sailfish-office
   array [
      string "UserDirs"
      string "MediaIndexing"
   ]

Inte · 22 March 2022 12:57

Interesting, thank you, I will give it a try.
I noticed that amazfish-ui wouldn’t start properly when launched through the desktop icon and I wonder which permission would be missing? According to the desktop file, everything including bluetooth is already granted.

BTW: Ah, could be the AppLaunch permission which is missing. How to restart the sailjail service?

spiiroin · 23 March 2022 06:50

$ devel-su
# systemctl stop sailjaild.service
# editor_of_choice /home/.system/var/lib/sailjail/settings/user-100000.settings
# systemctl start sailjaild.service