Skip to content

implement a secondary permission system

Harald Sitter requested to merge work/sitter/permissionstore into master

interactive permission prompts are nice and all, but sometimes users need to authorize access to resources non-interactively

e.g. consider these use cases:

  • an advanced users SSHs home to their computer and wants to enable RDP. they will need to authorize the RDP server from the terminal without GUI interaction

  • a user likes to play games remotely which require access to input devices but xwayland doesn't persist authorization, nor does it have an app_id

to solve this we now have a bespoke permission table 'kde-authorized' in the XDP permission store. Inside this table the user may store pre-authorization to bypass the interactive workflow.

To authorize a well-known application a user can pass the app_id to the set command:

flatpak permission-set kde-authorized remote-desktop org.kde.krdpserver yes

To authorize a host application without app_id, an empty app_id may be provided.

flatpak permission-set kde-authorized remote-desktop "" yes

Usually the app_id gets obtained from flatpak/snap metadata.

For host applications it gets obtained from the systemd unit name: For applications that get started by Plasma those will be set up correctly. For manually created units the https://systemd.io/DESKTOP_ENVIRONMENTS/ spec should be followed (i.e. name the unit app-org.kde.appname.service).

Merge request reports

Loading