blizzz
/
harbour-nextcloud-talk
3
3
Fork 3
Code Issues 9 Pull Requests 1 Releases 13 Wiki Activity

Changes needed to support SailJail #44

New Issue
Closed
opened 2022-03-19 15:11:41 +00:00 by nephros · 13 comments
nephros commented 2022-03-19 15:11:41 +00:00
Collaborator
Copy Link

The recently released SFOS 4.4 features sandboxing enabled for all apps.

These is a collection of things needed to support running Nextcloud Talk under SailJail:

See the documentation at https://github.com/sailfishos/sailjail-permissions/blob/master/README.md

  • Select names for Organisation and Application name
  • Set Orga and App names in Qt (not strictly necessary according to this)
  • Figure out correct permissions for SailJail (minimum Permissions=Secrets;Internet, maybe Downloads, maybe some documents and media dirs for uploads)
  • Implement migration of dataDir location and files if necessary (here is a good example
  • adjust .desktop file

Problems I found when testing:

  • no "Secrets" permission in older SFOS Releases: on my 4.2 system, the permission "Secrets" does not exist. This means Talk does not launch when sailjail is enabled in the .desktop file.
  • "harbour-nextcloud-talk" is not accepted as ApplicationName. This may or my not be a bug in 4.2, but it means Sandboxing can NOT be enabled in older 4.x releases with that ApplicationName

Therefore I propose shipping three different .desktop files:

  1. one for SFOS < 4.4 with sandboxing disabled
  2. one for SFOS 4.4+ with sandboxing enabled (when ready)
The recently released SFOS 4.4 features sandboxing enabled for all apps. These is a collection of things needed to support running Nextcloud Talk under SailJail: See the documentation at https://github.com/sailfishos/sailjail-permissions/blob/master/README.md * [x] Select names for Organisation and Application name * [x] Set Orga and App names in Qt (not strictly necessary according to [this](https://forum.sailfishos.org/t/application-data-dir-sailjail-and-organizationname/6471/12)) * [x] Figure out correct permissions for SailJail (minimum `Permissions=Secrets;Internet`, maybe Downloads, maybe some documents and media dirs for uploads) * [x] Implement migration of `dataDir` location and files if necessary ([here](https://forum.sailfishos.org/t/migrating-configuration-and-data-files-for-sandboxed-apps/8866/13) is a good example * [x] adjust .desktop file Problems I found when testing: - no "Secrets" permission in older SFOS Releases: on my 4.2 system, the permission "Secrets" does not exist. This means Talk does not launch when sailjail is enabled in the .desktop file. - "harbour-nextcloud-talk" is not accepted as `ApplicationName`. This may or my not be a bug in 4.2, but it means Sandboxing can NOT be enabled in older 4.x releases with that ApplicationName Therefore I propose shipping three different .desktop files: 1. one for SFOS < 4.4 with sandboxing disabled 1. one for SFOS 4.4+ with sandboxing enabled (when ready)
nephros commented 2022-03-20 08:34:42 +00:00
Author
Collaborator
Copy Link

@blizz, in PR #43 I chose:

OrganizationName=org.nextcloud.talk
ApplicationName=NextcloudTalk

more or less randomly, please decide on proper names for these.

Note that the Orga name AFAIK needs to match any Dbus services the app registers, which why I chose that one.

[EDIT:] This is now

OrganizationName=org.nextcloud
ApplicationName=talk

because of #44 (comment)

@blizz, in PR #43 I chose: OrganizationName=org.nextcloud.talk ApplicationName=NextcloudTalk more or less randomly, please decide on proper names for these. Note that the Orga name AFAIK needs to match any Dbus services the app registers, which why I chose that one. [EDIT:] This is now OrganizationName=org.nextcloud ApplicationName=talk because of https://codeberg.org/blizzz/harbour-nextcloud-talk/issues/44#issuecomment-409795
blizzz commented 2022-03-20 19:34:03 +00:00
Owner
Copy Link

@blizz, in PR #43 I chose:

OrganizationName=org.nextcloud.talk
ApplicationName=NextcloudTalk

more or less randomly, please decide on proper names for these.

Note that the Orga name AFAIK needs to match any Dbus services the app registers, which why I chose that one.

That makes sense ✔️ The orga name is also what the android client does fwiw.

> @blizz, in PR #43 I chose: > > OrganizationName=org.nextcloud.talk > ApplicationName=NextcloudTalk > > more or less randomly, please decide on proper names for these. > > Note that the Orga name AFAIK needs to match any Dbus services the app registers, which why I chose that one. That makes sense ✔️ The orga name is also what the android client does fwiw.
blizzz commented 2022-03-20 19:37:47 +00:00
Owner
Copy Link

no "Secrets" permission in older SFOS Releases: on my 4.2 system, the permission "Secrets" does not exist. This means Talk does not launch when sailjail is enabled in the .desktop file.

4.2 or 4.3? If really 4.2 I am perfectly fine with dropping support for it. Older releases will probably not event care, and that should be ok for the first Jolla device.

> no "Secrets" permission in older SFOS Releases: on my 4.2 system, the permission "Secrets" does not exist. This means Talk does not launch when sailjail is enabled in the .desktop file. 4.2 or 4.3? If really 4.2 I am perfectly fine with dropping support for it. Older releases will probably not event care, and that should be ok for the first Jolla device.
nephros commented 2022-03-21 06:59:57 +00:00
Author
Collaborator
Copy Link

no "Secrets" permission in older SFOS Releases: on my 4.2 system, the permission "Secrets" does not exist. This means Talk does not launch when sailjail is enabled in the .desktop file.

4.2 or 4.3? If really 4.2 I am perfectly fine with dropping support for it. Older releases will probably not event care, and that should be ok for the first Jolla device.

AFAICS the "Secrets" permission only made it into sailjail-permissions-1.0.90, which ships in 4.4 only (4.3 has 1.0.81).

Personally I like to support older versions (especially because I like to lag behind in versions on my daily driver).

And in this case it should be a simple case of installing the right .desktop file. (The db file file migration would still happen though.)

Now, this is very easily done on OBS/chum, as this builds a separate package for each version, and you can just detect the runtime version in the .spec and package the correct .desktop file there.

If you do not build on OBS this then requires building at least two separate packages (one for 4.4+, one for older), and installing the .desktop in %post.

But it's your call.

> > no "Secrets" permission in older SFOS Releases: on my 4.2 system, the permission "Secrets" does not exist. This means Talk does not launch when sailjail is enabled in the .desktop file. > > 4.2 or 4.3? If really 4.2 I am perfectly fine with dropping support for it. Older releases will probably not event care, and that should be ok for the first Jolla device. AFAICS the "Secrets" permission only made it into [`sailjail-permissions-1.0.90`](https://github.com/sailfishos/sailjail-permissions/releases/tag/1.0.90), which ships in 4.4 only (4.3 has `1.0.81`). Personally I like to support older versions (especially because I like to lag behind in versions on my daily driver). And in this case it should be a simple case of installing the right .desktop file. (The db file file migration would still happen though.) Now, this is very easily done on OBS/chum, as this builds a separate package for each version, and you can just detect the runtime version in the .spec and package the correct .desktop file there. If you do not build on OBS this then requires building at least two separate packages (one for 4.4+, one for older), and installing the .desktop in %post. But it's your call.
nephros commented 2022-03-21 07:27:03 +00:00
Author
Collaborator
Copy Link

Another thing that came up in testing here:

file:///usr/share/harbour-nextcloud-talk/qml/harbour-nextcloud-talk.qml:23:5: QML DBusHandler: Failed to register service org.nextcloud.talk

file:///usr/share/harbour-nextcloud-talk/qml/harbour-nextcloud-talk.qml:23:5: QML DBusHandler: org.freedesktop.DBus.Error.ServiceUnknown

According to the Sailjail docs, we are allowed to own a bus called <OrganizationName>.<ApplicationName>. So either DBusHandler (and the C++ services that talk to it) must be set up to register such a service, or OrganizationName and ApplicationName must be org.nextcloud and talk, respectively.

Another thing that came up in testing here: file:///usr/share/harbour-nextcloud-talk/qml/harbour-nextcloud-talk.qml:23:5: QML DBusHandler: Failed to register service org.nextcloud.talk file:///usr/share/harbour-nextcloud-talk/qml/harbour-nextcloud-talk.qml:23:5: QML DBusHandler: org.freedesktop.DBus.Error.ServiceUnknown According to the [Sailjail docs](https://github.com/sailfishos/sailjail), we are allowed to own a bus called `<OrganizationName>.<ApplicationName>`. So either `DBusHandler` (and the C++ services that talk to it) must be set up to register such a service, or OrganizationName and ApplicationName must be `org.nextcloud` and `talk`, respectively.
nephros commented 2022-03-21 09:21:04 +00:00
Author
Collaborator
Copy Link

Another thing that came up in testing here:

file:///usr/share/harbour-nextcloud-talk/qml/harbour-nextcloud-talk.qml:23:5: QML DBusHandler: Failed to register service org.nextcloud.talk

ok, fixed by b3e15062b572241bea007116669c01fdcf7b67a1.

> Another thing that came up in testing here: > > file:///usr/share/harbour-nextcloud-talk/qml/harbour-nextcloud-talk.qml:23:5: QML DBusHandler: Failed to register service org.nextcloud.talk > ok, fixed by b3e15062b572241bea007116669c01fdcf7b67a1.
👍 1
nephros commented 2022-03-21 09:23:55 +00:00
Author
Collaborator
Copy Link

One last(?) thing:

sailjail -p harbour-nextcloud-talk.desktop /usr/bin/harbour-nextcloud-talk
constructing /run/firejail/mnt/privileged:  ...
mounting /run/firejail/mnt/privileged @ /home/nemo/.local/share/system/privileged
hiding /run/firejail/mnt/privileged
10:17:54.450 unknown:0 unknown Using Wayland-EGL
10:17:54.892 org.sailfishos.secrets.daemon.connection: unknown:0  Unable to connect to secrets daemon: QDBusError("org.freedesktop.DBus.Error.FileNotFound", "Failed to connect to socket /run/user/100000/sailfishsecretsd-p2pSocket: No such file or directory") 1 "org.freedesktop.DBus.Error.FileNotFound"
10:17:54.892 org.sailfishos.secrets: unknown:0  Unable to connect to the secrets daemon!  No functionality will be available!

Again, this is due to my old 4.2/4.3 test systems.

bce97c6e29 moved the socket file into rundir/sailfishsecretsd/, where the Secrets permission permits access.

One last(?) thing: sailjail -p harbour-nextcloud-talk.desktop /usr/bin/harbour-nextcloud-talk constructing /run/firejail/mnt/privileged: ... mounting /run/firejail/mnt/privileged @ /home/nemo/.local/share/system/privileged hiding /run/firejail/mnt/privileged 10:17:54.450 unknown:0 unknown Using Wayland-EGL 10:17:54.892 org.sailfishos.secrets.daemon.connection: unknown:0 Unable to connect to secrets daemon: QDBusError("org.freedesktop.DBus.Error.FileNotFound", "Failed to connect to socket /run/user/100000/sailfishsecretsd-p2pSocket: No such file or directory") 1 "org.freedesktop.DBus.Error.FileNotFound" 10:17:54.892 org.sailfishos.secrets: unknown:0 Unable to connect to the secrets daemon! No functionality will be available! Again, this is due to my old 4.2/4.3 test systems. https://github.com/sailfishos/sailfish-secrets/commit/bce97c6e294413127d8b835dc6b1435925edd644 moved the socket file into rundir/sailfishsecretsd/, where the Secrets permission permits access.
blizzz commented 2022-03-22 22:09:09 +00:00
Owner
Copy Link

Now, this is very easily done on OBS/chum, as this builds a separate package for each version, and you can just detect the runtime version in the .spec and package the correct .desktop file there.

So far I am building on SDK. I tried OBS but got weird errors, building was not even started. I did not look into Chum yet. Offering a version for >= via deps should work with OpenRepos as well. The unjailed one could be offered additionally.

This should help also with the unavailable Secrets permission in 4.3/4.2.

Thank you for the contributions on this topic 💙

> Now, this is very easily done on OBS/chum, as this builds a separate package for each version, and you can just detect the runtime version in the .spec and package the correct .desktop file there. So far I am building on SDK. I tried OBS but got weird errors, building was not even started. I did not look into Chum yet. Offering a version for >= via deps should work with OpenRepos as well. The unjailed one could be offered additionally. This should help also with the unavailable Secrets permission in 4.3/4.2. Thank you for the contributions on this topic 💙
nephros commented 2022-03-23 07:51:15 +00:00
Author
Collaborator
Copy Link

Now, this is very easily done on OBS/chum, as this builds a separate package for each version, and you can just detect the runtime version in the .spec and package the correct .desktop file there.

So far I am building on SDK. I tried OBS but got weird errors, building was not even started. I did not look into Chum yet. Offering a version for >= via deps should work with OpenRepos as well. The unjailed one could be offered additionally.

This should help also with the unavailable Secrets permission in 4.3/4.2.

Thank you for the contributions on this topic 💙

The way it's implemented meanwhile does not have the problem of needing multiple packages (because we deal with it in %post).

But if you want ot look into OBS/chum again, it's as "simple" as https://build.sailfishos.org/package/view_file/home:nephros:devel/nextcloud-talk/_service?expand=1

> > Now, this is very easily done on OBS/chum, as this builds a separate package for each version, and you can just detect the runtime version in the .spec and package the correct .desktop file there. > > So far I am building on SDK. I tried OBS but got weird errors, building was not even started. I did not look into Chum yet. Offering a version for >= via deps should work with OpenRepos as well. The unjailed one could be offered additionally. > > This should help also with the unavailable Secrets permission in 4.3/4.2. > > Thank you for the contributions on this topic 💙 The way it's implemented meanwhile does not have the problem of needing multiple packages (because we deal with it in `%post`). But if you want ot look into OBS/chum again, it's as "simple" as https://build.sailfishos.org/package/view_file/home:nephros:devel/nextcloud-talk/_service?expand=1
blizzz commented 2022-03-27 20:47:21 +00:00
Owner
Copy Link

Now, this is very easily done on OBS/chum, as this builds a separate package for each version, and you can just detect the runtime version in the .spec and package the correct .desktop file there.

So far I am building on SDK. I tried OBS but got weird errors, building was not even started. I did not look into Chum yet. Offering a version for >= via deps should work with OpenRepos as well. The unjailed one could be offered additionally.

This should help also with the unavailable Secrets permission in 4.3/4.2.

Thank you for the contributions on this topic 💙

The way it's implemented meanwhile does not have the problem of needing multiple packages (because we deal with it in %post).

Yes, of course.

But if you want ot look into OBS/chum again, it's as "simple" as https://build.sailfishos.org/package/view_file/home:nephros:devel/nextcloud-talk/_service?expand=1

Not too soon, alas, limited time.

> > > Now, this is very easily done on OBS/chum, as this builds a separate package for each version, and you can just detect the runtime version in the .spec and package the correct .desktop file there. > > > > So far I am building on SDK. I tried OBS but got weird errors, building was not even started. I did not look into Chum yet. Offering a version for >= via deps should work with OpenRepos as well. The unjailed one could be offered additionally. > > > > This should help also with the unavailable Secrets permission in 4.3/4.2. > > > > Thank you for the contributions on this topic 💙 > > The way it's implemented meanwhile does not have the problem of needing multiple packages (because we deal with it in `%post`). Yes, of course. > But if you want ot look into OBS/chum again, it's as "simple" as https://build.sailfishos.org/package/view_file/home:nephros:devel/nextcloud-talk/_service?expand=1 Not too soon, alas, limited time.
blizzz referenced this issue from a commit 2022-03-27 20:54:47 +00:00
SailJail preparations (#43)
blizzz commented 2022-03-27 20:55:29 +00:00
Owner
Copy Link

fixed with #43

fixed with #43
blizzz commented 2022-04-06 20:10:26 +00:00
Owner
Copy Link

But if you want ot look into OBS/chum again, it's as "simple" as https://build.sailfishos.org/package/view_file/home:nephros:devel/nextcloud-talk/_service?expand=1

Not too soon, alas, limited time.

In fact I was trying a longer time ago to have webhook-triggered builds, but never got them running. I now looked are your file… having the repo urls without the '.git' extension seems to be the missing magic =)

> > But if you want ot look into OBS/chum again, it's as "simple" as https://build.sailfishos.org/package/view_file/home:nephros:devel/nextcloud-talk/_service?expand=1 > > Not too soon, alas, limited time. In fact I was trying a longer time ago to have webhook-triggered builds, but never got them running. I now looked are your file… having the repo urls without the '.git' extension seems to be the missing magic =)
blizzz commented 2022-04-06 21:17:20 +00:00
Owner
Copy Link

But if you want ot look into OBS/chum again, it's as "simple" as https://build.sailfishos.org/package/view_file/home:nephros:devel/nextcloud-talk/_service?expand=1

Not too soon, alas, limited time.

In fact I was trying a longer time ago to have webhook-triggered builds, but never got them running. I now looked are your file… having the repo urls without the '.git' extension seems to be the missing magic =)

No webhook does not work, i triggered for changing the service file 🤷‍♂️

> > > But if you want ot look into OBS/chum again, it's as "simple" as https://build.sailfishos.org/package/view_file/home:nephros:devel/nextcloud-talk/_service?expand=1 > > > > Not too soon, alas, limited time. > > In fact I was trying a longer time ago to have webhook-triggered builds, but never got them running. I now looked are your file… having the repo urls without the '.git' extension seems to be the missing magic =) No webhook does not work, i triggered for changing the service file 🤷‍♂️
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
master
fix-build-64b
optimize-qnam
enh/noid/upload
fix/linebreaks
enh/noid/conv-v4
presence-color
whtest
fix/noid/reset-to-theme-color-not-saved
enh/20/themed-indicator
enh/noid/notificationservice
fix/16/v2-endpoints
fix/11/autoscroll-if-desired
11-automatic-scrolldown-in-chat-view
enh/noid/file-preview
enh/noid/rounded-avatar-component
v1.0.4
v1.0.3
v1.0.2
v1.0.1
v1.0.0
v1.0.0-alpha11
v1.0.0-alpha.10
v1.0.0-alpha.9
v1.0.0-alpha.8
v1.0.0-alpha.7
v1.0.0-alpha.6
v1.0.0-alpha.5
v1.0.0-alpha.4
v1.0.0-alpha.3
v1.0.0-alpha.2
v1.0.0-alpha.1
Labels
Clear labels
No items
No Label
Milestone
Clear milestone
No items
No Milestone
Assignees
Clear assignees
No Assignees
2 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: blizzz/harbour-nextcloud-talk#44
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?