A Quick PSA on Writing Portal-friendly Application Code

For various reasons, desktop applications sometimes need to know whether they are running under a sandbox made by a technology such as Flatpak or Snap. Some portal APIs, such as the file chooser dialog, are used transparently so that the application code doesn’t need to make any distinction between the sandboxed and unsandboxed cases, and if you ask me that’s a pretty impressive magic trick on its own. Other portal APIs such as the screencast one are used by both sandboxed and unsandboxed apps thanks to the secure architecture of Wayland compositors. But still other portal APIs are used conditionally depending on whether the app is running sandboxed; this is the case for the OpenURI portal used by Epiphany.


It’s also useful for applications to know when they are sandboxed in order to disable features that don’t work (yet) under Flatpak, as Epiphany does for web apps, or to access host resources via sandbox holes, as in the case of GNOME Builder.


Currently apps can test for the existence of a /.flatpak-info file to find out whether they are in a Flatpak sandbox, but this is not good enough to know if they should use portals! Snaps also use the same portals as Flatpaks, and for this reason xdg-desktop-portal has code to detect whether the calling process is running as a Snap by checking cgroup membership. However, since this check is not trivial, it is not ideal for every app to keep a separate copy of it, so I submitted a patch to add API to libportal with some helper functions. Once that is merged, apps can use it to easily check their sandboxed status.
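To make the distinction concrete, here is an added example (not the libportal patch and not xdg-desktop-portal's code) of what a sandbox check has to cover: the /.flatpak-info probe plus a cgroup-based Snap check. The exact Snap rule used here (a cgroup path component beginning with `snap.`) and the `root`/`cgroup_path` parameters, which exist so the logic can be exercised on constructed input, are assumptions.

```python
"""Sandbox detection: Flatpak via /.flatpak-info, Snap via cgroup membership.

Added example; the Snap matching rule is an assumption modelled on the
post's description of xdg-desktop-portal, not a copy of its code.
"""
import os


def is_flatpak(root="/"):
    """Flatpak mounts a /.flatpak-info file into every sandbox."""
    return os.path.isfile(os.path.join(root, ".flatpak-info"))


def cgroup_indicates_snap(cgroup_text):
    """Parse /proc/<pid>/cgroup text ('hierarchy:controllers:path' lines).

    Assumption: a Snap-confined process sits in a cgroup whose path has a
    component starting with 'snap.' (e.g. snap.<snap>.<app>-<uuid>.scope).
    """
    for line in cgroup_text.splitlines():
        parts = line.split(":", 2)  # path may itself contain ':'
        if len(parts) != 3:
            continue  # malformed line: ignore rather than guess
        if any(c.startswith("snap.") for c in parts[2].split("/")):
            return True
    return False


def is_snap(cgroup_path="/proc/self/cgroup"):
    try:
        with open(cgroup_path) as f:
            return cgroup_indicates_snap(f.read())
    except OSError:
        return False  # no cgroup file readable: treat as not a Snap


def sandbox_kind(root="/", cgroup_path="/proc/self/cgroup"):
    """Return 'flatpak', 'snap', or None. Checking only /.flatpak-info
    would report None for a Snap, which is the bug the post describes."""
    if is_flatpak(root):
        return "flatpak"
    if is_snap(cgroup_path):
        return "snap"
    return None


def should_use_portals(root="/", cgroup_path="/proc/self/cgroup"):
    return sandbox_kind(root, cgroup_path) is not None
```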


As a side note, the /.flatpak-info mechanism for identifying a process as untrusted to a portal is perhaps not ideal. It was at the heart of a recent security vulnerability and it is used by WebKit’s UI process so it is treated as untrusted even when not running under Flatpak, which seems like a potential source of confusion/bugs. Perhaps an area for improvement if anyone has ideas?


I found this issue while working on Epiphany as part of the effort to improve the support for Progressive Web Apps in GNOME (which I just started this week!) and I’ll submit a patch shortly to make Epiphany’s sandbox detection Snap-friendly.