module-access: move EACCES check to pw_check_flatpak

Decisions on whether an application is considered Flatpak sandboxed should be in pw_check_flatpak. Added the comment from 4169d9196d why we consider EACCES as non-sandboxed. This is probably OK as it shouldn't occur on functioning Flatpak setup.
2025-11-04 13:30:12 -05:00 · 2022-08-13 21:32:51 +03:00 · 2022-08-13 21:32:51 +03:00 · 4bd1cc8fcd
commit 4bd1cc8fcd
parent e3a69d1932
2 changed files with 11 additions and 17 deletions
--- a/src/modules/flatpak-utils.h
+++ b/src/modules/flatpak-utils.h
@ -76,20 +76,20 @@ static int pw_check_flatpak(pid_t pid, char **app_id, char **devices)
 	spa_autoclose int root_fd = openat(AT_FDCWD, root_path, O_RDONLY | O_NONBLOCK | O_DIRECTORY | O_CLOEXEC | O_NOCTTY);
 	if (root_fd < 0) {
 		res = -errno;
+		pw_log_info("failed to open \"%s\": %s", root_path, spa_strerror(res));
+
 		if (res == -EACCES) {
-			struct statfs buf;
-			/* Access to the root dir isn't allowed. This can happen if the root is on a fuse
-			 * filesystem, such as in a toolbox container. We will never have a fuse rootfs
-			 * in the flatpak case, so in that case its safe to ignore this and
-			 * continue to detect other types of apps. */
-			if (statfs(root_path, &buf) == 0 &&
-			    buf.f_type == 0x65735546) /* FUSE_SUPER_MAGIC */
+			/* If we can't access the root filesystem, consider not sandboxed.
+			 * This should not happen but for now it is a workaround for selinux
+			 * where we can't access the gnome-shell root when it connects for
+			 * screen sharing.
+			 */
 			return 0;
 		}
+
 		/* Not able to open the root dir shouldn't happen. Probably the app died and
 		 * we're failing due to /proc/$pid not existing. In that case fail instead
 		 * of treating this as privileged. */
-		pw_log_info("failed to open \"%s\": %s", root_path, spa_strerror(res));
 		return res;
 	}

--- a/src/modules/module-access.c
+++ b/src/modules/module-access.c
@ -263,17 +263,11 @@ context_check_access(void *data, struct pw_impl_client *client)

 	res = pw_check_flatpak(pid, &flatpak_app_id, NULL);
 	if (res != 0) {
-		if (res < 0) {
-			if (res == -EACCES) {
-				access = "unrestricted";
-				goto granted;
-			}
+		if (res < 0)
 			pw_log_warn("%p: client %p sandbox check failed: %s",
 				impl, client, spa_strerror(res));
-		}
-		else if (res > 0) {
+		else
 			pw_log_debug(" %p: flatpak client %p added", impl, client);
-		}
 		access = "flatpak";
 		items[nitems++] = SPA_DICT_ITEM_INIT("pipewire.access.portal.app_id",
 				flatpak_app_id);