Reduce Multiplex permissions

[sonnyp]

Follow up to https://floss.social/@pojntfx@mastodon.social/111966298529562604
See https://flathub.org/apps/com.pojtinger.felicitas.Multiplex

I'm pretty sure we can get from "potentially unsafe" to "probably safe". We don't do a lot of advocacy around this topic so if we succeed I'd love to publish a blog post on Flathub blog.

Here are some quick suggestions - not sure how realistic

• Network access: no choice for now until we get a network portal Network permission portal flatpak/xdg-desktop-portal#1166
• Arbitrary permission: whatever you spawn, do it in the sandbox
• Download Folder read/write access: instead ask users where they want to save files (one time is fine, document portal entries are permanent)
• System folder /tmp: there is a $TMPDIR in the sandbox
• Video folder: same as download folder - use document portal

Flathub:

GNOME Softare:

[pojntfx]

Thanks a lot for the suggestions! I'll def. get to working on these once I've published updated versions of the underlying weron and panrpc libraries, as well as the GNOME Builder MR that adds Go support.

Regarding the individual permissions:

• "Network access: no choice for now until we get a network portal" - yup, and since this has to do NAT hole punching to signal once there is such a portal, maybe there would also have to be a "requesting access to the local network" type of permission in addition to being able to reach out to the signaling server URL
• "Arbitrary permission: whatever you spawn, do it in the sandbox" - this should be fixable by embedding MPV inside of the GTK views instead of doing what I'm doing rn (spawning MPV using the MPV Flatpak). Delfin does this in Rust + GTK4, so I'm sure it's going to be possible here as well, although I'm not quite sure how embedding works with the Go GTK bindings!
• "Download Folder read/write access: instead ask users where they want to save files (one time is fine, document portal entries are permanent)" - sweet, didn't know that this was a thing! That folder is already configurable, and we only need read/write access to one specific directory, so should be an easy enough improvement
• "System folder /tmp: there is a $TMPDIR in the sandbox" - that relates to the MPV embedding issue, if we use $TMPDIR with the current solution there is no way of the MPV Flatpak accessing the same directory I'm afraid, but once we can embed Delfin-style that won't be a problem
• "Video folder: same - use document portal" - same as the downloads folder, should be user-configurable anyways