
Flatpak: harden default permissions#118

Open
secretmango wants to merge 1 commit into amule-org:master from secretmango:flatpak-permission-changes

Conversation

secretmango commented Jun 12, 2026

Summary

This way the application only has static access to its own folder, an empty folder in Downloads and read-only access to the user's music folder.

Direct rendering access was removed as it is not needed for the app to run.

Users should be encouraged to change the permissions, maybe in the initial dialog. KDE has easy settings included, other desktops can use Flatseal.

Test plan

I have tested these permissions locally via a flatpak override file in ~/.local/share/flatpak/overrides

closes #117

secretmango (Author) commented

I am also not sure if IPC permission is needed.

got3nks commented Jun 12, 2026

Thanks for digging in. A few thoughts:

--filesystem=home — would push back. aMule users routinely set Incoming/Temp to arbitrary paths (~/Movies, second drive) and share folders outside Downloads. Narrowing to xdg-download/aMule:create + xdg-music:ro silently breaks those flows; users have to discover Flatseal to repair. Both qBittorrent and Transmission use --filesystem=host (full host FS) for the same reason — our current --filesystem=home is already a hardening step against the Flathub precedent.

--device=dri — fine with dropping in principle. wxGTK widget rendering doesn't need GPU access, so the principle-of-least-privilege call is right. But we need UI smoke-tests on GNOME 49 + KDE Plasma (Wayland and X11) before merging — some compositor/wxGTK combos hit slow scrolling or blank widgets without DRI, and we'd rather catch that here than in user reports after release.

I'd land the --device=dri removal as its own commit (after testing) and keep the broader filesystem grant.

got3nks commented Jun 12, 2026

--share=ipc is needed for X11's MIT-SHM extension (shared-memory pixmap transfers between client and X server). Without it, X11 sessions still work but fall back to a slower non-SHM rendering path; Wayland sessions don't use it at all.

Since we still ship --socket=fallback-x11 to cover users on Mate/XFCE/Cinnamon and other non-Wayland-default sessions, I'd keep --share=ipc for now. qBittorrent and Transmission both keep it for the same reason. If we eventually drop fallback-x11 support entirely, ipc would go with it.

secretmango (Author) commented Jun 12, 2026

The thing is, it does not silently break. The GUI chooser will only show the allowed directories, so users will know that something is missing.

But what do you think of changing the startup dialog to inform about this? It doesn't even need to be a Flatpak-specific one, it could just be:

IMPORTANT: if you are using the Flatpak, you might need Flatseal or KDE Plasma settings to allow access to more directories.

I can confirm it works fine on Plasma 6 wayland without dri access, scrolls quick and fine. Others could be tested too.
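The thread's test plan (an override file under ~/.local/share/flatpak/overrides), the narrowed filesystem set, the DRI removal and the decision to keep --share=ipc can all be exercised with the script below. It is an added example, not code from the aMule project or from either commenter. The app id org.amule.aMule and the override directory are assumptions (the page never states the id); set APP_ID in the environment if the real one differs. The keyfile generation and the check run anywhere; the two functions that call flatpak only run where it is installed.

```shell
#!/bin/sh
# Added example for this thread (not code from the aMule project or either
# commenter): generate, apply and sanity-check a per-user Flatpak override
# that reproduces the permission set discussed above, so the narrowing can be
# tried on a real desktop before the Flathub manifest changes.
#
# Assumptions not stated on the page: the app id "org.amule.aMule" and the
# override directory ~/.local/share/flatpak/overrides are assumed; set APP_ID
# in the environment if the real id differs.

APP_ID="${APP_ID:-org.amule.aMule}"   # assumed app id

# Print a flatpak override keyfile. "!home" revokes the manifest's blanket
# home grant; the two positive entries are the narrowed set from the PR;
# "!dri" drops direct rendering. IPC and fallback-x11 are deliberately left
# as shipped, per the MIT-SHM argument in the review.
gen_override() {
    cat <<'EOF'
[Context]
filesystems=!home;xdg-download/aMule:create;xdg-music:ro;
devices=!dri;
EOF
}

# Write the keyfile to <dir>/<APP_ID> (flatpak reads overrides by app id)
# and print the resulting path.
write_override() {
    dir="${1:-$HOME/.local/share/flatpak/overrides}"
    mkdir -p "$dir"
    gen_override > "$dir/$APP_ID"
    printf '%s\n' "$dir/$APP_ID"
}

# Return 0 only if the override leaves no broad filesystem grant in effect:
# a "home", "host", "host-os" or "host-etc" entry without a leading '!'
# (with or without a ":ro"/":create" suffix) means the sandbox still sees far
# more than the two intended folders.
check_override() {
    f="$1"
    fs=$(sed -n 's/^filesystems=//p' "$f")
    case ";$fs" in
        *";home;"*|*";home:"*|*";host;"*|*";host:"*|\
        *";host-os;"*|*";host-os:"*|*";host-etc;"*|*";host-etc:"*) return 1 ;;
    esac
    return 0
}

# Same change expressed with the flatpak CLI, which edits the same keyfile.
# Only runs where flatpak is installed; "--show" prints the effective override.
apply_override_cli() {
    command -v flatpak >/dev/null 2>&1 || { echo "flatpak not installed" >&2; return 2; }
    flatpak override --user \
        --nofilesystem=home \
        --filesystem=xdg-download/aMule:create \
        --filesystem=xdg-music:ro \
        --nodevice=dri \
        "$APP_ID"
    flatpak override --user --show "$APP_ID"
}

# One-off smoke run for the DRI/IPC questions without persisting anything:
# run-time flags override the manifest for this launch only, so blank widgets
# or slow scrolling can be checked per compositor (GNOME, Plasma, X11,
# Wayland) as requested in the review. Drop --unshare=ipc to test DRI alone.
smoke_run() {
    command -v flatpak >/dev/null 2>&1 || { echo "flatpak not installed" >&2; return 2; }
    flatpak run --nodevice=dri --unshare=ipc "$APP_ID"
}
```

Usage: source the file, run `write_override` to drop the keyfile into the default override directory (or pass another directory as the first argument), then `check_override "$HOME/.local/share/flatpak/overrides/$APP_ID"` before launching. `flatpak override --user --reset "$APP_ID"` undoes the change. The check deliberately treats `home:ro` and `host:ro` as still too broad, since the point of the PR is that the app should see only the folders it was granted.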

Development

Successfully merging this pull request may close these issues.

Flatpak: better permissions by default

2 participants