@@ -472,6 +472,181 @@ Note that these should not have subpaths in them unless the value
472472of the subpath can be consistently pre-determined. Block device naming
473473depends on the kernel/fstab configuration and cannot be pre-determined.
474474
475+ Conditional permissions
476+ -----------------------
477+
478+ Since 1.17.0.
479+
480+ Some sandbox permissions support the conditional permissions system
481+ which allows them to be granted only when certain runtime conditions
482+ are satisfied or fallback otherwise. A permission can be
483+
484+ - Unconditionally allowed
485+ - Unconditionally denied
486+ - Conditionally allowed, depending on runtime conditions
487+
488+ Unconditionally allowing or denying a permission (for example
489+ through ``--socket=NAME `` or ``--nosocket=NAME ``) will grant or revoke
490+ the permission outright without any conditional evaluation.
491+
492+ The following permissions support the conditional system:
493+ ``sockets ``, ``devices ``, ``share `` and ``allow ``.
494+
495+ Conditional permission syntax
496+ ``````````````````````````````
497+
498+ Conditional permissions are expressed using the
499+ ``if:PERMISSION:CONDITION `` syntax in metadata, where they are merged
500+ with existing permission keys, and using the
501+ ``--socket-if ``, ``--device-if ``, ``--share-if `` and ``--allow-if ``
502+ options on the command line. The syntax in commandline is
503+ ``--socket-if=PERMISSION:CONDITION `` and so on.
504+
505+ .. note ::
506+
507+ Older Flatpak versions will fail when encountering unknown
508+ commandline options, while unrecognized metadata entries will be
509+ silently ignored.
510+
511+ Flatpak manifests using conditional flags (for example
512+ ``--socket-if `` etc.) will require Flatpak 1.17.0 or newer to
513+ build and attempting to build them with older Flatpak versions will
514+ produce an error.
515+
516+ The following conditions are supported:
517+
518+ - ``true `` - Always evaluates to true
519+ - ``false ``- Always evaluates to false
520+ - ``has-input-device `` - ``true `` if the Flatpak version supports the
521+ ``device=input `` permission (since 1.15.6), always true in Flatpak
522+ versions supporting the conditional syntax and ``false `` otherwise.
523+ - ``has-wayland `` - ``true `` if the current desktop session supports
524+ Wayland, ``false `` otherwise.
525+
526+ For example, instead of the ``--socket=wayland `` permission which
527+ unconditionally allows access to the Wayland socket,
528+ ``--socket-if=wayland:has-wayland `` can be used to only grant access to
529+ the socket when running in a Wayland desktop session.
530+
531+ Conditions can be negated by prefixing with ``! ``.
532+
533+ For example, instead of the ``--socket=x11 `` permission which
534+ unconditionally allows access to the X11 socket,
535+ ``--socket-if=x11:!has-wayland `` can be used to only grant access to the
536+ socket when a Wayland desktop session is not available.
537+
538+ Multiple conditionals can be specified for the same permission, in which
539+ case the permission is granted if any condition matches (OR logic). For
540+ example::
541+
542+ sockets=wayland;if:x11:!has-wayland;if:x11:!has-input-device;
543+
544+ - ``wayland `` is unconditionally allowed
545+ - ``x11 `` is allowed if Wayland is unavailable (``!has-wayland ``)
546+ - ``x11 `` is also allowed if the input device permission is unsupported
547+ (``!has-input-device ``)
548+
549+ In commandline the flags are translated as::
550+
551+ --socket=wayland
552+ --socket-if=x11:!has-wayland
553+ --socket-if=x11:!has-input-device
554+
555+ If no conditional rule evaluates to ``true ``, the permission is denied
556+ unless it is also unconditionally allowed. Duplicate conditions are
557+ ignored and conditions are treated as an unordered set.
558+
559+ For backward compatibility with older Flatpak versions, conditional
560+ permissions should be combined with unconditional permissions. The
561+ unconditional form should be included before conditionals. Older
562+ Flatpak versions will ignore conditional entries and see only the
563+ unconditional entries while newer versions will evaluate both and apply
564+ the conditional logic. For example::
565+
566+ sockets=x11;if:x11:!has-wayland;
567+
568+ In commandline the flags are translated as::
569+
570+ --socket=x11
571+ --socket-if=x11:!has-wayland
572+
573+ The trade-off is that older Flatpak which does not understand
574+ the conditional syntax, will grant a broader permissions than intended
575+ while newer Flatpak will function correctly as intended.
576+
577+ Examples
578+ `````````
579+
580+ The pattern::
581+
582+ sockets=wayland;fallback-x11;
583+
584+ can be translated to the conditional system (without backwards
585+ compatibility)::
586+
587+ sockets=wayland;if:x11:!has-wayland;
588+
589+ The ``has-input-device `` condition can be used to fall back to
590+ ``--device=all `` on older Flatpak versions that do not support
591+ ``--device=input ``::
592+
593+ devices=all;input;if:input:has-input-device;if:all:!has-input-device;
594+
595+ - **Pre-1.15.6 **: The ``input `` device permission is unsupported and
596+ only ``all `` is recognised, granting access to all devices as a
597+ fallback.
598+
599+ - **1.15.6 to 1.17 **: The ``all, input `` device permissions are supported
600+ but conditional syntax is not understood. ``all `` takes precedence
601+ over ``input `` granting access to all devices as a fallback.
602+
603+ - **1.17+ **: The conditional syntax is understood. The
604+ ``has-input-device `` condition evaluates to true so ``input `` is
605+ granted. The ``!has-input-device `` condition evaluates to false so
606+ ``all `` is not granted. Therefore, only ``input `` device access is
607+ granted.
608+
609+ In commandline the flags are translated as::
610+
611+ --device=all
612+ --device=input
613+ --device-if=input:has-input-device
614+ --device-if=all:!has-input-device
615+
616+ To explicitly deny a permission that might be granted through runtime
617+ metadata or overrides, the permission can be prefixed with ``! ``::
618+
619+ socket=!x11;
620+
621+ This denial can be combined with conditional grants to remove
622+ unconditional access while allowing conditional access::
623+
624+ sockets=!x11;x11;if:x11:!has-wayland;
625+
626+ This denies unconditional X11 access but allows X11 conditionally when
627+ Wayland is unavailable. The ``x11 `` and ``!x11 `` entries ensure
628+ backwards compatibility as older Flatpak versions see the ``x11 `` grant
629+ and allow X11 unconditionally, while newer versions recognize the
630+ conditional logic.
631+
632+ In commandline the flags are translated as::
633+
634+ --nosocket=x11
635+ --socket=x11
636+ --socket-if=x11:!has-wayland
637+
638+ fallback-x11 socket
639+ ````````````````````
640+
641+ The ``fallback-x11 `` socket, on pre-1.17 Flatpak versions implicitly
642+ granted ``x11 `` access and at runtime X11 access was suppressed when
643+ Wayland was available, while on newer Flatpak (1.17+) it is internally
644+ converted to the conditional syntax ``if:x11:!has-wayland ``. When saving
645+ the metadata, Flatpak converts ``if:x11:!has-wayland `` back to
646+ ``fallback-x11 `` only when it is the sole conditional on ``x11 ``. If
647+ additional conditionals are present, the new syntax is written directly
648+ and older Flatpak versions will not understand the conditional entries.
649+
475650.. rubric :: Footnotes
476651
477652.. [#f1 ] This is not necessarily required, but without it the X11 shared
0 commit comments