@@ -264,6 +264,103 @@ You can provide the following device permissions:
264264While not ideal, ``--device=all `` can be used to access devices like
265265webcams, CD/DVD drives etc.
266266
267+ USB portal
268+ ``````````
269+
270+ Since 1.5.11.
271+
272+ Sandboxed access to individual USB devices can be controlled by
273+ portals. Flatpak allows specifying enumerable USB devices to allow
274+ access.
275+
276+ Like ``--device=usb ``, this is just about accessing the raw USB
277+ device, that needs libusb (or equivalent). By using the portal, you
278+ can restrict which device can be requested (enumerable) and then
279+ request an explicit permission to access. For example, if you run a
280+ scanner driver, there is no reason for USB security devices to be
281+ accessible.
282+
283+ A list of valid use cases includes scanners (handled, for example by
284+ SANE), photo cameras (handled by libgphoto2), flashing devices, etc.
285+
286+ While this is portal dependent and ``xdg-desktop-portal `` is currently
287+ the only portal implementation, the overall permission flow is as
288+ follows:
289+
290+ - The Flatpak package specifies the devices it wishes to enumerate
291+ through ``finish-args ``.
292+ - The application requests the portal to enumerate the available USB
293+ devices based on that list. If the list is empty it will enumerate
294+ all USB devices.
295+ - When the application wants to access the device, it will make a
296+ request for the device it wants to access via the portal.
297+ - The portal then requests permission from the user if not already
298+ granted.
299+ - If the permission was granted, a file descriptor for the device is
300+ passed back to the application.
301+
302+ The application is then able to open the devices it is supposed to use
303+ while the others would be hidden.
304+
305+ Specifying the enumerable devices
306+ """""""""""""""""""""""""""""""""
307+
308+ You can specify devices on the ``flatpak `` command line, and by
309+ extension in the finish arguments for Flatpak Builder. Enumerable
310+ devices are specified with a query passed with ``--usb= `` while hidden
311+ devices are specified with a query passed with ``--nousb= ``. The
312+ hidden list takes precedence over the enumerable list, like an
313+ exception list. The goal is to be able to specify a broad range and
314+ then exclude the few devices that shall not be enumerated.
315+
316+ Queries are made out of rules. These rules are composable with ``+ ``.
317+
318+ The rule ``all `` enumerates every USB device. There is no further rule
319+ allowed in the query.
320+
321+ The ``vnd `` and ``dev `` rules specify a USB vendor and a USB device ID
322+ respectively. A vendor can be specified alone, but a device rule
323+ always comes with a vendor rule as a device ID is only unique within a
324+ vendor. Vendor and device ID are specified with 4 digit hex
325+ numbers. For more information about the USB IDs, you can refer to the
326+ `Linux USB ID repository <http://www.linux-usb.org/usb-ids.html >`_
327+
328+ ``cls `` specifies the device USB class and subclass. Both class and
329+ subclass are two digit hex numbers separated by a colon ``: ``. You
330+ can use ``* `` to specify any subclass within the class.
331+
332+ Some examples of the syntax:
333+
334+ - ``vnd:1234 ``: Devices from vendor ``1234 ``
335+ - ``vnd:1234+dev:3456 ``: Only device ``3456 `` from vendor ``1234 ``.
336+ - ``vnd:1234+cls:06:* ``: All the PTP devices from vendor ``1234 ``.
337+ - ``cls:06:* ``: All the PTP devices.
338+
339+ This permission only allows to enumerate devices. To open them,
340+ permission must be requested from the portal. It is not possible to
341+ open a device that is not enumerable.
342+
343+ .. note ::
344+
345+ The ``--device=usb `` permission is broader than what the USB portal
346+ is supposed to provide and allows unfettered access to any USB
347+ device on the bus.
348+
349+ In some situations you may need to specify a very long list of devices.
350+
351+ Device lists can be passed in one single argument, or through a file.
352+
353+ When using ``--usb-list ``, the queries are separated by a semi-colon
354+ ``; ``, with queries for hidden devices (i.e. those that would be
355+ passed with ``--nousb ``) prefixed with ``! ``.
356+
357+ When using ``--usb-list-file ``, the filename of the file containing
358+ USB queries is passed line by line. Like with ``--usb-list `` queries
359+ for hidden devices are prefixed with ``! ``. Empty lines and lines
360+ starting with a ``# `` are ignored. When used with ``flatpak override ``
361+ or ``flatpak build-finish `` the file is no longer needed afterwards as
362+ the list is persisted internally.
363+
267364dconf access
268365````````````
269366
0 commit comments