gvfs peer-2-peer incompatible with flatpak network isolation
If you run a flatpak:ed app with gvfs access, but with no network access you will get something like:
gio: cdda://sr1/: Error while getting peer-to-peer dbus connection: Could not connect: Connection refused
This is because on Linux, gvfs-daemon always sets USE_ABSTRACT_SOCKETS, which makes it pass back dbus addresses for the p2p connections which are abstract sockets. However, abstract sockets are tied to the network namespace, so any kind of network isolation (even partial) in the app will make connections to the abstract socket break.
The chances of fixing this in the kernel are slight; however, abstract sockets are not really very useful these days. They are mainly used to avoid having leftover sockets on the disk after reboot. These days that can be avoided by using tmpfs:es like /run for such sockets, which means we have full access to the regular fs namespaces support.
If we just drop USE_ABSTRACT_SOCKETS it will instead use sockets in /tmp, which is also a problem for isolated apps (as /tmp is per-app). So, I propose that we change that so the daemon creates the p2p sockets in something like /run/user/$uid/gvfsd/ instead. Then apps that want to access this can ask for --filesystem=xdg-run/gvfsd access.
CC @hadess
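The namespace behaviour described in this report can be reproduced outside gvfs and flatpak. The script below is an added example, not code from gvfs or from the reporter: it listens on one abstract socket and one path socket, then connects to both from a child that has left the network namespace. The socket names and the temporary directory (standing in for a directory under /run/user/$uid) are constructed for the demo, and it assumes a Linux kernel that permits unprivileged user namespaces.

```python
import ctypes, errno, os, shutil, socket, tempfile

CLONE_NEWUSER, CLONE_NEWNET = 0x10000000, 0x40000000  # values from <sched.h>

def try_connect(addr):
    """Return 'ok' or the errno name from connecting to an AF_UNIX address."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        try:
            s.connect(addr)
            return "ok"
        except OSError as e:
            return errno.errorcode.get(e.errno, str(e.errno))

def probe_from_new_netns():
    """Connect to an abstract and a path socket from a network-isolated child.

    Returns {'abstract': ..., 'path': ...}, or None when the kernel or an
    outer sandbox does not allow unprivileged unshare().
    """
    tmpdir = tempfile.mkdtemp(prefix="p2p-demo-")  # constructed stand-in dir
    addrs = {"abstract": b"\0p2p-demo-%d" % os.getpid(),  # leading NUL = abstract
             "path": os.path.join(tmpdir, "socket")}
    listeners = []
    for addr in addrs.values():
        srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        srv.bind(addr)
        srv.listen(1)
        listeners.append(srv)
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:  # child: new net namespace, same mount namespace as the parent
        out = "unshare-failed"
        try:
            libc = ctypes.CDLL(None, use_errno=True)
            if libc.unshare(CLONE_NEWUSER | CLONE_NEWNET) == 0:
                out = ",".join(try_connect(a) for a in addrs.values())
        finally:
            os.write(w, out.encode())
            os._exit(0)
    os.close(w)
    out = os.read(r, 256).decode()
    os.close(r)
    os.waitpid(pid, 0)
    for srv in listeners:
        srv.close()
    shutil.rmtree(tmpdir)
    return None if out == "unshare-failed" else dict(zip(addrs, out.split(",")))

if __name__ == "__main__":
    print(probe_from_new_netns())
```

The path socket stays reachable here only because the child still shares the parent's mount namespace; in a sandboxed app the socket directory has to be exposed explicitly, which is what the --filesystem request in the proposal is for.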