@@ -257,6 +257,102 @@ You can provide the following device permissions:
257257While not ideal, ``--device=all `` can be used to access devices like
258258webcams, CD/DVD drives etc.
259259
260+ USB portal
261+ ``````````
262+
263+ Since 1.5.11.
264+
265+ Sandboxed access to individual USB devices can be controlled by
266+ portals. Flatpak allows specifying enumerable USB devices to allow
267+ access.
268+
269+ Like ``--device=usb ``, this is just about accessing the raw USB
270+ device, that need libusb. By using the portal, you can restrict which
271+ device can be requested (enumerable) and then request an explicit
272+ permission to access. For example, if you run a scanner driver, there
273+ is no reason for USB security devices to be accessible.
274+
275+ A list of valid use cases includes scanners (handled, for example by
276+ SANE), photo cameras (handled by libgphoto2), flashing devices, etc.
277+
278+ While this is portal dependent and ``xdg-desktop-portal `` is currently
279+ the only portal implementation, the overall permission flow is as
280+ follows:
281+
282+ - The Flatpak package specifies the devices it wishes to enumerate
283+ through ``finish-args ``.
284+ - The application requests the portal to enumerate the available USB
285+ devices based on that list. If the list is empty it will enumerate
286+ all USB devices.
287+ - When the application wants to access the device, it will make a
288+ request for the device it wants to access via the portal.
289+ - The portal then requests permission from the user if not already
290+ granted.
291+ - If the permission was granted, a file descriptor for the device is
292+ passed back to the application.
293+
294+ The application is then able to open the devices it is supposed to use
295+ while the others would be hidden.
296+
297+ Specifying the enumerable devices
298+ """""""""""""""""""""""""""""""""
299+
300+ You can specify devices on the ``flatpak `` command line, and by
301+ extension in the finish arguments for Flatpak Builder. Enumerable
302+ devices are specified with a query passed with ``--usb= `` while hidden
303+ devices are specified with a query passed with ``--nousb= ``. The
304+ hidden list takes precedence over the enumerable list, like an
305+ exception list. The goal is to be able to specify a broad range and
306+ then exclude the few devices that shall not be enumerated.
307+
308+ Queries are made out of rules. These rules are composable with ``+ ``.
309+
310+ The rule ``all `` enumerates every USB device. There is no further rule
311+ allowed in the query.
312+
313+ The ``vnd `` and ``dev `` rules specify a USB vendor and a USB device ID
314+ respectively. A vendor can be specified alone, but a device rule
315+ always comes with a vendor rule as a device ID is only unique within a
316+ vendor. Vendor and device ID are specified with 4 digit hex
317+ numbers. For more information about the USB IDs, you can refer to the
318+ `Linux USB ID repository <http://www.linux-usb.org/usb-ids.html >`_
319+
320+ ``cls `` specifies the device USB class and subclass. Both class and
321+ subclass are two digit hex numbers separated by a colon ``: ``. You
322+ can use ``* `` to specify any subclass within the class.
323+
324+ Some examples of the syntax:
325+
326+ - ``vnd:1234 ``: Devices from vendor ``1234 ``
327+ - ``vnd:1234+dev:3456 ``: Only device ``3456 `` from vendor ``1234 ``.
328+ - ``vnd:1234+cls:06:* ``: All the PTP devices from vendor ``1234 ``.
329+ - ``cls:06:* ``: All the PTP devices.
330+
331+ This permission only allows to enumerate devices. To open them,
332+ permission must be requested from the portal. It is not possible to
333+ open a device that is not enumerable.
334+
335+ .. note ::
336+
337+ The ``--device=usb `` permission is broader than what the USB portal
338+ is supposed to provide and allows unfettered access to any USB
339+ device on the bus.
340+
341+ In some situations you may need to specify a very long list of devices.
342+
343+ Device lists can be passed in one single argument, or through a file.
344+
345+ When using ``--usb-list ``, the queries are separated by a semi-colon
346+ ``; ``, with queries for hidden devices (i.e. those that would be
347+ passed with ``--nousb ``) prefixed with ``! ``.
348+
349+ When using ``--usb-list-file ``, the filename of the file containing
350+ USB queries is passed line by line. Like with ``--usb-list `` queries
351+ for hidden devices are prefixed with ``! ``. Empty lines and lines
352+ starting with a ``# `` are ignored. When used with ``flatpak override ``
353+ or ``flatpak build-finish `` the file is no longer needed afterwards as
354+ the list is persisted internally.
355+
260356dconf access
261357````````````
262358
0 commit comments