[sane-devel] Sandboxing scanner applications
Alexander Pevzner
pzz at apevzner.com
Fri Sep 18 20:08:28 BST 2020
On 9/18/20 8:08 PM, Bastien Nocera wrote:
> Firefox already supports using GtkPrintOperation to print using the
> portal, look for nsFlatpakPrintPortal:
> https://searchfox.org/mozilla-central/source/widget/gtk/nsPrintDialogGTK.cpp#570
I didn't know, thanks for explanation.
> The print portal is not as powerful as talking directly to CUPS to
> print, but it's better than having all the apps be on the network just
> to be able to print something.
D-Bus is, essentially, messaging over AF_UNIX socket.
IPP can work over AF_UNIX socket, though using TCP socket is more
convenient, because allows to reuse existent Avahi infrastructure for
printers/servers discovery (even within a single machine, over loopback).
And as for me, there is no a lot of conceptual difference between
AF_UNIX and loopback communication.
> But sane _drivers_ aren't sandboxed. The application using the hardware
> driver is.
OK, I probably was more concerned about sandboxing of sane drivers, so
misinterpreted your initial question.
Anyway, whatever we want to do solves both problems.
> So, will it be possible to use IPP scan without using IP, preferably
> over D-Bus, so it can be filtered, and authorised, using the existing
> portal mechanisms?
To make scanning over D-Bus possible, somebody needs to implement SANE
driver (backend) that can communicate with portal, and portal itself (a
kind of scan server, that responds to D-Bus requests and uses SANE
drivers to perform actual scanning). AFAIK, currently nobody works on
something like this.
--
Wishes, Alexander Pevzner (pzz at apevzner.com)
More information about the sane-devel
mailing list