Hi folks! As a bonus update ahead of the main September post I want to switch things up a bit and introduce you to an experimental new feature landing in the Ubuntu 24.10 dailies soon.
Permissions prompting is a critical tool for privacy and security conscious users to control, manage and understand the behaviour of applications running on their machine. This implementation represents a significant step forward in application security, and distinguishes itself from traditional XDG Desktop Portals by enabling fine-grained access control over unmodified binaries without requiring changes to the application code. By leveraging Ubuntu’s AppArmor implementation, prompting enforces sandboxing and mediates access at the system call level to ensure that every action is tightly controlled and subject to user consent, even for applications that are entirely unaware of this mediation.
The snapd, security and desktop teams at Canonical have collaborated closely over a number of years to bring this feature to life and we’re excited to deliver an initial opt-in implementation to Ubuntu 24.10 focussed on home interface permissions so that we can refine the experience based on your feedback.
What is it?
If a picture is worth a thousand words, let’s see how many a GIF can capture:
This solution consists of two new seeded components in Ubuntu 24.10, prompting-client and desktop-security-center alongside deeper changes to snapd and AppArmor available in the upcoming snapd 2.65. The first is a new prompting client (built in Flutter) that surfaces the prompt requests from the application via snapd. The second is our new Security Center:
In this release the Security Center is the home for managing your prompt rules, over time we will expand its functionality to cover additional security-related settings for your desktop such as encryption management and firewall control.
As always, the demo above represents a work in progress, with further UI improvements still to land over the next few weeks ahead of release (and beyond). This implementation, as an opt-in feature, is designed to surface as much information to the user as possible regarding what actions the application is attempting to perform, what permissions you will be granting and their duration. We expect this to be iterated over based on user feedback.
How does it work?
Prompting adds a new layer of user-control to the existing permissions model of snaps.
Let’s briefly look at how snap permissions are handled today:
- As part of the snap creation process, applications specify a set of interfaces required to access the required system files and resources to perform the necessary actions they need to function.
- When a snap is installed, an AppArmor profile is generated on the host system by snapd, based on the interfaces specified in the snap (assuming they are granted and the user has not disconnected this interface manually).
- When a snap requests access to a specific system resource it communicates with the AppArmor module in the Ubuntu kernel. This checks against the application’s AppArmor profile to confirm that it has permission to perform this action.
- If the AppArmor profile does not provide the necessary rules to perform the action then it is denied by the AppArmor module. If it does, then access is granted.
This flow is summarised in the following diagram:
How prompting gives users control over the home interface
The home interface is a common interface required by desktop applications as it allows access to non-hidden files owned by the user in their home directory (where your personal files and documents are normally stored).
With prompting enabled, an application that has access to the home interface in its AppArmor profile will trigger a request to snapd to ask the user for more granular permissions at the moment of access:
Or for power-users:
As a result, users now have direct control over the specific directories and file paths an application has access to, as well its duration. The results of prompts are then stored in snapd so they can be queried and managed by the user via the Security Center.
The permissions flow diagram for prompting looks something like this:
How does prompting interact with XDG Desktop Portals?
The Linux desktop provides XDG Desktop Portals as a standardised way for applications to access resources that are outside of the sandbox. Applications that have been updated to use XDG Desktop Portals will continue to use them. Prompting is not intended to replace XDG Desktop Portals but to complement them by providing the desktop an alternative way to ask the user for permission. Either when an application has not been updated to use XDG Desktop Portals, or when it makes access requests not covered by XDG Desktop Portals.
Since prompting works at the syscall level, it does not require an application’s awareness or cooperation to work and extends the set of applications that can be run inside of a sandbox, allowing for a safer desktop. It is designed to enable desktop applications to take full advantage of snap packaging that might otherwise require classic confinement.
Enabling the feature
Whilst we have made efforts to ensure that permissions prompts offer sensible default selections, we feel there is more to do on the user experience before we consider enabling this feature by default for all users.
If you would like to test this implementation and provide us with feedback, you can do so by opening the new seeded Security Center application on Ubuntu 24.10 once it lands and toggling the feature on from there.
After activating the feature you will be able to view and remove permissions rules generated through your prompt responses.
Testing prompting in Ubuntu 24.04 LTS
For eager orioles who want to try this feature on the current Ubuntu release (and are mindful of the risks of testing experimental features) you can do so by:
Switching to snapd 2.65 (currently in the candidate channel):
snap refresh snapd --channel=candidate
And then installing the prompting client and security center:
snap install desktop-security-center
snap install prompting-client
Help us improve prompting
Creating a good user experience for such a rich feature is quite a challenge, and we want to understand how it will work for real users in real environments. This initial design for the prompts is based on our early user research and internal testing, but that’s not enough.
Since Ubuntu does not collect telemetry by default, direct feedback from the community is particularly valuable. We invite you to enable this feature and see how it feels during your day to day activities before using the links in the Security Center to provide feedback or report issues.
What’s still to come?
This is the first milestone on a long term investment in expanding the scope and usability of prompting. Expect to see much more about this feature in future Ubuntu release roadmaps.
In the meantime, here are some of the improvements we intend to make over the next few Ubuntu releases.
-
Better default response suggestions based on user feedback.
-
Shell integration of the prompting pop-ups (eg full screen takeovers)
-
Improved rule management summaries and better messaging of overlapping or redundant prompts.
-
Expansion of the prompting system to cover additional snap interfaces such as camera and microphone access.
-
Smarter client side analysis of prompts, recommending additional options if multiple similar prompts are detected.
Wrapping up
The first interim release after an LTS is the opportunity for us to take risks, preview work in progress and declare our intent for the next Ubuntu LTS. We want to be bold and give those who follow every Ubuntu release something exciting to test and talk about.
For Ubuntu 24.10 we’re pushing hard across security, performance and accessibility. From our switch to Wayland on NVIDIA, new identity management tools, a bleeding edge kernel and parallel initiatives around O3 optimisations and Core Desktop, this cycle has proven to be quite a ride!
Until next time.