On Jun 14, 2016 11:24 PM, "Florian Weimer" <fwei...@redhat.com> wrote: > > On 06/15/2016 06:27 AM, Andrew Lutomirski wrote: >> >> On Tue, Jun 14, 2016 at 9:07 PM, Florian Weimer <fwei...@redhat.com> wrote: >>> >>> On 06/15/2016 04:11 AM, Andrew Lutomirski wrote: >>> >>>> I *strongly* disagree here. The xdg-app folks seem to be doing a >>>> pretty good job with their sandbox. The kernel attack surface is >>>> reduced considerably, as is the attack surface against the user via >>>> ptrace and filesystem access. If Wayland is available (which is >>>> should be!) then so is the attack surface against X. >>> >>> >>> >>> What about the direct access to DRI device nodes? Why isn't this a problem >>> that reduces the effectiveness of the sandbox considerably? >> >> >> It's certainly a meaningful attack surface. That being said, if it >> works well, it should be about as dangerous as Chromium's render >> sandbox, and the latter seems to work fairly well in practice. I'm >> assuming that xdg-app grants access to render nodes, not to the legacy >> node. > > > I'm not sure what kind of sandboxing there is. I was just able to open ~/.ssh/id_rsa from a Flatpak application, and change ~/.bash_profile (both outside the sandbox, obviously). > > I couldn't find any relevant device nodes in the file system namespace.
Hmm. Maybe the current Flatpak doesn't have the xdg-app sandbox enabled.
-- devel mailing list devel@lists.fedoraproject.org https://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org