On Wed, 2016-06-15 at 08:24 +0200, Florian Weimer wrote: > On 06/15/2016 06:27 AM, Andrew Lutomirski wrote: > > On Tue, Jun 14, 2016 at 9:07 PM, Florian Weimer <fwei...@redhat.com > > > wrote: > > > On 06/15/2016 04:11 AM, Andrew Lutomirski wrote: > > > > > > > I *strongly* disagree here. The xdg-app folks seem to be doing > > > > a > > > > pretty good job with their sandbox. The kernel attack surface > > > > is > > > > reduced considerably, as is the attack surface against the user > > > > via > > > > ptrace and filesystem access. If Wayland is available (which > > > > is > > > > should be!) then so is the attack surface against X. > > > > > > > > > What about the direct access to DRI device nodes? Why isn't this > > > a problem > > > that reduces the effectiveness of the sandbox considerably? > > > > It's certainly a meaningful attack surface. That being said, if it > > works well, it should be about as dangerous as Chromium's render > > sandbox, and the latter seems to work fairly well in practice. I'm > > assuming that xdg-app grants access to render nodes, not to the > > legacy > > node. > > I'm not sure what kind of sandboxing there is. I was just able to > open > ~/.ssh/id_rsa from a Flatpak application, and change ~/.bash_profile > (both outside the sandbox, obviously).
You can opt-out of parts of the sandbox for flatpak apps, and right now most apps allow access to the home-directory, because we've not yet finished the work on portals which will allow mediated access to user files. That said, simple apps like a game will work fine without granting them access to the users file. This means current applications packaged with flatpak is mostly about distribution, and not so much sandboxing. However, we're working on fixing this. -- devel mailing list devel@lists.fedoraproject.org https://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org
