feat: Update FLATPAK with info about Flatpak Browsers.md #317
Cup-png wants to merge 5 commits into secureblue:live from
Conversation
- added possibly useful link
content/articles/FLATPAK.md
Outdated
| ``` | ||
|
|
||
| As shown by one of the [links](https://forum.vivaldi.net/topic/33411/flatpak-support/191) in the features page part of flatpak's security model involves [denying user namespaces via SECCOMP-BPF to flatpaks, including flatpak browsers](https://discussion.fedoraproject.org/t/is-it-better-to-have-a-browser-sand-boxed-with-flatpak-or-not/162425/17). This (weakly) isolates them from the system & other apps but breaks their sandboxing layer responsible for site and process isolation, leaving only Zypak + SECCOMP-BPF in its place; or in the case of Firefox/Gecko-based browsers, [outright disables most sandboxing processes entirely by having no Zypak equivalent](https://bugzilla.mozilla.org/show_bug.cgi?id=1756236). The sole known exception to this being the GNOME Web/Epiphany flatpak, whose site isolation is still behind in comparison to the implementations in native Chromium-based & Gecko-based browser packages. | ||
| As shown by one of the [links](https://forum.vivaldi.net/topic/33411/flatpak-support/191) in the features page part of flatpak's security model involves [denying user namespaces via SECCOMP-BPF to flatpaks, including flatpak browsers](https://discussion.fedoraproject.org/t/is-it-better-to-have-a-browser-sand-boxed-with-flatpak-or-not/162425/17). This (weakly) isolates them from the system & other apps but breaks their sandboxing layer responsible for site and process isolation, leaving only Zypak + SECCOMP-BPF in its place; or in the case of Firefox/Gecko-based browsers, [outright disables most sandboxing processes entirely by having no Zypak equivalent](https://bugzilla.mozilla.org/show_bug.cgi?id=1756236). The sole known exception to this being the GNOME Web/Epiphany flatpak, whose site isolation is [still behind](https://github.com/RKNF404/chromium-hardening-guide/blob/main/pages/BROWSER_SELECTION.md#epiphanywebkitgtk) in comparison to the implementations in native Chromium-based & Gecko-based browser packages. |
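Review bot: the only change in this hunk is the link added to "still behind", but the surrounding sentence is left overstating the case in two places. "leaving only Zypak + SECCOMP-BPF in its place" presents Zypak as the sole fallback for Chromium-based browsers, yet the Flathub Chromium package instead carries a patch set that replaces Chromium's layer-1 sandbox with Flatpak's (https://github.com/flathub/org.chromium.Chromium/blob/master/patches/chromium/flatpak-Add-initial-sandbox-support.patch), and "Zypak" is used without a link or a word on what it is. Suggest something like "leaving the Flatpak sandbox plus seccomp-BPF in its place, with the missing layer worked around either by Zypak (link it) or, in the Flathub Chromium package, by a patch set that wires Chromium's sandbox to Flatpak's", and dropping the opening "As shown by one of the links in the features page" so the paragraph reads on its own; "still behind" is also vaguer than the point being made, and the linked guide supports a stronger wording such as "notably weaker".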
Instead of mentioning the features page, we can just start with:

Flatpak's security model involves...

> This (weakly) isolates them from the system

It's one form of isolation. It prevents them from reaching certain kernel code paths that they would otherwise not be able to as unprivileged processes.

> still behind

"notably weaker" is likely better here
Also, Zypak is just one method for hacking around the issue. The Chromium flatpak package uses a set of patches to replace the layer 1 sandbox with flatpak's: https://github.com/flathub/org.chromium.Chromium/blob/master/patches/chromium/flatpak-Add-initial-sandbox-support.patch
Also, Zypak should be linked to, we shouldn't assume people know what it is
Is "flatpak_sandbox" that I'm seeing here the seccomp-bpf parts?: https://github.com/flathub/org.chromium.Chromium/blob/master/patches/chromium/flatpak-Add-initial-sandbox-support.patch
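The claim under discussion in this thread is that Flatpak's seccomp-BPF filter denies user namespaces to the sandboxed app, which is what takes Chromium's layer-1 (namespace-based) sandbox away. The probe below is an added example, not code from the secureblue article, the PR, or any browser package: it forks a child that attempts `unshare(CLONE_NEWUSER)` and reports the errno the kernel or a seccomp filter hands back. Run it on the host and again inside a sandbox (`flatpak run --command=sh <app-id>`, then compile and run it there, assuming a toolchain is reachable from inside) to see the denial directly. The interpretation strings are the example's own reading of the errno values; in particular the statement that Flatpak's filter answers with EPERM is an assumption about the filter's configured action, not something the thread states.

```c
/* Added example (not from the secureblue article or this PR): probe whether the
 * calling process is allowed to create a user namespace. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Attempt unshare(CLONE_NEWUSER) in a forked child so the caller's own
 * namespaces are left untouched. Returns 0 if the child could create a user
 * namespace, the errno reported to the child otherwise, or -1 if the probe
 * itself (fork/waitpid) failed. */
int probe_userns(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER) == 0)
            _exit(0);
        /* exit status carries the errno (clamped to the 8 bits available) */
        _exit((errno > 0 && errno < 255) ? errno : 255);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Map the probe result to a short explanation. The EPERM line assumes the
 * seccomp filter is configured to fail the syscall with EPERM, which is also
 * what a kernel.unprivileged_userns_clone=0 style sysctl produces, so the two
 * cannot be told apart from errno alone. */
const char *explain_userns(int result)
{
    switch (result) {
    case 0:      return "allowed: unprivileged user namespaces are available";
    case EPERM:  return "denied: seccomp-BPF filter (assumed EPERM action) or sysctl";
    case EINVAL: return "unsupported: kernel built without user namespace support";
    case -1:     return "probe failed: could not fork or wait for the child";
    default:     return "denied for another reason (see errno value)";
    }
}

int main(void)
{
    int r = probe_userns();
    printf("unshare(CLONE_NEWUSER) -> %d: %s\n", r, explain_userns(r));
    return 0;
}
```

On a stock desktop host the probe normally reports 0; inside a Flatpak sandbox the expected result is EPERM, which is the condition that makes Zypak or the Flathub Chromium patch set necessary in the first place. A result of EPERM on the host as well means the distribution restricts unprivileged user namespaces globally, and the Flatpak layer is not the reason.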