Skip to content

feat: Update FLATPAK with info about Flatpak Browsers.md #317

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Cup-png wants to merge 6 commits into
base: live
Choose a base branch
from
+5 −0
Open

feat: Update FLATPAK with info about Flatpak Browsers.md #317

Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
071da64
FEAT: Update FLATPAK with info about Flatpak Browsers.md
Cup-png Mar 11, 2026
1b7a849
feat: Update FLATPAK.md
Cup-png Mar 11, 2026
062d4c7
Update FLATPAK.md
Cup-png Mar 13, 2026
c1270d4
Merge branch 'secureblue:live' into flatpak-info
Cup-png Mar 14, 2026
72ddd94
Merge branch 'secureblue:live' into flatpak-info
Cup-png Mar 15, 2026
c67833e
Merge branch 'secureblue:live' into flatpak-info
Cup-png Mar 21, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions content/articles/FLATPAK.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,3 +35,8 @@ Note that this will not only undo the `ujust flatpak-permissions-lockdown` comma
```
ujust harden-flatpak
```
Part of flatpak's security model involves [denying user namespaces](https://forum.vivaldi.net/topic/33411/flatpak-support/191) [via SECCOMP-BPF](https://www.kernel.org/doc/html/v4.19/userspace-api/seccomp_filter.html) [to flatpaks, including flatpak browsers](https://discussion.fedoraproject.org/t/is-it-better-to-have-a-browser-sand-boxed-with-flatpak-or-not/162425/17). This is one way to isolate them from the system & other apps by preventing them from reaching certain kernel code paths that they would otherwise not be able to as unprivileged processes but breaks their sandboxing layer responsible for site and process isolation, leaving only [Zypak](https://github.com/refi64/zypak) + SECCOMP-BPF + [additional patches](https://github.com/flathub/org.chromium.Chromium/blob/master/patches/chromium/flatpak-Add-initial-sandbox-support.patch) in its place; or in the case of Firefox/Gecko-based browsers, [outright disables most sandboxing processes entirely by having no Zypak equivalent](https://bugzilla.mozilla.org/show_bug.cgi?id=1756236). The sole known exception to this being the GNOME Web/Epiphany flatpak, whose site isolation is [notably weaker](https://github.com/RKNF404/chromium-hardening-guide/blob/main/pages/BROWSER_SELECTION.md#epiphanywebkitgtk) in comparison to the implementations in native Chromium-based & Gecko-based browser packages.
Copy link
Contributor

@RoyalOughtness RoyalOughtness Mar 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The first part of this is heavily linked, which might impact readability. Also, I'm not sure how valuable that fedora thread link is.

This is one way to isolate them from the system & other apps by preventing them from reaching certain kernel code paths that they would otherwise not be able to as unprivileged processes but breaks their sandboxing layer responsible for site and process isolation

This could be broken up for readability

  • SECCOMP-BPF

What do you mean here?

[additional patches]

some details should be added on what these patches do and why it's a problem, same for zypak


Therefore we've kept hidden flatpak browsers (aside from GNOME Web) from view on the software store frontends including [recently](https://github.com/secureblue/secureblue/pull/1898) on Bazaar to discourage their usage and directing the user to Trivalent.

We have interest in shipping Trivalent as a flatpak in the future nonetheless for more availability but not until a solution like [nested namespaces](https://github.com/flatpak/flatpak/pull/6386) becomes usable to allow the browser to perform the necessary syscalls to execute its sandboxed processes properly.