feat: Update FLATPAK with info about Flatpak Browsers.md #317
Cup-png wants to merge 6 commits into secureblue:live from
Conversation
-added possibly useful link
content/articles/FLATPAK.md
Outdated
| ``` | ||
|
|
||
| As shown by one of the [links](https://forum.vivaldi.net/topic/33411/flatpak-support/191) in the features page part of flatpak's security model involves [denying user namespaces via SECCOMP-BPF to flatpaks, including flatpak browsers](https://discussion.fedoraproject.org/t/is-it-better-to-have-a-browser-sand-boxed-with-flatpak-or-not/162425/17). This (weakly) isolates them from the system & other apps but breaks their sandboxing layer responsible for site and process isolation, leaving only Zypak + SECCOMP-BPF in its place; or in the case of Firefox/Gecko-based browsers, [outright disables most sandboxing processes entirely by having no Zypak equivalent](https://bugzilla.mozilla.org/show_bug.cgi?id=1756236). The sole known exception to this being the GNOME Web/Epiphany flatpak, whose site isolation is still behind in comparison to the implementations in native Chromium-based & Gecko-based browser packages. | ||
| As shown by one of the [links](https://forum.vivaldi.net/topic/33411/flatpak-support/191) in the features page part of flatpak's security model involves [denying user namespaces via SECCOMP-BPF to flatpaks, including flatpak browsers](https://discussion.fedoraproject.org/t/is-it-better-to-have-a-browser-sand-boxed-with-flatpak-or-not/162425/17). This (weakly) isolates them from the system & other apps but breaks their sandboxing layer responsible for site and process isolation, leaving only Zypak + SECCOMP-BPF in its place; or in the case of Firefox/Gecko-based browsers, [outright disables most sandboxing processes entirely by having no Zypak equivalent](https://bugzilla.mozilla.org/show_bug.cgi?id=1756236). The sole known exception to this being the GNOME Web/Epiphany flatpak, whose site isolation is [still behind](https://github.com/RKNF404/chromium-hardening-guide/blob/main/pages/BROWSER_SELECTION.md#epiphanywebkitgtk) in comparison to the implementations in native Chromium-based & Gecko-based browser packages. |
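Review bot: the hunk's closing sentence, "The sole known exception to this being the GNOME Web/Epiphany flatpak, whose site isolation is ...", has no main verb; suggest "The sole known exception is the GNOME Web/Epiphany flatpak, whose site isolation is still behind ...". The opening "As shown by one of the links in the features page" also sends readers to a page that is not linked from this paragraph; either link the features page or drop the reference.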
Instead of mentioning the features page, we can just start with:
Flatpak's security model involves...
This (weakly) isolates them from the system
It's one form of isolation. It prevents them from reaching certain kernel code paths that they would otherwise not be able to as unprivileged processes.
still behind
"notably weaker" is likely better here
Also, Zypak is just one method for hacking around the issue. The chromium flatpak package uses a set of patches to replace the layer 1 sandbox with flatpak's: https://github.com/flathub/org.chromium.Chromium/blob/master/patches/chromium/flatpak-Add-initial-sandbox-support.patch
Also, Zypak should be linked to, we shouldn't assume people know what it is
Is "flatpak_sandbox" that I'm seeing here the seccomp-bpf parts?: https://github.com/flathub/org.chromium.Chromium/blob/master/patches/chromium/flatpak-Add-initial-sandbox-support.patch
| ``` | ||
| ujust harden-flatpak | ||
| ``` | ||
| Part of flatpak's security model involves [denying user namespaces](https://forum.vivaldi.net/topic/33411/flatpak-support/191) [via SECCOMP-BPF](https://www.kernel.org/doc/html/v4.19/userspace-api/seccomp_filter.html) [to flatpaks, including flatpak browsers](https://discussion.fedoraproject.org/t/is-it-better-to-have-a-browser-sand-boxed-with-flatpak-or-not/162425/17). This is one way to isolate them from the system & other apps by preventing them from reaching certain kernel code paths that they would otherwise not be able to as unprivileged processes but breaks their sandboxing layer responsible for site and process isolation, leaving only [Zypak](https://github.com/refi64/zypak) + SECCOMP-BPF + [additional patches](https://github.com/flathub/org.chromium.Chromium/blob/master/patches/chromium/flatpak-Add-initial-sandbox-support.patch) in its place; or in the case of Firefox/Gecko-based browsers, [outright disables most sandboxing processes entirely by having no Zypak equivalent](https://bugzilla.mozilla.org/show_bug.cgi?id=1756236). The sole known exception to this being the GNOME Web/Epiphany flatpak, whose site isolation is [notably weaker](https://github.com/RKNF404/chromium-hardening-guide/blob/main/pages/BROWSER_SELECTION.md#epiphanywebkitgtk) in comparison to the implementations in native Chromium-based & Gecko-based browser packages. |
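Review bot: in the added paragraph, "preventing them from reaching certain kernel code paths that they would otherwise not be able to as unprivileged processes" reads as the opposite of what is meant: user namespaces are what let an unprivileged process reach those paths, so denying them closes that route. Suggest "preventing them from reaching kernel code paths that unprivileged processes could otherwise only reach through user namespaces". The same sentence then runs on with "but breaks their sandboxing layer ..." and would be easier to follow if split there, and "The sole known exception to this being ..." still needs a main verb ("The sole known exception is ...").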
The first part of this is heavily linked, which might impact readability. Also, I'm not sure how valuable that fedora thread link is.
This is one way to isolate them from the system & other apps by preventing them from reaching certain kernel code paths that they would otherwise not be able to as unprivileged processes but breaks their sandboxing layer responsible for site and process isolation
This could be broken up for readability
- SECCOMP-BPF
What do you mean here?
[additional patches]
Some details should be added on what these patches do and why it's a problem, same for zypak
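The mechanism the thread keeps referring to, denying user namespaces to a sandboxed process via SECCOMP-BPF, as an added illustration that is not part of this PR, of Flatpak or of bubblewrap: a minimal filter that makes `unshare`/`clone` with `CLONE_NEWUSER` fail with EPERM while leaving everything else allowed. The rule set is a simplified stand-in for Flatpak's real one (which also has to deal with `clone3`, whose flags live in a struct the filter cannot inspect); the architecture macros assume x86_64 or aarch64.

```c
// Simplified seccomp-BPF filter that denies user namespace creation.
// Illustration of the mechanism only; not Flatpak's or bubblewrap's rules.
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sched.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Install the filter in the calling process; returns 0 or -errno. */
int install_deny_userns_filter(void) {
    struct sock_filter prog[] = {
        /* Kill the process if the syscall ABI is not the one we built for. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Only unshare and clone carry namespace flags in a plain argument. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_unshare, 1, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_clone, 0, 3),
        /* Low 32 bits of arg0 (the flags); reject if CLONE_NEWUSER is set. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, CLONE_NEWUSER, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = (unsigned short)(sizeof prog / sizeof prog[0]),
                                .filter = prog };
    /* no_new_privs is what lets an unprivileged process load a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog) != 0) return -errno;
    return 0;
}

/* Attempt a user namespace; returns 0 on success, otherwise the errno. */
int try_user_namespace(void) { return unshare(CLONE_NEWUSER) == 0 ? 0 : errno; }

int main(void) {
    if (install_deny_userns_filter() != 0) { perror("seccomp"); return 1; }
    printf("unshare(CLONE_NEWUSER) -> errno %d (EPERM is %d)\n", try_user_namespace(), EPERM);
    return 0;
}
```

Run it inside and outside a sandbox to compare: with the filter loaded the call fails with EPERM, which is the observable effect a browser's own user-namespace sandbox runs into under Flatpak.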