
FlatPak in Debian

Supported since stretch, the FlatPak framework is available on Debian. Might be useful for newer versions of standalone software that move too fast for Debian’s release cycle. There is a big warning label on relying on it for sandboxing security however.

https://wiki.debian.org/FlatPak

1 Like

Flatpak’s sandboxing isn’t that great. Most apps come with filesystem=home by default, which mounts all of /home as read-write, meaning you can escape just by running echo evil_malware >> .bashrc, or many have device=all so you have access to all devices.

It’s not fine-grained at all and it’s either allow a whole bunch of stuff, or not allow anything.

The devs also refuse to add any X11 sandboxing and claim X11 can’t be secured even though using xpra is easy.

2 Likes
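To check which installed apps actually carry the permissions named in the post above, this added example (not from the thread or from the Flatpak project) audits the `[Context]` section of a Flatpak metadata keyfile for broad filesystem access, `devices=all` and the X11 socket. The function name and the sample metadata are constructed for illustration.

```python
import configparser

BROAD_PATHS = {"home", "host"}      # whole home directory / whole host filesystem
MODES = {"ro", "rw", "create"}      # suffixes accepted after ':' in a filesystem entry

def audit_metadata(text):
    """Return (key, value, reason) findings for one Flatpak metadata keyfile."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str            # keyfile keys are case-sensitive
    cp.read_string(text)
    if not cp.has_section("Context"):
        return []

    def values(key):
        # Context values are ';'-separated lists, usually with a trailing ';'
        return [v.strip() for v in cp["Context"].get(key, "").split(";") if v.strip()]

    findings = []
    for entry in values("filesystems"):
        if entry.startswith("!"):   # negated entry removes access
            continue
        path, sep, mode = entry.rpartition(":")
        if not sep or mode not in MODES:
            path, mode = entry, "rw"    # no suffix means read-write
        if path in BROAD_PATHS:
            reason = ("readable but not writable" if mode == "ro"
                      else "writable: app can edit shell startup files")
            findings.append(("filesystems", entry, reason))
    if "all" in values("devices"):
        findings.append(("devices", "all", "all devices are exposed"))
    if "x11" in values("sockets"):
        findings.append(("sockets", "x11", "X11 socket shared with the app"))
    return findings

# Constructed sample metadata, not taken from a real application.
SAMPLE = """\
[Application]
name=org.example.Editor

[Context]
shared=network;ipc;
sockets=x11;pulseaudio;
devices=all;
filesystems=home;xdg-download:ro;
"""
```

The metadata for an installed app can be printed with `flatpak info --show-metadata <app-id>` and passed to `audit_metadata` as a string.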

Indeed. Thanks for your input. It adds context to Bubblewrap’s recommendation of using Flatpak as an alternative for security sandboxing of resources like Pulseaudio which they don’t handle.

Now we know this is not a real option and that Firejail is the only sandboxing solution that attempts to handle the graphics/audio interactions of software besides other access.

2 Likes

In the context of the Policy for Inclusion of Compiled Software, the sandboxing is irrelevant.

2 Likes

No, firejail’s handling of graphics/audio is essentially just a few blacklist rules.

https://github.com/netblue30/firejail/blob/master/src/firejail/pulseaudio.c

They’ve just made it far more complicated than it needs to be. Another reason why firejail has too large an attack surface.

This can easily be replicated in other sandboxing solutions like bubblewrap by just not mounting pulseaudio files.

1 Like