Supported since stretch, the Flatpak framework is available on Debian. It might be useful for newer versions of standalone software that move too fast for Debian's release cycle. There is a big warning label on relying on it for sandboxing security, however.
Flatpak's sandboxing isn't that great. Most apps come with filesystem=home by default, which mounts all of /home as read-write, meaning you can escape just by running echo evil_malware >> .bashrc, or many have device=all so you have access to all devices.
It’s not fine-grained at all and it’s either allow a whole bunch of stuff, or not allow anything.
The devs also refuse to add any X11 sandboxing and claim X11 can’t be secured even though using xpra is easy.
Indeed. Thanks for your input. It adds context to Bubblewrap’s recommendation of using Flatpak as an alternative for security sandboxing of resources like Pulseaudio which they don’t handle.
Now we know this is not a real option and that Firejail is the only sandboxing solution that attempts to handle the graphics/audio interactions of software besides other access.
In the context of the Policy for Inclusion of Compiled Software, the sandboxing is irrelevant.
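The coarse grants complained about above (filesystem=home, device=all, the X11 socket) are visible in an app's metadata, which is what flatpak info --show-permissions APP prints, and can be tightened per user with flatpak override. The script below is an added example, not code from this thread or from the Flatpak project: it parses the [Context] section, reports the grants that give a process the run of the host, and prints the matching override commands. The metadata it reads is constructed for the demo and org.example.Editor is not a real app.

```shell
#!/bin/sh
# Added example (not from the thread or the Flatpak project): audit the [Context]
# section of a Flatpak app's metadata for coarse grants and print the matching
# `flatpak override` commands. SAMPLE_METADATA is constructed for the demo;
# org.example.Editor is not a real app. The keys used (sockets, devices,
# filesystems) are the ones `flatpak info --show-permissions APP` prints.

SAMPLE_METADATA='[Application]
name=org.example.Editor
runtime=org.freedesktop.Platform/x86_64/23.08
command=editor

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
filesystems=home;xdg-download;
'

# The same app after the overrides suggested below (constructed as well).
SAFER_METADATA='[Context]
shared=network;
sockets=wayland;pulseaudio;
devices=dri;
filesystems=home:ro;xdg-download;
'

# context_value KEY : print KEY's value from the [Context] section read on stdin.
context_value() {
    awk -F= -v key="$1" '
        /^\[/               { in_ctx = ($0 == "[Context]"); next }
        in_ctx && $1 == key { print substr($0, length(key) + 2); exit }
    '
}

# has_item LIST ITEM : succeed if ITEM is one of the semicolon-separated entries.
has_item() {
    case ";$1;" in *";$2;"*) return 0 ;; esac
    return 1
}

# audit_context : read metadata on stdin, print one finding per line.
#   WRITE:<fs>   home or host mounted writable (any mode other than :ro),
#                which is the `>> .bashrc` escape from the thread
#   DEVICE:all   every device node passed through
#   SOCKET:x11   X11 socket shared; X clients are not isolated from each other
audit_context() {
    meta=$(cat)
    fs=$(printf '%s\n' "$meta" | context_value filesystems)
    dev=$(printf '%s\n' "$meta" | context_value devices)
    sock=$(printf '%s\n' "$meta" | context_value sockets)
    old_ifs=$IFS; IFS=';'
    for entry in $fs; do
        base=${entry%%:*}; mode=${entry#"$base"}   # mode: "", :ro, :rw or :create
        if { [ "$base" = home ] || [ "$base" = host ]; } && [ "$mode" != ":ro" ]; then
            echo "WRITE:$entry"
        fi
    done
    IFS=$old_ifs
    has_item "$dev" all && echo "DEVICE:all"
    has_item "$sock" x11 && echo "SOCKET:x11"
    return 0
}

# suggest_overrides APP : turn findings on stdin into per-user override commands.
suggest_overrides() {
    app=$1
    while IFS= read -r finding; do
        case $finding in
            WRITE:*)  fs=${finding#WRITE:}
                      echo "flatpak override --user --nofilesystem=${fs%%:*} $app" ;;
            DEVICE:*) echo "flatpak override --user --nodevice=all $app" ;;
            SOCKET:*) echo "flatpak override --user --nosocket=${finding#SOCKET:} $app" ;;
        esac
    done
}

# count_findings : number of findings for the metadata on stdin.
count_findings() {
    audit_context | awk 'END { print NR }'
}

echo "== findings for org.example.Editor =="
printf '%s\n' "$SAMPLE_METADATA" | audit_context
echo "== suggested overrides =="
printf '%s\n' "$SAMPLE_METADATA" | audit_context | suggest_overrides org.example.Editor
echo "== findings after overrides: $(printf '%s\n' "$SAFER_METADATA" | count_findings) =="
```

Two caveats when applying the suggested overrides: --nosocket=x11 only helps for apps that actually run under Wayland, and home:ro still lets the app read everything under the home directory (SSH keys, browser profiles), so it removes the persistence trick, not the data exposure.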
No, firejail’s handling of graphics/audio is essentially just a few blacklist rules.
They've just made it far more complicated than it needs to be. Another reason why firejail has too large an attack surface.
This can easily be replicated in other sandboxing solutions like bubblewrap by just not mounting pulseaudio files.
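What "just not mounting the pulseaudio files" looks like in practice, as an added example that is not from this thread and is not bubblewrap's or firejail's own code: a bwrap wrapper where $XDG_RUNTIME_DIR is an empty tmpfs, so the PulseAudio socket does not exist inside the sandbox, next to an "audio" mode that binds only the socket itself. Everything about the host is an assumption for the demo: a merged-/usr layout (Debian bookworm or later), a PulseAudio or PipeWire-pulse socket at $XDG_RUNTIME_DIR/pulse/native, and a mount set that is enough for a shell probe but is not a complete application profile.

```shell
#!/bin/sh
# Added example (not from the thread, bubblewrap or firejail): deny audio by
# never binding the pulse socket, allow it by binding only that socket.
# Assumptions for the demo: merged /usr, pulse socket at the usual path below,
# minimal mounts that suit a probe command rather than a real application.

RUNTIME_DIR=${XDG_RUNTIME_DIR:-/run/user/$(id -u)}
PULSE_SOCK="$RUNTIME_DIR/pulse/native"

# run_sandboxed MODE PROGRAM [ARG...]
#   noaudio: $RUNTIME_DIR is an empty tmpfs, nothing from it is visible.
#   audio:   the socket file alone is bind-mounted into that tmpfs and
#            PULSE_SERVER is pointed at it; the rest of the runtime dir
#            (dbus socket, wayland socket, ...) stays hidden.
run_sandboxed() {
    mode=$1; shift
    if [ "$mode" = audio ]; then
        set -- --ro-bind "$PULSE_SOCK" "$PULSE_SOCK" \
               --setenv PULSE_SERVER "unix:$PULSE_SOCK" -- "$@"
    else
        set -- -- "$@"
    fi
    # ld.so.cache is only present on glibc systems; bind it when it exists.
    [ -e /etc/ld.so.cache ] && set -- --ro-bind /etc/ld.so.cache /etc/ld.so.cache "$@"
    bwrap --ro-bind /usr /usr \
          --symlink usr/lib /lib --symlink usr/lib64 /lib64 \
          --symlink usr/bin /bin --symlink usr/sbin /sbin \
          --proc /proc --dev /dev \
          --tmpfs "$RUNTIME_DIR" \
          --unshare-all --die-with-parent --new-session \
          "$@"
}

# pulse_visible MODE : "yes" if a probe inside the sandbox finds a socket at
# $PULSE_SOCK, "no" if it does not, "skipped" when bwrap is not installed, the
# host has no pulse socket to bind (audio mode), or the sandbox cannot be
# created here (for example user namespaces are disabled).
pulse_visible() {
    command -v bwrap >/dev/null 2>&1 || { echo skipped; return 0; }
    if [ "$1" = audio ] && [ ! -S "$PULSE_SOCK" ]; then echo skipped; return 0; fi
    out=$(run_sandboxed "$1" /bin/sh -c \
          "if [ -S '$PULSE_SOCK' ]; then echo yes; else echo no; fi" 2>/dev/null) \
        || out=skipped
    case $out in yes|no) echo "$out" ;; *) echo skipped ;; esac
}

echo "pulse socket visible with noaudio: $(pulse_visible noaudio)"
echo "pulse socket visible with audio:   $(pulse_visible audio)"
```

The point of the comparison is that "no audio" needs no rule at all: the socket is absent because nothing put it there, which is the allow-list model bubblewrap works on, whereas a blacklist has to name the socket path (and every alternative such as PULSE_SERVER pointing at a TCP listener) to get the same effect.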