Permission Denied with Flatpak (/sys/block)

user@host:~$ flatpak run org.mozilla.firefox
bwrap: Can't find source path /sys/block: Permission denied
user@host:~$

Note: All these hardened features are enabled in my VM:

1 Like

related feature:
https://www.kicksecure.com/wiki/Security-misc#Reduce_Kernel_Information_Leaks


flatpak requires /sys/block. See this highlighted line:

reported upstream:


workaround:
https://www.kicksecure.com/wiki/Security-misc#Whitelisting_Applications

1 Like
[workstation user ~]% flatpak remote-add --if-not-exists flathub https://flathub.org/repo/flathub.flatpakrepo
error: Flatpak system operation ConfigureRemote not allowed for user
zsh: exit 1     flatpak remote-add --if-not-exists flathub

Current flatpak running from whonix-ws qubes.

Caused by:

  • A) hide hardware information and/or
  • B) hidepid and/or,
  • C) otherwise?

After a couple of tests, yeah, only A (hide-hardware-info) reproduces it clearly.

1 Like

Add this to it as well:

Qubes specific: If the user removed qubes-core-agent-passwordless-root, he will get this issue.

So, to correctly address the issues here:

  • Issue (1)
bwrap: Can't find source path /sys/block: Permission denied

Due to hide hardware information

  • Issue (2)
error: Flatpak system operation ConfigureRemote not allowed for user

Due to the user having removed the qubes-core-agent-passwordless-root package from his VM in Qubes.

Note: if both are enabled, it will just show Issue (2).

2 Likes
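
A diagnostic sketch for the two issues summarized above, added here as an example and not part of any post in the thread or of security-misc. It maps each error line to its cause and, because Issue (2) hides Issue (1) in flatpak's output, also checks directly whether /sys/block is traversable. The function names and the optional test-root argument are hypothetical; it assumes GNU stat and inspects only the "other" permission bits.

```shell
#!/bin/sh
# Added diagnostic sketch; not code from the thread or from security-misc.
# Assumes GNU coreutils stat (-L follows symlinks, -c %a prints octal mode).

# Map a flatpak error line to the causes identified in the thread.
classify_flatpak_error() {
    case $1 in
        *"Can't find source path /sys/block: Permission denied"*)
            echo "issue1 hide-hardware-info" ;;
        *"ConfigureRemote not allowed for user"*)
            echo "issue2 qubes-core-agent-passwordless-root removed" ;;
        *)  echo "unknown" ;;
    esac
}

# Print the first component of the path in $1 that lacks the "other"
# execute (search) bit, i.e. that a user who is neither owner nor group
# member cannot traverse. $2 (optional, hypothetical) is a prefix that is
# prepended but not checked, so the walk can be tried on a scratch tree.
first_blocked_component() {
    root=${2:-}
    cur=""
    rest=${1#/}
    while [ -n "$rest" ]; do
        part=${rest%%/*}
        case $rest in */*) rest=${rest#*/} ;; *) rest="" ;; esac
        [ -n "$part" ] || continue
        cur="$cur/$part"
        mode=$(stat -L -c %a "$root$cur" 2>/dev/null) ||
            { echo "$cur (cannot stat)"; return 2; }
        other=${mode#"${mode%?}"}      # last octal digit = "other" bits
        if [ $((other & 1)) -eq 0 ]; then
            echo "$cur"
            return 1
        fi
    done
    return 0
}

# Issue (2) masks Issue (1) in flatpak's output, so check /sys directly.
blocked=$(first_blocked_component /sys/block) ||
    echo "blocked at: $blocked"
```
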
1 Like

flatpak: thanks to "Make /sys hardening optional and allow access to /sys/fs to make polkit work" by DanWin (Pull Request #204, Kicksecure/security-misc, GitHub), this is now fixed. Also discussed here: "improve hide-hardware-info.service, make `/sys` hiding optional and enable by default" (Issue #172, Kicksecure/security-misc, GitHub).

This is now in the testers repository.

1 Like

This is now in the stable repository.

2 Likes

Both of these issues are now fixed.

1 Like