New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
flatpak_installation_launch() provides no way to run without a sandbox #473
Comments
Chromes runs in a sandbox by shipping a setuid binary (chrome-sandbox). We can't allow setuid binaries to work in sandbox, because that is one of the fundamental things that makes it possible to use namespaces in a secure way. |
So what do we tell Google? Turn off the sandboxing support in their flatpak build of chrome? I can't see that being popular. |
Yeah. I unfortunately don't see what other option we have. |
We could try to give an option for providing capabilities in bubblewrap - like systemd-nspawn, Docker, rkt etc. are doing. From what I understand, Chrome will need CAP_SYS_ADMIN and CAP_SYS_CHROOT. However, that's insecure, so if we aren't going to give that option even at flatpak app maintainers' risk, I totally understand. If we aren't going to support adding more caps, then yes, Chrome would need to provide a possibility to turn off sandboxing without showing warnings to the user. |
There is a difference, docker/rkt/nspawn require you to be root to run them. Flatpak doesn't so, it would be a root privilege escalation if we did. |
don't think there's anything for flatpak to be done here. |
To launch apps like Chrome packaged as a flatpak we need to run them without the sandbox (as it contains a sandbox itself...). Could we have something like flatpak_installation_launch_full() that takes some bitfields, one of which being
_NO_SANDBOX
or something? I guess this needs setting up the namespace but not the various sandbox bits, if that's even possible.The text was updated successfully, but these errors were encountered: