flatpak_installation_launch() provides no way to run without a sandbox #473

Open
hughsie opened this Issue Jan 5, 2017 · 5 comments


@hughsie
Collaborator
hughsie commented Jan 5, 2017

To launch apps like Chrome packaged as a flatpak we need to run them without the sandbox (as it contains a sandbox itself...). Could we have something like flatpak_installation_launch_full() that takes some bitfields, one of which being _NO_SANDBOX or something? I guess this needs setting up the namespace but not the various sandbox bits, if that's even possible.

@alexlarsson
Member

Chrome runs in a sandbox by shipping a setuid binary (chrome-sandbox). We can't allow setuid binaries to work in the sandbox, because that is one of the fundamental things that makes it possible to use namespaces in a secure way.

@hughsie
Collaborator
hughsie commented Jan 12, 2017

So what do we tell Google? Turn off the sandboxing support in their flatpak build of chrome? I can't see that being popular.

@alexlarsson
Member

Yeah. I unfortunately don't see what other option we have.

@nhlfr
Contributor
nhlfr commented Jan 16, 2017

We could try to give an option for providing capabilities in bubblewrap - like systemd-nspawn, Docker, rkt etc. are doing. From what I understand, Chrome will need CAP_SYS_ADMIN and CAP_SYS_CHROOT. However, that's insecure, so if we aren't going to give that option even at flatpak app maintainers' risk, I totally understand.

If we aren't going to support adding more caps, then yes, Chrome would need to provide a possibility to turn off sandboxing without showing warnings to the user.

@alexlarsson
Member

There is a difference: docker/rkt/nspawn require you to be root to run them. Flatpak doesn't, so it would be a root privilege escalation if we did.
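The mechanism behind the two replies from alexlarsson above is the Linux no_new_privs flag: once a process sets it, execve() ignores set-user-ID bits and file capabilities for that process and every descendant, which is what lets an unprivileged user create user namespaces without turning a setuid helper such as chrome-sandbox into a route to root. The program below is an added illustration, not code from this issue or from flatpak or bubblewrap. It assumes a Linux host with /proc mounted and a writable /tmp; the function names and the temporary marker file are constructed for the demo.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/stat.h>

/* Read the NoNewPrivs flag of the calling process from /proc/self/status.
 * Returns 1 or 0, or -1 if the field cannot be read (e.g. no /proc). */
int read_no_new_privs(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int value = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "NoNewPrivs:", 11) == 0) {
            value = atoi(line + 11);   /* atoi skips the tab after the colon */
            break;
        }
    }
    fclose(f);
    return value;
}

/* Irreversibly set no_new_privs for this process and its descendants.
 * After this, execve() of a setuid binary runs it with the caller's own
 * credentials instead of the file owner's. Returns 0 on success. */
int enter_no_new_privs(void) {
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
}

/* Report whether a file carries the set-user-ID bit: 1, 0, or -1 on error.
 * A launcher can use this to warn that a helper will not elevate inside
 * the sandbox rather than letting it fail at runtime. */
int has_setuid_bit(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & S_ISUID) ? 1 : 0;
}

/* Create a constructed marker file owned by us with the setuid bit set, so
 * the check above has something to look at without a real privileged helper.
 * Writes the path into path_buf (at least 64 bytes). Returns 0 on success. */
int make_setuid_marker(char *path_buf) {
    strcpy(path_buf, "/tmp/setuid-demo-XXXXXX");
    int fd = mkstemp(path_buf);
    if (fd < 0)
        return -1;
    /* The owner may set S_ISUID on their own file without privilege. */
    int rc = fchmod(fd, S_ISUID | S_IRWXU);
    close(fd);
    return rc;
}

int main(void) {
    char marker[64];
    printf("NoNewPrivs before: %d\n", read_no_new_privs());
    if (enter_no_new_privs() != 0) {
        perror("prctl(PR_SET_NO_NEW_PRIVS)");
        return 1;
    }
    printf("NoNewPrivs after:  %d\n", read_no_new_privs());
    if (make_setuid_marker(marker) == 0) {
        printf("%s has setuid bit: %d (ignored under no_new_privs)\n",
               marker, has_setuid_bit(marker));
        unlink(marker);
    }
    return 0;
}
```

Setting the flag is a one-way door for the whole process tree, which is exactly the property a sandbox wants and exactly why a setuid chrome-sandbox can do nothing useful once it is inside one; a sandboxed launcher that wants to fail early can combine `has_setuid_bit()` on the helper with `read_no_new_privs()` to explain the situation to the user instead of surfacing a confusing warning from the application.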
