flatpak_installation_launch() provides no way to run without a sandbox

[hughsie]

To launch apps like Chrome packaged as a flatpak we need to run them without the sandbox (as it contains a sandbox itself...). Could we have something like flatpak_installation_launch_full() that takes some bitfields, one of which being _NO_SANDBOX or something? I guess this needs setting up the namespace but not the various sandbox bits, if that's even possible.

[alexlarsson]

Chromes runs in a sandbox by shipping a setuid binary (chrome-sandbox). We can't allow setuid binaries to work in sandbox, because that is one of the fundamental things that makes it possible to use namespaces in a secure way.

[hughsie]

So what do we tell Google? Turn off the sandboxing support in their flatpak build of chrome? I can't see that being popular.

[alexlarsson]

Yeah. I unfortunately don't see what other option we have.

[nhlfr]

We could try to give an option for providing capabilities in bubblewrap - like systemd-nspawn, Docker, rkt etc. are doing. From what I understand, Chrome will need CAP_SYS_ADMIN and CAP_SYS_CHROOT. However, that's insecure, so if we aren't going to give that option even at flatpak app maintainers' risk, I totally understand.

If we aren't going to support adding more caps, then yes, Chrome would need to provide a possibility to turn off sandboxing without showing warnings to the user.

[alexlarsson]

There is a difference, docker/rkt/nspawn require you to be root to run them. Flatpak doesn't so, it would be a root privilege escalation if we did.

[matthiasclasen]

don't think there's anything for flatpak to be done here.