New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Bug]: Can't access /usr
with permission
#5575
Comments
Maybe |
Unbfortunally not.
|
This is not possible. As the error message says, |
|
The security advantage would be the Principle of Least Privilege. In other words, why punch a bigger hole in the sandbox than is necessary? For example, in my project we are looking at various methods of getting flatpaks to work with hardened_malloc. We have them running with hardened_malloc, using the steps documented here: secureblue/secureblue#67 (comment) In short, we can directly reference
The only downside is that this requires
Which gives all flatpaks readonly access to all of /usr. It would be good if instead, we could do:
Or something to that effect. Something more specific and/or less of a hack. |
What integrity, confidentiality or availability property are you aiming to provide by limiting the sandbox's access to a /usr directory to which it does not have write access anyway? The closest thing I can see is that you could argue that access that being able to know what software is installed on the host system can be used for fingerprinting (which is a minor attack on confidentiality); but there are many, many other ways to identify a host system (machine ID, network interfaces' MAC addresses, IPv4/IPv6 address, hostname, list of available fonts).
As I said on #5617, taking arbitrary code from the host OS distribution and injecting it into processes running inside the Flatpak sandbox is not something Flatpak aims to support, because library code from the host OS can legitimately have dependencies on host OS libraries that are not available (too old, or don't exist at all) inside the sandbox. A large part of the point of Flatpak is that the app runs in an environment that is independent of the host OS, so that as much as possible, if it works on its maintainer's machine, it will work everywhere. If you want to replace the malloc() used by Flatpak apps, the way to achieve that is to talk to the maintainers of the runtime that provides glibc (in practice that means the freedesktop.org SDK, which is the basis for the other widely-used runtimes like GNOME and KDE) about either applying the replacement malloc() to everything, or providing an extension point by which a replacement malloc() can be hooked into it as a Flatpak extension. A Flatpak extension is a special mini-runtime which acts like a plugin for a larger runtime or app: for example, the Mesa and Nvidia OpenGL/Vulkan drivers are extensions. |
@smcv greatly appreciate your input on this, that makes complete sense. I'll pursue a thread with freedesktop requesting the extension functionality you mentioned. Thanks again for pointing me in the right direction. |
Checklist
Flatpak version
1.15.4
What Linux distribution are you using?
Manjaro Linux
Linux distribution version
latest
What architecture are you using?
x86_64
How to reproduce
Give a Flatpak the
filesystem=host:ro
permission. now you can access the/usr
directory f the Host as/run/host/usr
inside the Flatpak.Now remove the
filesystem=host:ro
permission and add thefilesystem=/usr/share/applications:ro
instead.Expected Behavior
You should be able to access
/usr/share/applications
from the host inside the Flatpak as/run/host/usr/share/applications
.Actual Behavior
When starting the Flatpak you get an
F: Not sharing "/usr/share/applications" with sandbox: Path "/usr" is reserved by Flatpak
error and can't access the directory.Additional Information
No response
The text was updated successfully, but these errors were encountered: