Sandboxing

Muayyad AlSadi alsadi at gmail.com
Mon Aug 6 08:23:29 UTC 2018


> Limiting which applications can have access to which directories

Yes, here is a screenshot where I limited application access to only
~/Documents:

https://twitter.com/muayyadalsadi/status/870986338111299584


> When I install an application through flatpak, does it automatically get
> sandboxed?

Yes, but the defaults are controlled by the app manifest; we need a
UI to show those and allow the user to decline some of them based on the
user's choice, not the app author's choice.

> Does Sandboxing applications slow it down, if so by how much?
>> In theory there is some slowdown as there are additional kernel-side
>> checks, but it's basically negligible.

Yes, the overhead of sandboxing itself is negligible.
There is an overhead from missing the system-wide cache (using a different
libgtk.so from the one that is already loaded).
Flatpak tries to reuse many of those, like the font cache.




On Mon, Aug 6, 2018 at 11:16 AM Alexander Larsson <alexl at redhat.com> wrote:

> On Wed, Jul 11, 2018 at 4:00 PM, Joe Smith <justman111111 at gmail.com>
> wrote:
>
>> To whom it may concern,
>>
>> I wanted to enquire about a few security questions. Can flatpak sandboxing do
>> the following:
>>
>>    - Prevent apps from having access to the user name
>>
>>
> No, the user name is visible to all apps.
>
>
>>
>>    - Taking screenshots without the consent of the user
>>
>>
> This works only if the user is using Wayland, not X11.
>
>
>>
>>    - Having Internet access
>>
>>
> Yes, sandboxes can either have no, or full network access.
>
>
>>
>>    - Limiting which applications can have access to which directories
>>
>>
> Yes.
>
>
>> I have further questions about flatpak which are:
>>
>>    - When I install an application through flatpak, does it
>>    automatically get sandboxed?
>>
>>
> All apps are sandboxed to some degree, but the details differ from app to
> app. The application requests a list of permission during install, and once
> installed those are granted by default. The user can choose to override
> these, but generally that means the app is likely to not work (because it
> needed that permission).
>
>
>>
>>    - Does Sandboxing applications slow it down, if so by how much?
>>
>>
> In theory there is some slowdown as there are additional kernel-side
> checks, but it's basically negligible.
>
>
>>
>>    - If I have installed an application NOT from flatpak, then is it
>>    still possible to sandbox that application through flatpak?
>>
> No.
>
>
>>
>>    - What is *flathub*?
>>
>>
> Flathub is a central location for many apps packaged as flatpaks.
>
> _______________________________________________
> Flatpak mailing list
> Flatpak at lists.freedesktop.org
> https://lists.freedesktop.org/mailman/listinfo/flatpak
>
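
As an added example for this thread (it is not Flatpak's own code, nor
anything the posters wrote), the permission model Alexander describes, an
app manifest that requests a list of permissions which the user may then
override, can be audited from the manifest itself. The script below reads the
"finish-args" list of a flatpak-builder manifest (JSON form), flags the
permissions that punch the widest holes in the sandbox (full network, the X11
socket that defeats the screenshot and keystroke isolation Wayland gives,
home or host filesystem access, unfiltered D-Bus), and drafts the
`flatpak override --user` commands that revoke them while re-granting a
narrow directory, the ~/Documents-only setup from the screenshot above. The
manifest contents and the app id org.example.Editor are constructed for the
example; the override flags (--unshare, --nosocket, --nofilesystem,
--nodevice, --filesystem) are the real `flatpak override` options.

```python
"""Audit the sandbox permissions an app manifest requests and draft overrides.

Added example for this thread; not Flatpak's own code. Reads "finish-args"
from a flatpak-builder manifest (JSON form) and maps broad permissions to the
"flatpak override" flags that revoke them.
"""
import json

# Constructed sample manifest: the app id and its finish-args are made up.
SAMPLE_MANIFEST = json.dumps({
    "app-id": "org.example.Editor",
    "finish-args": [
        "--share=ipc",
        "--share=network",
        "--socket=x11",
        "--socket=wayland",
        "--filesystem=home",
        "--filesystem=host:ro",
        "--device=dri",
    ],
})

# Broad permissions worth questioning: reason, and the override flag that
# revokes each one (real flatpak override options).
RISKY = {
    "--share=network": ("full network access; Flatpak only offers on/off", "--unshare=network"),
    "--socket=x11": ("X11: any client can read keystrokes and grab the screen", "--nosocket=x11"),
    "--socket=session-bus": ("unfiltered session D-Bus", "--nosocket=session-bus"),
    "--socket=system-bus": ("unfiltered system D-Bus", "--nosocket=system-bus"),
    "--filesystem=host": ("whole host filesystem", "--nofilesystem=host"),
    "--filesystem=home": ("entire home directory", "--nofilesystem=home"),
    "--device=all": ("every device node", "--nodevice=all"),
}


def parse_finish_args(manifest_json):
    """Return (app_id, finish_args) from a JSON manifest string."""
    manifest = json.loads(manifest_json)
    app_id = manifest.get("app-id") or manifest.get("id")
    if not app_id:
        raise ValueError("manifest has no app-id")
    return app_id, list(manifest.get("finish-args", []))


def split_mode(arg):
    """Strip a :ro / :rw / :create suffix from a --filesystem argument.

    Returns (base_arg, mode); mode is None when no suffix is present, so
    "--filesystem=host:ro" becomes ("--filesystem=host", "ro").
    """
    if arg.startswith("--filesystem=") and ":" in arg:
        base, mode = arg.rsplit(":", 1)
        if mode in ("ro", "rw", "create"):
            return base, mode
    return arg, None


def find_risky(finish_args):
    """List (arg, reason, override_flag) for every risky finish-arg, in order."""
    findings = []
    for arg in finish_args:
        base, mode = split_mode(arg)
        if base in RISKY:
            reason, fix = RISKY[base]
            if mode == "ro":
                reason += " (read-only: exfiltration but not tampering)"
            findings.append((arg, reason, fix))
    return findings


def override_commands(app_id, finish_args, allow_filesystems=("xdg-documents",)):
    """Draft 'flatpak override --user' commands that revoke the risky args.

    After a broad --nofilesystem, each entry in allow_filesystems is granted
    back so the app keeps one narrow directory (xdg-documents = ~/Documents).
    """
    revokes = [fix for _, _, fix in find_risky(finish_args)]
    cmds = [f"flatpak override --user {flag} {app_id}" for flag in revokes]
    if any(flag.startswith("--nofilesystem=") for flag in revokes):
        for fs in allow_filesystems:
            cmds.append(f"flatpak override --user --filesystem={fs} {app_id}")
    return cmds


if __name__ == "__main__":
    app, args = parse_finish_args(SAMPLE_MANIFEST)
    print(f"{app} requests {len(args)} finish-args")
    for arg, reason, _ in find_risky(args):
        print(f"  {arg:28} {reason}")
    print("suggested overrides:")
    for cmd in override_commands(app, args):
        print("  " + cmd)
```

For an app that is already installed, `flatpak info --show-permissions APP`
prints the granted permissions and `flatpak override --user --show APP` lists
the overrides in effect, so the drafted commands can be checked against what
the sandbox actually does. Note that, as Alexander says, withdrawing a
permission the app relies on will usually break it rather than degrade it.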