Sandboxing

Joe Smith justman111111 at gmail.com
Mon Aug 6 09:00:52 UTC 2018


Got it, thanks!

On Mon, Aug 6, 2018 at 6:23 PM Muayyad AlSadi <alsadi at gmail.com> wrote:

>
> > Limiting which applications can have access to which directories
>
> yes, here is a screenshot where I limited application access to only
> ~/Documents
>
> https://twitter.com/muayyadalsadi/status/870986338111299584
>
>
> > When I install an application through flatpak, does it automatically get
> > sandboxed?
>
> yes, but the default/automatic is controlled by app manifest, but we need
> a UI to show those and allow user to decline some based on user choice, not
> app author choice
>
> > Does Sandboxing applications slow it down, if so by how much?
> >> In theory there is some slowdown as there are additional kernel-side
> >> checks, but it's basically negligible.
>
> yes, the overhead of sandboxing itself is negligible
> there is an overhead of missing the system-wide cache (using different
> libgtk.so other than the one that is already loaded)
> Flatpak tries to reuse many of those like font caching.
>
>
>
>
> On Mon, Aug 6, 2018 at 11:16 AM Alexander Larsson <alexl at redhat.com>
> wrote:
>
>> On Wed, Jul 11, 2018 at 4:00 PM, Joe Smith <justman111111 at gmail.com>
>> wrote:
>>
>>> To whom it may concern,
>>>
>>> I wanted to enquire a few security questions. Can flatpak sandboxing do
>>> the following:
>>>
>>>    - Prevent apps from having access to the user name
>>>
>>>
>> No, the user name is visible to all apps.
>>
>>
>>>
>>>    - Taking screenshots without the consent of the user
>>>
>>>
>> This works only if the user is using Wayland, not X11.
>>
>>
>>>
>>>    - Having Internet access
>>>
>>>
>> Yes, sandboxes can either have no, or full network access.
>>
>>
>>>
>>>    - Limiting which applications can have access to which directories
>>>
>>>
>> Yes.
>>
>>
>>> I have further questions about flatpak which are:
>>>
>>>    - When I install an application through flatpak, does it
>>>    automatically get sandboxed?
>>>
>>>
>> All apps are sandboxed to some degree, but the details differ from app to
>> app. The application requests a list of permissions during install, and once
>> installed those are granted by default. The user can choose to override
>> these, but generally that means the app is likely to not work (because it
>> needed that permission).
>>
>>
>>>
>>>    - Does Sandboxing applications slow it down, if so by how much?
>>>
>>>
>> In theory there is some slowdown as there are additional kernel-side
>> checks, but it's basically negligible.
>>
>>
>>>
>>>    - If I have installed an application NOT from flatpak, then is it
>>>    still possible to sandbox that application through flatpak?
>>>
>> No.
>>
>>
>>>
>>>    - What is *flathub*?
>>>
>>>
>> Flathub is a central location for many apps packaged as flatpaks.
>>
>> _______________________________________________
>> Flatpak mailing list
>> Flatpak at lists.freedesktop.org
>> https://lists.freedesktop.org/mailman/listinfo/flatpak
>>
>
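
The thread above says an app's default permissions come from its manifest and that the user can override them. As an added example (not part of the original messages and not Flatpak project code), this Python sketch reads the `[Context]` group of an app's metadata, flags the three permissions the thread discusses (network, the X11 socket, broad directory access) and builds matching `flatpak override` arguments. The application ID `org.example.Editor` and the sample metadata are constructed.

```python
import configparser

# Constructed sample of what `flatpak info --show-metadata <app-id>` prints;
# org.example.Editor is a made-up application ID.
SAMPLE_METADATA = """\
[Application]
name=org.example.Editor
runtime=org.gnome.Platform/x86_64/3.28

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
filesystems=home;xdg-download:ro;
"""

BROAD_FILESYSTEMS = {"host", "home"}


def _items(section, key):
    """Split a ';'-separated keyfile list into its non-empty entries."""
    return [v for v in section.get(key, "").split(";") if v]


def audit(metadata_text):
    """Return (findings, override_args) for one app's metadata."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keyfile keys are case-sensitive
    parser.read_string(metadata_text)
    ctx = parser["Context"] if parser.has_section("Context") else {}
    findings, args = [], []
    if "network" in _items(ctx, "shared"):
        findings.append("network: full access (it is all or nothing)")
        args.append("--unshare=network")
    if "x11" in _items(ctx, "sockets"):
        findings.append("x11 socket: screenshots are not blocked on X11")
        args.append("--nosocket=x11")
    for fs in _items(ctx, "filesystems"):
        name = fs.split(":", 1)[0]  # drop a ':ro' / ':rw' suffix
        if name in BROAD_FILESYSTEMS:
            findings.append(f"filesystem '{fs}': broad directory access")
            args.append(f"--nofilesystem={name}")
    return findings, args


def override_command(app_id, args):
    """Build the per-user override command line (not executed here)."""
    return " ".join(["flatpak", "override", "--user", *args, app_id])
```

As noted in the thread, an app may stop working once a permission it requested is removed, so apply the overrides one at a time and test the app after each.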

