Sandbox rw mounts: newbie question

Alexander Larsson alexl at redhat.com
Mon Nov 12 10:45:50 UTC 2018


On Mon, Nov 12, 2018 at 10:41 AM Alexander Larsson <alexl at redhat.com> wrote:
>
> On Sun, Nov 11, 2018 at 2:20 AM Andrey Butirsky <butirsky at gmail.com> wrote:
> >
> > Hello,
> > from Flatpak wiki https://github.com/flatpak/flatpak/wiki/Sandbox:
> > in the sandbox, "all mounts are read-only, except" a few.
> >
> > But I see a lot of rw mounts in my apps sandboxes. Moreover, they seem
> > shared between the apps, so apparently one app can write to
> > /etc/profile.d/ and break things for others.
> >
> > Please, help to understand:
> >

> > /dev/sdb1 on /etc/geoclue type ext4 (rw,nosuid,nodev,relatime,data=ordered)
> > /dev/sdb1 on /etc/issue type ext4 (rw,nosuid,nodev,relatime,data=ordered)
> ..
> > /dev/sdb1 on /etc/nsswitch.conf type ext4
>
> These however, are actually a problem as you say. They are supposed to
> be bind-mounts of /usr/etc (which is in the runtime) into /etc, so
> that we can get the right paths. These are supposed to be read-only,
> like the runtime (/usr) is. I'm pretty sure at some point they were,
> but we must have regressed on this. Typically (i.e. for system
> installs) they are not modifiable by the user, but for per-user
> installs this is actually a problem.

Fixes for this here:

  https://github.com/flatpak/flatpak/pull/2305


More information about the Flatpak mailing list