Sandbox rw mounts: newbie question

Andrey butirsky at gmail.com
Mon Nov 12 13:25:05 UTC 2018


Thanks Alexander, it's much clearer to me now.
Hope malicious software wouldn't get use of that rw /etc access :)

On November 12, 2018 12:41:27 PM GMT+03:00, Alexander Larsson <alexl at redhat.com> wrote:
>On Sun, Nov 11, 2018 at 2:20 AM Andrey Butirsky <butirsky at gmail.com>
>wrote:
>>
>> Hello,
>> from Flatpak wiki https://github.com/flatpak/flatpak/wiki/Sandbox:
>> in the sandbox, "all mounts are read-only, except" a few.
>>
>> But I see a lot of rw mounts in my apps sandboxes. Moreover, they
>seem
>> shared between the apps, so apparently one app can write to
>> /etc/profile.d/ and break things for others.
>>

>> /dev/sdb1 on /etc/geoclue type ext4
>(rw,nosuid,nodev,relatime,data=ordered)
>> /dev/sdb1 on /etc/issue type ext4
>(rw,nosuid,nodev,relatime,data=ordered)
>..
>> /dev/sdb1 on /etc/nsswitch.conf type ext4
>
>These however, are actually a problem as you say. They are supposed to
>be bind-mounts of /usr/etc (which is in the runtime) into /etc, so
>that we can get the right paths. These are supposed to be read-only,
>like the runtime (/usr) is. I'm pretty sure at some point they were,
>but we must have regressed on this. Typically (i.e. for system
>installs) they are not modifiable by the user, but for per-user
>installs this is actually a problem.
>
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


More information about the Flatpak mailing list