Release planning for 1.6

Alexander Larsson alexl at redhat.com
Fri Oct 4 07:05:16 UTC 2019


On Fri, Oct 4, 2019 at 2:59 AM Winnie Poon <winniepoon_home at hotmail.com> wrote:
>
> > Does anyone have any other features they really need in 1.6? I'd like
> > to not add any more large features for it, but there is still a lot of
> > time for smaller changes to get in.
>
> I guess port-specific network permission and device-specific mass storage permission (--device=usbdevice) wouldn't be considered small changes?

It is not possible to split up /dev in this way because the usb
device nodes are highly dynamic (i.e. are created when needed) and we
can only set up the mounts when we create the filesystem namespace. It
works for drm because all drm nodes are in a subdirectory so we can
just mount in the entire subdirectory, but that solution can't be used
for most device types.

Also, once you have access to raw usb devices you're already pretty
non-sandboxed, so I'm not sure what the point is of splitting
permissions up further. It will only make the app permissions ui more
complex (listing all sort of technical details) while being less
reliable (you think that usb access means "usb camera", but actually
all sorts of things are available on the usb bus that the app can use
to break out of the sandbox in clever ways).

Rather than adding more static permissions we should focus on making
portals cover more usecases. Portals are the right way forward for
good sandboxing.

As for networking, there are limitations to what is possible with
unprivileged sandboxing. Most network filtering is global state (like
firewalls, etc) which you need to be root to modify. It's also very
easy for things to go wrong when modifying such state as there are
other things modifying the state too, often thinking they are in 100%
control of it (like firewall setup tools).

There *is* a way to get unprivileged network filtering, namely
userspace filtering with slirp4netns [1]. However, this needs new
dependencies and is going to be a piece of work. I don't think this
will happen for 1.6 unless someone magically shows up to do the work.

[1] https://github.com/rootless-containers/slirp4netns


-- 
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
 Alexander Larsson                                Red Hat, Inc
       alexl at redhat.com         alexander.larsson at gmail.com