--share=network permission
Winnie Poon
winniepoon_home at hotmail.com
Thu Sep 5 17:25:39 UTC 2019
Thanks Alex. Can I possibly use iptables inside the sandbox to further limit the access? Like, can I install iptables inside the sandbox and go from there? Or does the firewall approach have to be outside the sandbox?
________________________________
From: Alexander Larsson <alexl at redhat.com>
Sent: September 4, 2019 1:45 AM
To: Winnie Poon <winniepoon_home at hotmail.com>
Cc: flatpak <flatpak at lists.freedesktop.org>
Subject: Re: --share=network permission
On Tue, Sep 3, 2019 at 9:28 PM Winnie Poon <winniepoon_home at hotmail.com> wrote:
>
> Hi,
>
> I'm working on running our product in the flatpak sandbox environment, and we had to punch a few holes, one being "--share=network" for it to work.
>
> Wanna see how others do it. It seems like this network hole is a big hole to punch. By relaxing this permission, would it defeat the purpose of a sandbox environment? Is there a better way than this blanket access?
I think a majority of apps these days use some form of network access.
It's definitely not something that e.g. Android or iPhone warn you
about when installing an app. So, I think in general this is fine.
However, it would be nice if we had a way to grant less than "full"
network access. For example a NATed/firewalled mode where incoming
accesses would be disallowed. However, at this point that is
technically hard to do as an unprivileged user with the current kernel
APIs.
--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Alexander Larsson Red Hat, Inc
alexl at redhat.com alexander.larsson at gmail.com