--share=network permission
Alexander Larsson
alexl at redhat.com
Tue Sep 10 06:37:02 UTC 2019
On Mon, Sep 9, 2019 at 9:27 PM Winnie Poon <winniepoon_home at hotmail.com> wrote:
>
> Hi,
>
> just want to follow up on this again. Is using firewall with flatpak a suggested approach to limit the network permission? Or maybe it's too difficult to achieve useful outcome? Just wanna get the 2 cents from the experts before digging further

In general, flatpak is (by design) limited in what it can do based on
what features the kernel exposes to non-privileged (i.e. not running
as root) applications. I.e. "flatpak run foo" runs completely without
permissions, purely applying self-limiting. There are certain
sandboxing/limit features that the kernel has that can only be applied
by root, but we can't use those, and networking setup (such as
firewalls) is generally like this.

So, yes, currently external options like firewalls are the only way to
achieve anything other than full network or no network access.

Long term this may change. For instance, there is some upstream work
going on to allow unprivileged network filters on cgroups, which we
could use, and there is the slirp hack. However, don't expect this to
be there soon.