reading /etc/crypto-policies from host
Alexander Larsson
alexl at redhat.com
Tue Dec 22 15:34:21 UTC 2020
On Tue, 2020-11-24 at 23:41 -0500, smitna at gmail.com wrote:
> Fedora 33 ships with tooling that enables central control of policy
> for various crypto libs:
>
> * https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2
> * crypto-policies(7)
>
> It writes configuration for supported crypto libs (openssl, gnutls,
> etc.) in /etc, and I'd like my installed flatpaks to honor that
> configuration but this seems impossible. For example, a filesystem
> override is not effective; quoting flatpak-metadata(5):
>
> host-etc
> The host operating system's configuration from /etc.
>
> To avoid conflicting with the Flatpak runtime, this is mounted
> in the sandbox at /run/host/etc.
>
> Is there a feature available in flatpak to address this? The option
> "--add-policy=SUBSYSTEM.KEY=VALUE" from flatpak-run(1) might be
> relevant here but I'm not certain.
In general it is hard to expose host files, because they are typically
in a non-standard distro-specific form. For example, host
ca-certificates look very different from one distro to another.
So, unless the files are in a widely standardized form we can't just
expose them as is.
The specific case of host certificates *is* actually handled by
flatpak, by forwarding a p11-kit-server socket into the sandbox that
crypto libs in the sandbox are configured to talk to. Maybe it is
possible to expose the crypto policies this way too? I admit I'm not
very familiar with the details here.