permission override - does it defeat the purpose of sandboxing?

Winnie Poon winniepoon_home at hotmail.com
Mon Mar 2 10:55:05 UTC 2020


Hi all,

Does anyone have any insight on this? 🙂

Thanks,
Winnie

________________________________
From: Winnie Poon <winniepoon_home at hotmail.com>
Sent: February 28, 2020 12:33 PM
To: flatpak <flatpak at lists.freedesktop.org>
Subject: permission override - does it defeat the purpose of sandboxing?

Hi all,

I must be missing something, so please help to clear my confusion.

What's the point of packaging an app as a flatpak app with restricted permissions, when users can easily open up any permissions by doing:

flatpak run --filesystem=host  ....

or use override to permanently override an app's permissions.

So we package an app in a nice bubble wrap, give it to the user, and the user can remove the whole bubble wrap? Or can the user?

For snap, it seems like they have something called a "developer mode". Does flatpak have something like that, so a "regular" user cannot easily override the permissions?

--------------------------
Developer mode
Sometimes it is helpful when developing a snap to not have to worry about the security sandbox in order to
focus on developing the snap. To support this, snappy allows installing the snap in developer mode
which puts the security policy in complain mode (where violations against security policy are logged,
but permitted).
For example: sudo snap install --devmode <snap>

-------------------------------------------

Thanks for your time again!

Regards,
Winnie
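
The permanent overrides mentioned in the message are stored by flatpak as keyfiles, per user under ~/.local/share/flatpak/overrides/ and system-wide under /var/lib/flatpak/overrides/, so an administrator can audit them. The following is an added example, not part of the original message or of the Flatpak project; the function name, the sample file contents and the list of grants treated as "widening" are assumptions made for illustration.

```python
import configparser

# Assumed policy for this example: grants treated as sandbox-widening.
BROAD = {
    "filesystems": {"host", "host-os", "host-etc", "home"},
    "devices": {"all"},
    "sockets": {"x11", "session-bus", "system-bus"},
}

# Constructed sample of an override keyfile, as written by `flatpak override`.
SAMPLE = """\
[Context]
filesystems=host;!xdg-download;~/Projects:ro;
sockets=!x11;
devices=all;
"""

def audit_override(text):
    """Return sorted (key, value) grants in [Context] that widen the sandbox."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(text)
    findings = []
    if not cp.has_section("Context"):
        return findings
    for key, raw in cp.items("Context"):
        # Values are ';'-separated lists; skip the empty trailing element.
        for item in filter(None, (v.strip() for v in raw.split(";"))):
            if item.startswith("!"):
                continue  # "!" revokes a permission, so it tightens the sandbox
            base = item.split(":", 1)[0]  # drop a :ro / :rw / :create suffix
            if base in BROAD.get(key, ()):
                findings.append((key, item))
    return sorted(findings)

if __name__ == "__main__":
    for key, item in audit_override(SAMPLE):
        print(f"widening grant: {key}={item}")
```

Each file in an overrides directory is named after the application ID it applies to, so running this over every file there shows which apps have had their packaged permissions widened.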