permission override - does it defeat the purpose of sandboxing?

Winnie Poon winniepoon_home at hotmail.com
Wed Mar 4 21:18:41 UTC 2020


> Can you give a real world example where you worry about the users
> ability to weaken the sandbox?

From the perspective of a legitimate user of the system the approach
you mention makes sense: The user can decide to trust a flatpak app
and, at runtime, give it additional privileges to access their system
as in your photos example, or they can choose not to limit it to just the
access that the author requested, or if they really don't trust it she/he
can remove access/devices altogether.

However from the perspective of the application (or rather application developer)
who may not trust the environment in which the app will run this is a problem.
We want to make sure that if a hacker gains access to a system on
which our app is installed, that they cannot run our app with elevated
access/privilege that would give them the opportunity to snoop data or
intercept messages.

To give some more background, we plan to run our flatpak app on a fully
locked down system (almost an embedded system) on which a legitimate
end user has no access to the OS at all. We boot directly into our app
and the only way the end user can interact with the system is through
our app. We will of course take as many precautions as possible to prevent
unauthorized access, but if a hacker does break in we want the sandboxed
flatpak application to provide an extra layer of defense that will prevent
the legitimate user's data and activity from being exposed. However if the
hacker can run our app with elevated access this protection is lost.

Regards,
Winnie
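The scenario above turns on a simple fact: an attacker who can write a Flatpak override keyfile can grant the app more than its manifest asked for. The following is an added example, not code from this thread or from the Flatpak project. It parses an app's metadata keyfile (the `[Context]` group Flatpak installs alongside the app) and one or more override keyfiles (the same keyfile shape, as written by `flatpak override`, where a `!` prefix revokes an entry) and reports every grant that is broader than what the app declared. The app id, the manifest contents and the override contents are constructed for the example, and the entry-matching rules (path part before `:`, `:ro` versus default read-write) are a simplification of Flatpak's own matching.

```python
"""Report Flatpak overrides that widen an app's declared sandbox.

Added example, not from the mailing-list thread or the Flatpak project.
Flatpak records an app's requested permissions in the [Context] group of
its metadata keyfile and lets overrides (per-app or "global", in the system
or per-user overrides directory) add or revoke entries using the same
syntax, where "!entry" revokes. This compares the two and flags widening.
"""
import configparser
from typing import Dict, Iterable, List, Set

# [Context] keys whose values are semicolon-separated lists.
CONTEXT_KEYS = ("shared", "sockets", "devices", "features", "filesystems")

# Constructed sample: an app that declared a tight sandbox ...
APP_METADATA = """
[Application]
name=com.example.KioskApp
runtime=org.freedesktop.Platform/x86_64/19.08
command=kiosk-app

[Context]
shared=ipc;
sockets=wayland;
filesystems=xdg-documents:ro;xdg-pictures:ro;
"""

# ... and a constructed override (as a user or attacker would leave in
# ~/.local/share/flatpak/overrides/com.example.KioskApp) that widens it:
# network, all devices, the whole home dir, and pictures upgraded to rw.
USER_OVERRIDE = """
[Context]
shared=network;
devices=all;
filesystems=home;xdg-pictures;!xdg-documents;
"""


def _keyfile(text: str) -> configparser.ConfigParser:
    # GKeyFile is close enough to INI for configparser: "=" as the only
    # delimiter (values such as "xdg-documents:ro" contain ":"), and
    # case-sensitive keys.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=("#",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def parse_context(text: str) -> Dict[str, List[str]]:
    """Return {key: [entries in file order]} for the [Context] group."""
    cp = _keyfile(text)
    ctx: Dict[str, List[str]] = {k: [] for k in CONTEXT_KEYS}
    if cp.has_section("Context"):
        for key in CONTEXT_KEYS:
            raw = cp.get("Context", key, fallback="")
            ctx[key] = [v.strip() for v in raw.split(";") if v.strip()]
    return ctx


def _base(entry: str) -> str:
    # "home:ro" and "home" name the same grant; compare on the part before ":".
    return entry.split(":", 1)[0]


def _mode(entry: str) -> str:
    # A filesystem entry without a suffix is read-write in Flatpak.
    return entry.split(":", 1)[1] if ":" in entry else "rw"


def apply_overrides(declared: Dict[str, List[str]],
                    overrides: Iterable[Dict[str, List[str]]]) -> Dict[str, Set[str]]:
    """Effective sandbox: declared entries with overrides applied in order."""
    eff: Dict[str, Set[str]] = {k: set(v) for k, v in declared.items()}
    for ov in overrides:
        for key in CONTEXT_KEYS:
            for entry in ov.get(key, []):
                if entry.startswith("!"):          # revoke matching grant
                    target = _base(entry[1:])
                    eff[key] = {e for e in eff[key] if _base(e) != target}
                else:                              # grant, replacing same base
                    eff[key] = {e for e in eff[key] if _base(e) != _base(entry)}
                    eff[key].add(entry)
    return eff


def widened(declared: Dict[str, List[str]],
            effective: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Grants in the effective sandbox the app never declared, or declared
    only read-only and now has read-write."""
    out: Dict[str, Set[str]] = {}
    for key in CONTEXT_KEYS:
        declared_modes = {_base(e): _mode(e) for e in declared[key]}
        extra = {
            e for e in effective[key]
            if _base(e) not in declared_modes
            or (declared_modes[_base(e)] == "ro" and _mode(e) != "ro")
        }
        if extra:
            out[key] = extra
    return out


def audit(metadata_text: str, override_texts: Iterable[str]) -> Dict[str, Set[str]]:
    declared = parse_context(metadata_text)
    effective = apply_overrides(declared, [parse_context(t) for t in override_texts])
    return widened(declared, effective)


if __name__ == "__main__":
    for key, extra in sorted(audit(APP_METADATA, [USER_OVERRIDE]).items()):
        print(f"override widens {key}: {', '.join(sorted(extra))}")
```

On a real host the inputs would be the installed app's metadata file and the override files from both the system and the per-user overrides directories (global first, then the app-specific file); running this from a trusted context, such as a read-only boot image that checks overrides before launching the app, is one way to notice the widening the message above is concerned about, although it does not stop an attacker who already controls the host from editing the checker itself.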

