Question about FUSE inside the flatpak sandbox
Alexander Larsson
alexl at redhat.com
Mon Apr 26 08:12:33 UTC 2021
On Sat, Apr 24 2021 at 16:19:12 -0400, Michael Terry <mike at mterry.name>
wrote:
> I am curious about the possibility of creating a FUSE mount inside my
> flatpak app (specifically, running "rclone mount").
>
> I don't *think* it's possible to do this, but just wanted to confirm
> my understanding before moving on to other strategies.
>
> Things needed for this to work (at least):
> - Access to /dev/fuse: possible with --device=all
> - Kernel permission to call mount(): normally done with a suid
> fusermount program, which is not allowed inside a flatpak
>
> My brief understanding is that nowadays there is kernel support for
> using FUSE with user namespaces, with an eye to letting FUSE work
> inside unprivileged containers. So _maybe_ it's possible to not need
> a suid fusermount, but I'm not super familiar with these subsystems.
> I tried throwing a non-suid fusermount into my flatpak, and I do
> unsurprisingly get "operation not permitted" errors when it calls
> mount().
>
> Is there a way to make this work? Thanks in advance for any answers.
It is not possible to do this because the app has no mount
capabilities or sub-user-namespace permissions in the sandbox. The
security boundary of the app/host interface depends on this in several
ways, so we can't add this feature either.
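
An added example, not part of the original thread or of Flatpak's code: a small diagnostic that decodes the capability masks in /proc/self/status to show why mount() returns "operation not permitted" and why a suid fusermount cannot restore the permission. It covers only the capability half of the answer above, not the sub-user-namespace restriction; the sample status text is constructed, and the function names are hypothetical.

```python
# Bit number from linux/capability.h; mount(2) requires this capability.
CAP_SYS_ADMIN = 21

# Constructed sample (not captured output): Cap* lines of /proc/<pid>/status
# for a process with every capability dropped and no_new_privs set.
SAMPLE_STATUS = (
    "Name:\tsh\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\n"
    "CapBnd:\t0000000000000000\n"
    "CapAmb:\t0000000000000000\n"
    "NoNewPrivs:\t1\n"
)

def parse_status(text):
    """Return the Cap* masks and NoNewPrivs flag from a status dump as ints."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key.startswith("Cap"):
            fields[key] = int(value.strip(), 16)   # masks are hex
        elif key == "NoNewPrivs":
            fields[key] = int(value.strip())
    return fields

def has_cap(mask, cap):
    return bool((mask >> cap) & 1)

def can_mount(fields):
    """True if the process holds CAP_SYS_ADMIN in its effective set."""
    return has_cap(fields.get("CapEff", 0), CAP_SYS_ADMIN)

def can_regain_mount(fields):
    """True if exec of a suid-root helper could still yield CAP_SYS_ADMIN:
    no_new_privs must be off and the bounding set must contain the bit."""
    return (fields.get("NoNewPrivs", 0) == 0
            and has_cap(fields.get("CapBnd", 0), CAP_SYS_ADMIN))

if __name__ == "__main__":
    with open("/proc/self/status") as f:   # run inside the sandbox to inspect it
        live = parse_status(f.read())
    print("mount() permitted:", can_mount(live))
    print("suid helper could regain it:", can_regain_mount(live))
```
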