Security repercussions of allowing ~/.local/share/flatpak

Phaedrus Leeds mwleeds at protonmail.com
Wed Mar 9 19:57:48 UTC 2022


Read-write access to the flatpak installation directory means you can override the permissions granted to yourself (in this case org.freedesktop.appstream-glib) or any other app, or corrupt the Flatpaks any other way you please. But if you only need to do validation, don't you only need read-only access? So you can do `--filesystem=~/.local/share/flatpak:ro`?

--

Phaedrus Leeds

------- Original Message -------

On Tuesday, March 8th, 2022 at 2:47 AM, TheEvilSkeleton <theevilskeleton at riseup.net> wrote:

> Hello,
>
> I have recently opened a merge request (MR) in the appstream-glib repository to allow read-write access to ~/.local/share/flatpak, where all Flatpak applications are installed as a user. This is because I wanted to check whether an application had a valid appstream file after install.
>
> The reason for submitting this MR, as pointed out in the MR, is that I couldn't run appstream-glib in said directory because filesystem=host excludes the install directory, so I went ahead and explicitly added this directory so I can run this application inside that directory. However, the maintainer of the application, hughsie, is unsure about this MR and would like to know about the security repercussions of allowing this directory explicitly. In my opinion, for an application like appstream-glib, there shouldn't be much of an issue, but I'll see what the members have to say.
>
> Thanks,
> TheEvilSkeleton

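
The check the reply is asking for, written out as an added example that is not code from this thread, from appstream-glib or from Flatpak: a small auditor over a manifest's finish-args that reports every --filesystem grant overlapping ~/.local/share/flatpak, flags the ones that allow writing, and rewrites those to the :ro form suggested above. The parsing rules it relies on are assumptions about Flatpak's --filesystem syntax (no suffix means read-write; the suffixes are :ro, :rw and :create; xdg-data/X means ~/.local/share/X; host, home and the xdg-* tokens never expose the install directory, which the thread states only for host), and the placeholder home directory is fixed so the result is deterministic.

```python
"""Audit Flatpak finish-args for access to the user Flatpak install directory.

Added example for this thread; it is not code from appstream-glib or Flatpak.
Assumptions (not stated in the thread): --filesystem=PATH defaults to read-write,
the suffixes are :ro, :rw and :create, xdg-data/X means ~/.local/share/X, and the
special tokens host, home and xdg-* never expose the install directory (the
thread states this for host only).
"""
import posixpath

USER_INSTALL_DIR = "~/.local/share/flatpak"   # path named in the thread
HOME = "/home/user"                           # fixed placeholder home (assumption)
SPECIAL_TOKENS = {"host", "host-os", "host-etc", "home"}
MODE_SUFFIXES = ("ro", "rw", "create")
WRITE_MODES = ("rw", "create")


def parse_filesystem_arg(arg):
    """Split a --filesystem/--nofilesystem arg into (spec, mode, negated), else None."""
    if arg.startswith("--filesystem="):
        spec, negated = arg[len("--filesystem="):], False
    elif arg.startswith("--nofilesystem="):
        spec, negated = arg[len("--nofilesystem="):], True
    else:
        return None
    mode = "rw"                               # default when no suffix (assumption)
    head, sep, tail = spec.rpartition(":")
    if sep and tail in MODE_SUFFIXES:
        spec, mode = head, tail
    return spec, mode, negated


def normalize(spec):
    """Map a filesystem spec to a comparable absolute path, or None for special tokens."""
    if spec == "xdg-data" or spec.startswith("xdg-data/"):
        spec = "~/.local/share" + spec[len("xdg-data"):]
    elif spec in SPECIAL_TOKENS or spec.startswith("xdg-"):
        return None                           # treated as never covering the install dir
    if spec == "~" or spec.startswith("~/"):
        spec = HOME + spec[1:]
    return posixpath.normpath(spec)


def overlaps(path, target):
    """True if a grant on `path` reaches `target`: same dir, an ancestor, or a subdir of it."""
    def inside(inner, outer):
        return inner == outer or inner.startswith(outer.rstrip("/") + "/")
    return inside(target, path) or inside(path, target)


def audit_finish_args(finish_args):
    """Return [(arg, mode)] for grants that reach the user install dir, in effect order.

    A later --nofilesystem on the same spec revokes an earlier grant; a later
    --filesystem on the same spec replaces its mode.
    """
    target = normalize(USER_INSTALL_DIR)
    effective = {}                            # normalized path -> (arg, mode)
    for arg in finish_args:
        parsed = parse_filesystem_arg(arg)
        if parsed is None:
            continue
        spec, mode, negated = parsed
        path = normalize(spec)
        if path is None or not overlaps(path, target):
            continue
        if negated:
            effective.pop(path, None)
        else:
            effective[path] = (arg, mode)
    return list(effective.values())


def writable_grants(finish_args):
    """Subset of audit_finish_args() whose mode allows writing into the install dir."""
    return [(arg, mode) for arg, mode in audit_finish_args(finish_args)
            if mode in WRITE_MODES]


def harden(finish_args):
    """Downgrade every write grant reaching the install dir to :ro, as the reply suggests."""
    flagged = {arg for arg, _ in writable_grants(finish_args)}
    out = []
    for arg in finish_args:
        if arg in flagged:
            spec, _, _ = parse_filesystem_arg(arg)
            arg = "--filesystem=" + spec + ":ro"
        out.append(arg)
    return out


# Constructed sample finish-args, modelled on the MR described in the thread.
SAMPLE_FINISH_ARGS = [
    "--share=network",
    "--filesystem=host",                      # excludes the install dir, per the thread
    "--filesystem=~/.local/share/flatpak",    # the explicit grant the MR adds (read-write)
]

if __name__ == "__main__":
    for arg, mode in writable_grants(SAMPLE_FINISH_ARGS):
        print(f"write access to {USER_INSTALL_DIR} via {arg} (mode {mode})")
    print("hardened:", harden(SAMPLE_FINISH_ARGS))
```

Run it on a manifest's finish-args list: an empty result from writable_grants means validation-only access is all the app gets, which is the situation the reply argues is sufficient; anything else is a grant that lets the app rewrite its own or another app's permissions.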
