<div dir="auto"><div>If a hacker gains elevated permissions, could they not proceed to run...whatever they want as root? If they can gain full root access, all bets are off outside of things like SELinux.</div><div dir="auto"><br></div><div dir="auto">Also maybe I'm misunderstanding, but if the only way to access the system is through your app, then the user would be unable to modify the permissions overrides anyway, no?<br><br><div class="gmail_quote" dir="auto"><div dir="ltr" class="gmail_attr">On Wed, Mar 4, 2020, 3:18 PM Winnie Poon <<a href="mailto:winniepoon_home@hotmail.com">winniepoon_home@hotmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>> Can you give a real world example where you worry about the users<br>
</div>
<div>
<div><font size="2"><span style="font-size:11pt">
<div>> ability to weaken the sandbox?<br>
<br>
<span>From the perspective of a legitimate user of the system the approach <br>
</span></div>
<div><span>you mention makes sense: The user can decide to trust a flatpak app
<br>
</span></div>
<div><span>and, at runtime, give it additional privileges to access to their system
<br>
</span></div>
<div><span>as in your photos example, or they can choose not to limit it to just the
<br>
</span></div>
<div><span>access that the author requested, or if they really don't trust it she/he
<br>
</span></div>
<div><span>can remove access/devices altogether.</span></div>
<div><span><br>
</span></div>
<div><span>However from the perspective of the application (or rather application developer)
<br>
</span></div>
<div><span>who may not trust the environment in which the app will run this is a problem.
<br>
</span></div>
<div><span>We want to make sure that if a hacker gains access to a system on
<br>
</span></div>
<div><span>which our app is installed, that they cannot run our app with elevated
<br>
</span></div>
<div><span>access/privilege that would give them the opportunity to snoop data or
<br>
</span></div>
<div><span>intercept messages.</span></div>
<div><span><br>
</span></div>
<div><span>To give some more background, we plan to run our flatpak app on a fully
<br>
</span></div>
<div><span>locked down system (almost an embedded system) on which a legitimate
<br>
</span></div>
<div><span>end user has no access to the OS at all. We boot directly into our app
<br>
</span></div>
<div><span>and the only way the end user can interact with the system is through
<br>
</span></div>
<div><span>our app. We will of course take as many precautions as possible to prevent
<br>
</span></div>
<div><span>unauthorized access, but if a hacker does break in we want the sandboxed
<br>
</span></div>
<div><span>flatpak application to provide an extra layer of defense that will prevent
<br>
</span></div>
<div><span>the legitimate user's data and activity from being exposed. However if the
<br>
</span></div>
<div><span>hacker can run our app with elevated access this protection is lost.</span></div>
<div><span><br>
</span></div>
<div><span>Regards,</span></div>
<div><span>Winnie<br>
</span></div>
<div><br>
<span></span><span></span></div>
<div><br>
</div>
</span></font></div>
</div>
</div>
_______________________________________________<br>
Flatpak mailing list<br>
<a href="mailto:Flatpak@lists.freedesktop.org" target="_blank" rel="noreferrer">Flatpak@lists.freedesktop.org</a><br>
<a href="https://lists.freedesktop.org/mailman/listinfo/flatpak" rel="noreferrer noreferrer" target="_blank">https://lists.freedesktop.org/mailman/listinfo/flatpak</a><br>
</blockquote></div></div></div>
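<p>For a deployment like the one Winnie describes (a locked-down system that boots straight into one flatpak app), one defensive check is to audit the per-app override file at startup and refuse to launch, or alert, if anything in it widens the sandbox beyond what the app's own manifest requested. The script below is an added example written for this thread, not code from the thread's participants or from the flatpak project. It assumes the override file layout flatpak writes under <code>~/.local/share/flatpak/overrides/&lt;app-id&gt;</code> or <code>/var/lib/flatpak/overrides/&lt;app-id&gt;</code> (a <code>[Context]</code> section with <code>;</code>-separated lists and optional <code>[Session Bus Policy]</code> / <code>[System Bus Policy]</code> sections); the sample file contents and the list of grants treated as "broad" are constructed for the example and should be tuned to what your app actually needs.</p>

```python
"""Flag flatpak override entries that widen an app's sandbox.

Added example for the discussion above; assumes the override file format
written by `flatpak override` (an INI-style file with a [Context] section).
"""
import configparser
import sys

# Constructed sample of an override file; not taken from any real system.
SAMPLE_OVERRIDE = """\
[Context]
shared=network;
sockets=x11;session-bus;
devices=all;
filesystems=host;~/Documents:ro;!xdg-download;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
"""

# Grants that give the app (or whoever manages to run it) reach far beyond
# its own data. This list is an assumption for the example; adjust per app.
BROAD_GRANTS = {
    "filesystems": {"host", "host-os", "host-etc", "home"},
    "devices": {"all"},
    "sockets": {"session-bus", "system-bus", "ssh-auth"},
    "shared": {"network"},
}

# Being allowed to talk to flatpak's own bus name lets a sandboxed process
# ask the host to spawn commands, so it is flagged whenever granted.
BUS_NAMES_TO_FLAG = {"org.freedesktop.Flatpak"}


def split_list(value):
    """Split a ';'-separated flatpak list.

    Drops the empty trailing item and any '!'-prefixed entries, since a
    negated entry removes access rather than adding it.
    """
    items = [v.strip() for v in value.split(";") if v.strip()]
    return [v for v in items if not v.startswith("!")]


def base_name(entry):
    """Strip the ':ro' / ':rw' / ':create' suffix from a filesystem entry."""
    return entry.split(":", 1)[0]


def find_broad_grants(text):
    """Return (section, key, entry) tuples for every grant in BROAD_GRANTS
    or BUS_NAMES_TO_FLAG that the override text adds."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case: D-Bus names are case-sensitive
    cp.read_string(text)

    findings = []
    if cp.has_section("Context"):
        for key, value in cp.items("Context"):
            broad = BROAD_GRANTS.get(key, set())
            for entry in split_list(value):
                if base_name(entry) in broad:
                    findings.append(("Context", key, entry))

    for section in ("Session Bus Policy", "System Bus Policy"):
        if cp.has_section(section):
            for name, policy in cp.items(section):
                if policy in ("talk", "own") and name in BUS_NAMES_TO_FLAG:
                    findings.append((section, name, policy))
    return findings


def audit_file(path):
    """Audit an override file on disk; returns the findings list."""
    with open(path, encoding="utf-8") as fh:
        return find_broad_grants(fh.read())


if __name__ == "__main__":
    # With a path argument, audit that file; otherwise run on the sample.
    if len(sys.argv) > 1:
        results = audit_file(sys.argv[1])
    else:
        results = find_broad_grants(SAMPLE_OVERRIDE)
    for section, key, entry in results:
        print(f"widened sandbox: [{section}] {key} -> {entry}")
    sys.exit(1 if results else 0)
```

<p>Run it with the override file path as its only argument (for example from the kiosk's startup script) and treat a non-zero exit as "do not launch". Note what this check does and does not cover, in line with the point made at the top of this reply: it catches overrides written into the user or system override directories, which is where <code>flatpak override</code> stores them, but an attacker who already has root can simply edit or delete the file, so the check is a tripwire for the sandbox being weakened, not a substitute for keeping root out.</p>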