Re: Fedora development of Snap packages

On Jun 14, 2016 11:24 PM, "Florian Weimer" <fweimer@xxxxxxxxxx> wrote:
>
> On 06/15/2016 06:27 AM, Andrew Lutomirski wrote:
>>
>> On Tue, Jun 14, 2016 at 9:07 PM, Florian Weimer <fweimer@xxxxxxxxxx> wrote:
>>>
>>> On 06/15/2016 04:11 AM, Andrew Lutomirski wrote:
>>>
>>>> I *strongly* disagree here.  The xdg-app folks seem to be doing a
>>>> pretty good job with their sandbox.  The kernel attack surface is
>>>> reduced considerably, as is the attack surface against the user via
>>>> ptrace and filesystem access.  If Wayland is available (which it
>>>> should be!) then so is the attack surface against X.
>>>
>>> What about the direct access to DRI device nodes?  Why isn't this a problem
>>> that reduces the effectiveness of the sandbox considerably?
>>
>> It's certainly a meaningful attack surface.  That being said, if it
>> works well, it should be about as dangerous as Chromium's render
>> sandbox, and the latter seems to work fairly well in practice.  I'm
>> assuming that xdg-app grants access to render nodes, not to the legacy
>> node.
>
> I'm not sure what kind of sandboxing there is.  I was just able to open ~/.ssh/id_rsa from a Flatpak application, and change ~/.bash_profile (both outside the sandbox, obviously).
>
> I couldn't find any relevant device nodes in the file system namespace.

Hmm.  Maybe the current Flatpak doesn't have the xdg-app sandbox enabled.

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://lists.fedoraproject.org/admin/lists/devel@xxxxxxxxxxxxxxxxxxxxxxx
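The thread hinges on a question that is easy to answer empirically: from inside the application sandbox, are host-private files such as ~/.ssh/id_rsa and ~/.bash_profile reachable, and which /dev/dri nodes are visible (render nodes only, or the legacy card* node as well)? The POSIX shell script below is an added example written for this page; it is not code from the thread, from Flatpak or from xdg-app. It packages exactly the checks Florian performed by hand into a repeatable self-test a packager can run both on the host and inside the sandbox and compare. The application id org.example.App in the comment and the probed file names are assumptions; nothing is created or modified, since the write probe relies on access(2), which honours read-only bind mounts.

```shell
#!/bin/sh
# Sandbox self-check (added example; not from the thread, Flatpak or xdg-app).
# Run it from INSIDE the application sandbox and compare with the host, e.g.
#   flatpak run --command=sh org.example.App -c '. ./sandbox-check.sh'
# (org.example.App is a placeholder id). A confined app should report every
# host-private path as blocked and expose no legacy card* DRI node.

# probe_read PATH: returns 0 if PATH is readable from here (a leak for private
# files). test -r is access(2) plus a 1-byte read, so mount-namespace and
# permission denials are seen; a seccomp filter that kills on open(2) is not.
probe_read() {
    if [ -r "$1" ] && dd if="$1" bs=1 count=1 >/dev/null 2>&1; then
        printf 'READ  %-28s reachable\n' "$1"; return 0
    fi
    printf 'READ  %-28s blocked\n' "$1"; return 1
}

# probe_write PATH: returns 0 if PATH (or, when absent, its directory) is
# writable. Non-destructive: access(2) honours read-only bind mounts, so
# nothing is created or modified.
probe_write() {
    if [ -e "$1" ]; then target=$1; else target=$(dirname -- "$1"); fi
    if [ -w "$target" ]; then
        printf 'WRITE %-28s reachable\n' "$1"; return 0
    fi
    printf 'WRITE %-28s blocked\n' "$1"; return 1
}

# classify_dri_node PATH: "render" for renderD*, "legacy" for card*, else
# "other". Render nodes expose only the GPU render/compute ioctls; card*
# nodes are the privileged display-controller interface the thread calls
# the "legacy node".
classify_dri_node() {
    case $(basename -- "$1") in
        renderD*) echo render ;;
        card*)    echo legacy ;;
        *)        echo other ;;
    esac
}

# list_dri_nodes: one "CLASS PATH" line per entry under /dev/dri (none if the
# sandbox hides the directory).
list_dri_nodes() {
    for n in /dev/dri/*; do
        [ -e "$n" ] || continue
        printf '%s %s\n' "$(classify_dri_node "$n")" "$n"
    done
}

# sandbox_report: run every probe; returns the number of reachable private
# files plus visible legacy DRI nodes (0 means the thread's checks all pass).
sandbox_report() {
    leaks=0
    for p in "$HOME/.ssh/id_rsa" "$HOME/.bash_profile"; do
        probe_read "$p" && leaks=$((leaks + 1))
    done
    probe_write "$HOME/.bash_profile" && leaks=$((leaks + 1))
    list_dri_nodes | while read -r cls path; do
        printf 'DRI   %-28s %s node\n' "$path" "$cls"
    done
    legacy=$(list_dri_nodes | grep -c '^legacy ' || true)
    leaks=$((leaks + legacy))
    printf 'leaks: %d\n' "$leaks"
    return "$leaks"
}

sandbox_report || :   # drop "|| :" to make the exit status the leak count
```

Run it once on the host (where every probe should report "reachable") and once under the sandbox; any line that stays "reachable" inside, or any "legacy node" line, is a concrete gap of the kind the thread is arguing about, and an exit status of 0 inside the sandbox is the condition a package review can require.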
