On Mon, Jun 5 2023 at 04:46:42 PM -0400, Demi Marie Obenour
<demiobenour@xxxxxxxxx> wrote:
> Fedora could, of course ship its own SELinux policy for Flatpak (and I
> recommend this), but Flatpak will not (and cannot reasonably be expected
> to) integrate with SELinux natively.
Well it would have to be a very permissive policy, because it would
need to allow everything that any Flatpak app might ever want to do.
Doesn't SELinux work best when you have a good understanding of the
software that you are trying to confine?
> Could Flatpak be changed to use e.g. KVM + crosvm for isolation? Flatpak
> does (via seccomp) prevent applications from creating _new_ user
> namespaces.
Maybe in theory, but in practice that won't work because (a) it would
be a major breaking change, and (b) flatpaks are integrated with the
host system via D-Bus APIs, and throwing a VM boundary into the middle
would make D-Bus rather difficult to do.
For example, when you want to open a file, the application does not
have any access to the host filesystem, so if it attempts to display
its own file chooser, you'll see only a sad empty home directory.
Instead, an application designed for Flatpak will use the
org.freedesktop.portal.FileChooser D-Bus API to ask the portal running
on the host system to show a file chooser instead. (The application's
UI toolkit, e.g. GTK or Qt, will usually handle this.) Then the user
interacts with the host file chooser, and the host mounts the selected
file in the sandbox so that the application can only see the file that
the user selected. That would need to somehow work across the VM
boundary. No doubt it's possible somehow, but using a VM would
certainly make that a lot more complicated.
Now that's just one of dozens of portal APIs that allow sandboxed apps
to interact with the host system. Another example:
org.freedesktop.portal.FileTransfer, which allows drag-and-drop to and
from the sandboxed application. All the portals would need to be
reimplemented to ensure they still work with virtual machines instead
of containerized applications. I don't want to say "no don't ever
attempt this" but it sounds like a huge undertaking. We have to balance
isolation vs. functionality; adding so much isolation such that
applications no longer function as expected is too much. (We also have
to satisfy users who expect Flatpak to add no overhead relative to
host system applications, which isn't possible but would be especially
not possible if using VMs.)
So I don't expect upstream to be interested in this.
Michael
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue