Re: LibreOffice packages

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Jun 5 2023 at 04:46:42 PM -0400, Demi Marie Obenour <demiobenour@xxxxxxxxx> wrote:
Fedora could, of course ship its own SELinux policy for Flatpak (and I
recommend this), but Flatpak will not (and cannot reasonably be expected
to) integrate with SELinux natively.

Well it would have to be a very permissive policy, because it would need to allow everything that any Flatpak app might ever want to do. Doesn't selinux work best when you have a good understanding of the software that you are trying to confine?

Could Flatpak be changed to use e.g. KVM + crosvm for isolation? Flatpak does (via seccomp) prevent applications from creating _new_ user namespaces.

Maybe in theory, but in practice that won't work because (a) it would be a major breaking change, and (b) flatpaks are integrated with the host system via D-Bus APIs, and throwing a VM boundary into the middle would make D-Bus rather difficult to do.

For example, when you want to open a file, the application does not have any access to the host filesystem, so if it attempts to display its own file chooser, you'll see only a sad empty home directory. Instead, an application designed for Flatpak will use the org.freedesktop.portal.FileChooser D-Bus API to ask the portal running on the host system to show a file chooser instead. (The application's UI toolkit, e.g. GTK or Qt, will usually handle this.) Then the user interacts with the host file chooser, and the host mounts the selected file in the sandbox so that the application can only see the file that the user selected. That would need to somehow work across the VM boundary. No doubt it's possible somehow, but using a VM would certainly make that a lot more complicated.

Now that's just one of dozens of portal APIs that allow sandboxed apps to interact with the host system. Another example: org.freedesktop.portal.FileTransfer, which allows drag-and-drop to and from the sandboxed application. All the portals would need to be reimplemented to ensure they still work with virtual machines instead of containerized applications. I don't want to say "no don't ever attempt this" but it sounds like a huge undertaking. We have to balance isolation vs. functionality; adding so much isolation such that applications no longer function as expected is too much. (We also have to satisfy users who expect flatpak to add no overheard relative to host system applications, which isn't possible but would be especially not possible if using VMs.)

So I don't expect upstream to be interested in this.

Michael

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux