On 08.07.22 01:41, Aaron Puchert wrote:
> On 06.07.22 at 12:11, Dan Čermák wrote:
>> Michael Pujos writes:
>>> I don't need to run Firefox, Thunderbird or some other desktop program containerized.
>> You don't, but from a security standpoint, you really do want to run your browser as isolated from the rest of your system as possible.
> Browsers currently have the ability to view local files (file:///...), would we then cut that off?

They would probably need to go through a system-provided file->open dialog (similar to when you want to open something from arbitrary storage locations on recent Android) to get to these files. This extra dialog when something wants to "reach outside" the restrictions is what got me sold on the idea. I hate SELinux and AppArmor and the like just because they deny access without talking to me about it, and thus are IMHO a UI nightmare. (Also the Windows UAC popups "this application wants to change *something*" are useless, because they do not actually tell *what* is about to be changed and are (AFAIK) just "confirm that I might run something with sudo" notifications.)

> These could be files in a home directory, and there could be cross-links between them.
> Also, as you're probably aware, Firefox and other browsers already have their own sandboxing for content processes that is much stronger than containers. (They only have a handful of syscalls available and cannot e.g. open any additional files.)

That's true. But huge, complex, network-connected programs processing mostly untrusted input -- IMHO every single layer of isolation around them is a good idea.

> Sandboxing content processes makes more sense to me than sandboxing the entire browser, because lots of valuable secrets are already in the browser (passwords, cookies, other private data). But they shouldn't escape to other webservers than the one they're intended for. These kinds of barriers can only be erected within the browser.

Yes, sure. But my machine stores many more valuable secrets outside the browser and I welcome any additional protection. And -- at least that's how I understand it now -- you could still just allow "any <---> any" for a given flatpak in your configuration, so if you do not want that extra isolation, this should be the simple fix for you.

-- 
Stefan Seyfried

"For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman
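The "any <---> any" configuration the thread mentions is, for a Flatpak, a static filesystem grant such as `host` or `home` in the app's `[Context]` section; once those are removed, file access has to go through the file-chooser portal dialog that the reply above describes. The following is an added audit example, not code from the list discussion or from the Flatpak project: it parses the keyfile text that `flatpak info --show-metadata <app>` prints, flags the broad grants, and builds the `flatpak override` invocation that revokes them. The metadata sample and the app id `org.example.Browser` are constructed for the example.

```python
import configparser

# Constructed sample of the keyfile output of `flatpak info --show-metadata`.
# The app id and runtime are placeholders, not a real application's values.
SAMPLE_METADATA = """\
[Application]
name=org.example.Browser
runtime=org.example.Platform/x86_64/1

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
filesystems=xdg-download;home:ro;host;
"""

# Filesystem grants that expose whole trees to the sandboxed app without
# any per-file dialog; everything else here stays reachable only via the portal.
BROAD_GRANTS = {"host", "host-os", "host-etc", "home"}


def parse_context(text):
    """Return the [Context] section as {key: [values]}; keyfile lists are ';'-separated."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    ctx = {}
    if cp.has_section("Context"):
        for key, value in cp.items("Context"):
            ctx[key] = [v for v in value.split(";") if v]
    return ctx


def broad_filesystem_grants(ctx):
    """Filesystem entries that grant whole trees, keeping any ':ro'/':rw'/':create' suffix."""
    found = []
    for entry in ctx.get("filesystems", []):
        base = entry.split(":", 1)[0]
        if base in BROAD_GRANTS:
            found.append(entry)
    return found


def override_command(app_id, grants):
    """The user-scope `flatpak override` that revokes the given broad grants, or None."""
    if not grants:
        return None
    args = " ".join(f"--nofilesystem={g.split(':', 1)[0]}" for g in grants)
    return f"flatpak override --user {args} {app_id}"


if __name__ == "__main__":
    ctx = parse_context(SAMPLE_METADATA)
    grants = broad_filesystem_grants(ctx)
    print("broad grants:", grants)
    print("fix:", override_command("org.example.Browser", grants))
```

Run it against real output by piping `flatpak info --show-metadata <app>` into `parse_context`; a static grant that is later taken away only breaks apps that bypass the portal, which is exactly the behaviour the dialog is meant to surface.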