
Failure of sandboxing

Posted Apr 18, 2025 6:28 UTC (Fri) by epa (subscriber, #39769)
In reply to: Failure of sandboxing by khim
Parent article: Catanzaro: Dangerous arbitrary file read vulnerability in Yelp

Yes. For the particular case of a help browser, what it does is so limited that sandboxing should be possible. For other applications retrofitting a sandbox can create a maze of authentication prompts that users quickly turn off (or train themselves to ignore). Or functionality may just be lost. We see some of the same effects with apps packaged as snaps by Ubuntu, which don’t always integrate fully with the rest of the system, I believe.

(I’d like to see a file open dialogue box that grants permission to a sandboxed app to open that file but no other; similarly for saving.)


Failure of sandboxing

Posted Apr 18, 2025 10:11 UTC (Fri) by ebassi (subscriber, #54855) [Link]

> (I’d like to see a file open dialogue box that grants permission to a sandboxed app to open that file but no other; similarly for saving.)

That's literally the file chooser portal: https://flatpak.github.io/xdg-desktop-portal/docs/doc-org...

Which is what GTK, for instance, uses out of the box with its GtkFileDialog API: https://docs.gtk.org/gtk4/class.FileDialog.html

The file selection dialog runs on the host, and exposes only the user selected file(s) into the sandbox.

Failure of sandboxing

Posted Apr 18, 2025 16:45 UTC (Fri) by vonbrand (subscriber, #4458) [Link] (1 responses)

And all users are fine with checking what "123_PGR_xvg.js" does. Heck, I would understand around half of the code, and would not appreciate having to interrupt my work (already interrupted looking for help, or whatever) to launch an audit on some recondite snippet of code of no interest to me.

Failure of sandboxing

Posted Apr 22, 2025 9:22 UTC (Tue) by epa (subscriber, #39769) [Link]

I imagined that reading a file that's installed on the system (and readable to all local users) wouldn't require a prompt, but reading a file which is under the user's home directory would prompt, and doubly so if it's not world-readable.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds