OCI is an antiquated format, not fit for modern security requirements

Posted May 15, 2025 10:50 UTC (Thu) by jgu (subscriber, #129944)
In reply to: OCI is an antiquated format, not fit for modern security requirements by bluca
Parent article: The future of Flatpak

Can you say more about what you have in mind here? Something along the lines of dm-verity for OCI? Something else?


OCI is an antiquated format, not fit for modern security requirements

Posted May 15, 2025 12:23 UTC (Thu) by bluca (subscriber, #118303) (8 responses)

Anything that enforces a read-only image plus signed dm-verity (as in, verified by the kernel). There are various workflows and tools that can do that, but it can also be implemented from scratch, as these are just primitives that anyone can use.
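To make concrete what "signed dm-verity, verified by the kernel" buys a read-only image, here is an added example (not from the commenter or from any of the projects discussed) that models dm-verity's core mechanism: a salted Merkle hash tree over 4 KiB blocks whose single root hash is the only value that needs to be signed and trusted, with every block read checked against it. It is a simplified model of the scheme, not the real on-disk layout (superblock, level ordering); the sample image and salt are constructed.

```python
import hashlib

BLOCK_SIZE = 4096                   # dm-verity's default data/hash block size
DIGEST_SIZE = hashlib.sha256().digest_size
SALT = bytes(range(32))             # constructed fixed salt, so results are reproducible

def _digest(data: bytes, salt: bytes = SALT) -> bytes:
    # dm-verity hashes salt || block by default
    return hashlib.sha256(salt + data).digest()

def _pad(data: bytes) -> bytes:
    return data + b"\x00" * (-len(data) % BLOCK_SIZE)

def build_tree(image: bytes):
    """Return (root_hash, levels). levels[0] holds one digest per data block;
    each higher level packs the level below into hash blocks and digests those,
    until a single digest (the root hash, the value that gets signed) remains."""
    image = _pad(image)
    level = [_digest(image[i:i + BLOCK_SIZE]) for i in range(0, len(image), BLOCK_SIZE)]
    levels = [level]
    while len(level) > 1:
        packed = _pad(b"".join(level))
        level = [_digest(packed[i:i + BLOCK_SIZE]) for i in range(0, len(packed), BLOCK_SIZE)]
        levels.append(level)
    return level[0], levels

def verify_block(block: bytes, index: int, levels, root_hash: bytes) -> bool:
    """Check one data block the way the kernel does on each read: its digest must
    match the leaf, every hash block on the path must digest to its parent entry,
    and the top of the tree must equal the trusted (signed) root hash."""
    if _digest(block) != levels[0][index]:
        return False
    per_block = BLOCK_SIZE // DIGEST_SIZE            # digests per hash block
    for lvl in range(len(levels) - 1):
        hb = index // per_block
        packed = _pad(b"".join(levels[lvl]))
        if _digest(packed[hb * BLOCK_SIZE:(hb + 1) * BLOCK_SIZE]) != levels[lvl + 1][hb]:
            return False
        index = hb
    return levels[-1][0] == root_hash

def demo():
    """Constructed 5-block image: clean block, tampered data block, tampered hash tree."""
    image = b"".join(bytes([i]) * BLOCK_SIZE for i in range(5))
    root, levels = build_tree(image)
    blocks = [image[i:i + BLOCK_SIZE] for i in range(0, len(image), BLOCK_SIZE)]
    tampered = bytearray(blocks[2]); tampered[10] ^= 1       # one bit flipped in block 2
    bad_levels = [list(l) for l in levels]; bad_levels[0][3] = bytes(DIGEST_SIZE)  # forged leaf
    return (verify_block(blocks[0], 0, levels, root),        # True
            verify_block(bytes(tampered), 2, levels, root),  # False: data changed
            verify_block(blocks[0], 0, bad_levels, root))    # False: tree changed, root still trusted
```

Only the 32-byte root hash has to be authenticated (by a signature the kernel checks); an attacker who can rewrite the image or the hash tree but not produce a new signed root is detected on the first read of a changed block.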

OCI is an antiquated format, not fit for modern security requirements

Posted May 15, 2025 16:32 UTC (Thu) by DemiMarie (subscriber, #164188) (3 responses)

Desktop workloads trust the local filesystem anyway. What you are looking for needs a completely different OS design and is only suitable for Android, ChromeOS, and other heavily locked-down systems.

OCI is an antiquated format, not fit for modern security requirements

Posted May 15, 2025 21:48 UTC (Thu) by bluca (subscriber, #118303) (2 responses)

They don't; sandboxing includes file accesses. As the article mentions, there's a portal for that, and for good reasons.

In fact, desktops are where these are most needed, since for the average user desktop browsers are how malware gets in.

OCI is an antiquated format, not fit for modern security requirements

Posted May 17, 2025 0:15 UTC (Sat) by DemiMarie (subscriber, #164188) (1 response)

Sandboxing keeps applications from doing stuff they should not do. Someone who can tamper with the sandboxed executables can also tamper with ~/.bashrc and execute arbitrary code outside the sandbox.

OCI is an antiquated format, not fit for modern security requirements

Posted May 17, 2025 11:19 UTC (Sat) by bluca (subscriber, #118303)

Those are more reasons in favour of strong sandboxing and code integrity, not against them.

Flatpak needs an unprivileged solution

Posted May 29, 2025 0:46 UTC (Thu) by DemiMarie (subscriber, #164188) (3 responses)

dm-verity requires root privileges to use. Flatpak doesn’t need any special privileges at all, so dm-verity isn’t even an option.

Flatpak needs an unprivileged solution

Posted May 29, 2025 1:12 UTC (Thu) by bluca (subscriber, #118303) (2 responses)

No, that's not necessary at all, via mountfsd or similar solutions.

Unprivileged users need to be able to create and run flatpaks

Posted May 29, 2025 1:21 UTC (Thu) by DemiMarie (subscriber, #164188) (1 response)

mountfsd is only secure if you configure it to only mount volumes created by a key that only root-equivalent users have access to. I strongly suspect that any solution that requires root-equivalent privileges to create and run a flatpak is not going to be accepted upstream. Only allowing signed flatpaks to run might be acceptable as an option, but not as the default, at least not unless users can enroll their own signing keys without needing any special privileges to do it.

Unprivileged users need to be able to create and run flatpaks

Posted May 29, 2025 18:57 UTC (Thu) by bluca (subscriber, #118303)

Sorry, but that's really not how any of that works; you might want to look at it again.

Copyright © 2025, Eklektix, Inc.