Is a web browser _less_ secure when run within a Flatpak?
Posted May 27, 2025 13:29 UTC (Tue) by swilmet (subscriber, #98424)
Parent article: The future of Flatpak
> One thing that has been a bit of a pain point, Wick said, is that nested sandboxing does not work in Flatpak. For instance, an application cannot use Bubblewrap inside Flatpak. Many applications, such as web browsers, make heavy use of sandboxing.
>
> > They really like to put their tabs into their own sandboxes because it turns out that if one of those tabs is running some code that manages to exploit and break out of the process there, at least it's contained and doesn't spread to the rest of the browser.
>
> What Flatpak does instead, currently, is to have a kind of side sandbox that applications can call to and spawn another Flatpak instance that can be restricted even further. "So, in that sense, that is a solution to the problem, but it is also kind of fragile." There have been issues with this approach for quite a while, he said, but no one knows quite how to solve them.
So, it's not really clear to me whether Firefox for example is more or less secure when run as a Flatpak compared to a traditional Linux distribution package.
Posted May 28, 2025 7:22 UTC (Wed)
by daenzer (subscriber, #7050)
I'm not sure about the implications of the lack of user namespaces; offhand, it doesn't seem like a big difference though.
Posted Jun 2, 2025 23:27 UTC (Mon)
by swilmet (subscriber, #98424)
My understanding is that "fragile" means it'll break when the surrounding code changes a bit too much, or when doing some heavy refactorings. Not great security-wise.
And in fact, "There have been issues with this approach for quite a while", the article says.
For the about:support page I'm not sure; Firefox maybe provides the same information for some fields, but internally the details would differ (the fragile side-sandbox for Flatpak, versus the full-blown sandboxing solutions for distro packages). To be confirmed, this is just supposition.