|
|
Subscribe / Log in / New account

Application isolation

Application isolation

Posted Aug 21, 2018 14:48 UTC (Tue) by tux3 (subscriber, #101245)
In reply to: Application isolation by astian
Parent article: Flatpak 1.0 released

My understanding is that they've been using Bubblewrap as a sandbox (https://github.com/projectatomic/bubblewrap), which is a sort of homemade lightweight user namespaces implemented with a setuid helper.

As far as I can tell, as of today their sandbox seems perfectly functional, but if there's some fine print hidden somewhere I'd love to take a look at it!

Here's their wiki that I've only quickly glossed over: https://github.com/flatpak/flatpak/wiki/Sandbox

to post comments

Application isolation

Posted Aug 21, 2018 22:43 UTC (Tue) by smcv (subscriber, #53363) [Link] (4 responses)

The sandbox itself is as good as any other unprivileged container based on namespaces: the sandboxed app has access to the kernel's (significant) attack surface, but with strict permissions it can't do much to interact with the rest of the system. On some kernel configurations (notably Debian and RHEL), bubblewrap normally needs to be setuid; on others (notably Fedora and Ubuntu), it can be unprivileged. (The difference is because by default Debian and RHEL kernels don't let unprivileged users create their own user namespaces, whereas Fedora and Ubuntu kernels do.)

The fine print is that to let an app do useful things (draw a window, play sounds, contact network services, load and save per-user preferences, etc.) it needs to have some permissions (gaps in the sandbox boundary), and at the moment many of those permissions are more coarse-grained than you might hope: for example, access to PulseAudio is currently a binary yes/no choice per app, and there's no way to say "this app can play sounds, but can't use PulseAudio's shared-memory transport, and can't record". This should get better with continued development, partly in Flatpak itself and partly in other projects adjacent to it.

Application isolation - PA

Posted Aug 22, 2018 10:05 UTC (Wed) by darwish (guest, #102479) [Link] (2 responses)

> for example, access to PulseAudio is currently a binary yes/no choice per app, and there's no way to say "this app can play sounds, but can't use PulseAudio's shared-memory transport, and can't record".

This was initially going to be solved by adding Access Control support to PulseAudio, along with lots of PA code re-design to guarantee real isolation:

https://www.freedesktop.org/wiki/Software/PulseAudio/Docu...

https://lists.freedesktop.org/archives/pulseaudio-discuss...

AFAIK Fedora merged these Access Control patches on their own, but as seen above they are definitely not enough. The tide now is go with PipeWire since it's careful to solve this problem correctly from the start.

Application isolation - PA

Posted Aug 22, 2018 14:02 UTC (Wed) by kloczek (guest, #6391) [Link] (1 responses)

So many years people have been telling to stop doing those nasty things with alsa/pulseaudio in user space and move all to kernel space .. no one listens.

Application isolation - PA

Posted Aug 22, 2018 17:41 UTC (Wed) by zlynx (guest, #2285) [Link]

How exactly would that help? If the kernel audio interfaces allowed recording you'd be in the same fix because the kernel ABI cannot be changed.

In the past before ALSA with OSS audio there were horrible library hacks to intercept open(), read(), write(), ioctl() calls to audio devices so that kernel behavior could be modified. There are *reasons* why things are now in userspace.

Application isolation

Posted Aug 22, 2018 19:57 UTC (Wed) by astian (guest, #118981) [Link]

Thanks for the summary.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds