Web lists-archives.com

Re: Limiting the power of packages




On Thu, 04 Oct 2018 at 08:34:15 +0200, Florian Weimer wrote:
> * Paul Wise:
> > To fully solve the problem you need a whitelist based approach that
> > ends up something completely different like Flatpak.
> 
> Flatpaks don't work this way.  Try installing gedit and open a file
> like ~/.ssh/id_rsa with it.  There are no security prompts whatsoever,
> yet the software in a flatpak can read your SSH private key.

That particular app's whitelist presumably includes "share the entire
host filesystem"; the existence of a whitelist doesn't mean the whitelist
isn't large. General-purpose development tools and text editors generally
have larger whitelists than more limited apps, with GNOME Builder at
the extreme of least-confined.

% flatpak --user install flathub org.gnome.gedit
Installing in user:
org.gnome.Platform.Locale/x86_64/3.28 flathub 2823e3d81b74
org.gnome.gedit/x86_64/stable         flathub a03b66681bce
  permissions: ipc, wayland, x11
  file access: host, xdg-run/dconf, ~/.config/dconf:ro
               ^^^^
                \- this is why it can read arbitrary files
  dbus access: ca.desrt.dconf, org.gtk.vfs.*
org.gnome.gedit.Locale/x86_64/stable  flathub c2974b37ef08
Is this ok [y/n]:

I think the intention is that GUIs like GNOME Software prompt for apps
that need special permissions in a more user-friendly way, something
like how Android handles app permissions, although I don't think that's
actually implemented yet.

I don't know specifically why gedit has the host file access
permission: it's unnecessary for File->Open and File->Save
As... (e.g. org.gnome.Recipes is a good example of an app that
doesn't, but can still import and export recipes) but presumably some
of gedit's IDE-like features involve opening files other than the one
you directly asked for.

    smcv