Worth noting that Flatpak's sandboxing is using the same container functionality of the Linux kernel as all the various other container tools. If containers are secure enough than so is Flatpak, assuming you've tweaked the applications sandbox settings to your liking.
Flatpak does not claim to be secure. This is also clearly stated in the FAQ. They provide a means of separation of applications. Sandboxing is not per se a form of security, just like this was with Docker in the 'early days'.
Flatpak uses kernel namespaces (like docker) to run software with a bundled set of libraries. From their FAQ:
> Flatpak mostly deployed as a convenient library bundling technology early on, with the sandboxing or containerization being phased in over time for most applications.
I don't really know if sandboxing is worth it for me. Running everything inside docker cotnaienrs sounds like an absolute nightmare when it comes to troubleshooting. You might think logs and things would be well defined and put in the right place for the OS to pick up, but if things were so well behaved we wouldn't feel the need for sandboxing now would we.
The tool that flatpak uses for sandboxing is bubblewrap, that can be used to sandbox distro packages fairly easily. None of the desktops do that though.
As far as I know, Flatpak offers a fair amount of control over sandboxing. It's just that isn't particularly useful for some thing like a document processing application that you usually want to be able to use on files in various parts of your system. The alternative might be giving it access to one particular directories, and then copying files there when you want to work on them. But that's already pretty cumbersome, something only the paranoid would bother with.
Realistically, I know that I do not have the skills to evaluate complicated applications and their complicated dependencies for security characteristics, so I am 100% reliant on packagers, maintainers, etc. for my security anyway. I'd rather just donate to the people publishing and maintaining the packages and hope that they are doing the job well, than fruitlessly attempt to fuss over it myself.
Flatpak offers sandboxing, but I think it's mostly meant for applications, not for development tools (where you often need to access your keys anyways).
You can run generic sandboxes using Bubblewrap (bwrap) which is the underlying infrastructure for Flatpak. It's much lower level than Podman or Docker though, and closer to the basic reality of containerization as a usage pattern for Linux namespaces. You don't get compatibility with OCI specifications, so it's not the kind of containers that most people might be used to.
App sandboxing is less of a concern when the software you use is built from source in your distro's package repository, and is maintained by distro maintainers whose interests align more closely to yours than the software manufacturer's. Ironically, Flatpaks are software from upstream and thus harder to trust.
tldr; The myth that flatpak apps provide a sandboxed environment is an illusion. Flatpaks are containerized applications that provide limited isolation by default and should be described as such.
This article takes a closer look at why flatpak fails to provide a real sandbox and demonstrates how popular applications on flathub can be exploited.
I am not particularly happy with Flatpak - I still think it mixes up two things (packaging, sandbox), and is not particularly good at the former. Nix actually solves the former issue, and does so splendidly. I would much rather see better sandboxes for linux.
Well, I have used it for years, and never encountered any issues. If you want to share a file between sandboxes you can hardlink it. Or use descriptor-passing. Or… But it feels like you are just looking for theoretical flaws in my personal workflow for the sake of coming up with flaws.
Of course, it is silly to sandbox your bread-winning software. I don't sandbox Android Studio. Or ffmpeg. Or VLC. Personally, I believe that nobody has a right to decide, how to sandbox software on other people's computers. I think, that such decision should be left to users of that software. Unfortunately, it looks like Flatpak does not make that easy.
It's mind boggling. The entire premise of being "sandboxed" means unable to escape the box and access the rest of the system. By that, one would think a Flatpak or any similar package would keep itself contained to the user's home directory, so that even if it broke out of the sandbox its path of destruction would be contained to the user's files (still not a great thing but not system-owning).
Theoretically yes (minus you are only one kernel vulnerability away from elevated access). However, a lot of Flatpaks take blanket access to the home directory or host filesystem:
So, many applications use it as a distribution mechanism and not so much for sandboxing. Of course, this is bound to get better over time when applications are modified to support sandboxing better and can use portals.
IMO you need both: isolation through e.g. sandboxing and timely security updates of applications and all their dependencies. Flatpak currently provides the former for some applications and the latter is completely dependent on the maintainer of the Flatpak.
reply