Re: Sandbox all the WebKit!
- From: Michael Catanzaro <mcatanzaro gnome org>
- To: Jordan Petridis <jordan alatiera com>
- Cc: desktop-devel-list <desktop-devel-list gnome org>
- Subject: Re: Sandbox all the WebKit!
- Date: Wed, 17 Jun 2020 08:01:08 -0500
Good questions! Under flatpak, WebKit will actually use flatpak-spawn
to create a flatpak subsandbox, instead of using its own bubblewrap
sandbox. So yes, WebKit's bubblewrap sandbox does not get used, but
there is a flatpak "subsandbox" instead. It effectively does:
$ flatpak-spawn --sandbox --no-network --sandbox-flag=share-gpu \
    --sandbox-flag=share-display --sandbox-flag=share-sound \
    --sandbox-flag=allow-a11y --sandbox-flag=allow-dbus
So network access is blocked. We have a new experimental GPU process
that should allow blocking GPU as well in the (distant) future. D-Bus
access is restricted to whatever flatpak allows (portals, plus services
namespaced by the app ID). The other permissions are probably not
removable.
Regardless of whether WebKit is using its bubblewrap sandbox or
flatpak-spawn, limited host access is provided via xdg-desktop-portal
and xdg-desktop-portal-gtk, so distros should be sure to add an
appropriate runtime Requires: xdg-desktop-portal-gtk (which I had
forgotten to do in Fedora until... yesterday).
Thank Patrick (TingPing) for putting this all together. I think Alex
helped too with some changes in flatpak-sandbox? I'm very impressed at
how well it worked out. :)
Michael
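As an added example (not part of the mail above), here is a small POSIX sh audit that reads a flatpak `/.flatpak-info` keyfile and reports which of the permissions the mail names (network, GPU, display, sound) a sandbox still holds, failing if the network is shared. It assumes that a `flatpak-spawn --sandbox` subsandbox records its effective permissions in the `[Context]` section (`shared=`, `sockets=`, `devices=`) the same way a top-level app does, and the keyfile it parses is constructed, not captured from a real WebKit process.

```shell
# Constructed sample of a /.flatpak-info keyfile for a web-process subsandbox
# that kept GPU, display and sound but dropped the network (the mail's setup).
SAMPLE_INFO='[Application]
name=org.example.WebProcess
runtime=runtime/org.gnome.Platform/x86_64/3.36

[Context]
shared=ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
'

# ctx_value CONTENT KEY -> prints KEY's value from the [Context] section only
ctx_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^\[/ { in_ctx = ($0 == "[Context]"); next }
        in_ctx && index($0, key "=") == 1 { sub("^" key "=", ""); print; exit }
    '
}

# has_item LIST ITEM -> success if the semicolon-separated LIST contains ITEM
has_item() {
    case ";$1;" in *";$2;"*) return 0 ;; esac
    return 1
}

# audit_sandbox CONTENT -> prints "network=.. gpu=.. display=.. sound=.."
# and returns non-zero if the network is shared (assumption: share-gpu maps to
# devices=dri, share-display to x11/wayland sockets, share-sound to pulseaudio).
audit_sandbox() {
    shared=$(ctx_value "$1" shared)
    sockets=$(ctx_value "$1" sockets)
    devices=$(ctx_value "$1" devices)
    net=no;  has_item "$shared" network && net=yes
    gpu=no;  has_item "$devices" dri && gpu=yes
    disp=no; { has_item "$sockets" x11 || has_item "$sockets" wayland; } && disp=yes
    snd=no;  has_item "$sockets" pulseaudio && snd=yes
    printf 'network=%s gpu=%s display=%s sound=%s\n' "$net" "$gpu" "$disp" "$snd"
    [ "$net" = no ]
}

audit_sandbox "$SAMPLE_INFO"
```

On a real system, feed it `"$(cat /.flatpak-info)"` from inside the process whose confinement you want to verify.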