219196 – [GTK] Sandbox in Flatpak

RESOLVED WONTFIX219196

[GTK] Sandbox in Flatpak

https://bugs.webkit.org/show_bug.cgi?id=219196

Summary [GTK] Sandbox in Flatpak

Milan Crha

Reported 2020-11-20 02:11:56 PST

I suggest to disable sandbox (mimic WEBKIT_FORCE_SANBOX=0) when the application runs in a Flatpak sandbox. The current behavior just means to run a sandbox in a sandbox, which feels like an overhead. I know the "attacker" can get to the application data, but not to the system data, thus it should be fine. More or less. I've got this idea after seeing a Flatpak-related downstream print bug report: https://gitlab.gnome.org/GNOME/evolution/-/issues/1236 which you may or may not consider covered by the bug #202363.

Attachments
Add attachment proposed patch, testcase, etc.

Michael Catanzaro

Comment 1 2023-06-13 11:33:32 PDT

The nested sandbox is intentional. Having only top-level sandboxing isn't enough because you run web content from multiple origins in a web browser, and those origins are expected to compromise the web process and try to hack each other. The overhead should be pretty minimal. I know it's not necessary for Evolution, but it is needed in general.

Note You need to log in before you can comment on or make changes to this bug.

Status RESOLVED

Resolution WONTFIX

Priority P2

Severity Normal

Classification Unclassified

Version Other

Hardware Unspecified

OS Unspecified

Product WebKit

Component WebKitGTK

Assignee

Nobody

Reported

2020-11-20 02:11 PST

Modified

2023-06-13 11:33 PDT History

CC List

2 users Show

URL

Keywords

Depends on

Blocks