Anonymous
04/26/24(Fri)02:49:17 No.100185851 >>100181965
The flatpak seccomp filter is obviously not supposed to be fine-grained, that's the job of the program developers who know what's best for their program. It just blocks features that would break flatpak and stuff that is blatantly unnecessary like dmesg which already should be unusable by unprivileged users via sysctl. It's analogous to @system-service in systemd (systemd.exec(5), systemd-analyze syscall-filter @system-service) though systemd actually uses a whitelist approach. Though it would be nice if it had some more configurability as most programs don't currently need io_uring but some might.
>Firefox needs ptrace for the crash reporter
Why is ptrace dangerous while everyone uses the yama LSM so you can only ptrace children by default and PID namespaces exist (outside of the fact that it's another feature that might have bugs like io_uring)?
>You also have to be careful and deny permissions such as /home filesystem access, because it lets Flatpak apps override their own permissions by design (https://github.com/flatpak/flatpak/issues/3637)
Not a bad thing IMO when permissions are made clear when you look at its page in flathub. You can and should look at the permissions and override it with flatseal if you have different permission requirements. If you don't want to use file portals which can be inconvenient for certain applications then configuring which directories you want ro/rw access to is ultimately a personal decision so it's easier to have a default of $HOME or Downloads and tell the user that in the flathub page.
>X11/Pulseaudio sockets are also dangerous
This is fixed with Wayland and soon in PipeWire.
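An added example, not part of the post above, in POSIX sh: it parses the [Context] section of an app's static permissions (the key-file format that flatpak info --show-permissions prints, fed here as a constructed sample string instead of querying a real install), flags the broad grants the thread argues about (home/host filesystem access, the x11 and pulseaudio sockets) and turns them into the matching flatpak override --user flags. The app id org.example.App and the sample permissions are made up; the --nofilesystem and --nosocket flags are the real flatpak-override(1) ones, and the dmesg check reads the real kernel.dmesg_restrict sysctl.

```shell
#!/bin/sh
# Added example (not the post's or Flatpak's own code): audit an app's static
# Flatpak permissions and print the override that narrows them.

# Constructed sample in the format of `flatpak info --show-permissions <app>`.
SAMPLE_PERMS='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;
filesystems=home;xdg-download;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
'

# Constructed sample of an app that already uses portals and Wayland only.
NARROW_PERMS='[Context]
sockets=wayland;
filesystems=xdg-download:ro;
'

# Print one sorted line per risky static grant in [Context]:
#   filesystems:home|host|host-os|host-etc  (home covers ~/.local/share/flatpak/overrides,
#                                            so the app can edit its own override file)
#   sockets:x11|pulseaudio                  (no isolation between clients on those sockets)
# Prints nothing when the app has none of them.
risky_grants() {
  printf '%s\n' "$1" | awk -F= '
    /^\[/ { in_ctx = ($0 == "[Context]"); next }
    !in_ctx { next }
    $1 == "filesystems" || $1 == "sockets" {
      n = split($2, v, ";")
      for (i = 1; i <= n; i++) {
        item = v[i]
        sub(/:(ro|rw|create)$/, "", item)     # strip the access-mode suffix
        if ($1 == "filesystems" && (item == "home" || item == "host" ||
                                    item == "host-os" || item == "host-etc"))
          print "filesystems:" item
        if ($1 == "sockets" && (item == "x11" || item == "pulseaudio"))
          print "sockets:" item
      }
    }' | sort
}

# Exit 0 if the [Context] sockets= line grants the named socket, 1 otherwise.
has_socket() {
  printf '%s\n' "$2" | awk -F= -v want="$1" '
    /^\[/ { in_ctx = ($0 == "[Context]"); next }
    in_ctx && $1 == "sockets" {
      n = split($2, v, ";")
      for (i = 1; i <= n; i++) if (v[i] == want) found = 1
    }
    END { exit found ? 0 : 1 }'
}

# Build the `flatpak override --user ...` command that revokes every risky grant.
# x11 is only dropped when the app also has the wayland socket; otherwise it
# would simply fail to start. Exit 1 when there is nothing to revoke.
suggest_overrides() {
  app="$1"; perms="$2"; flags=""
  for g in $(risky_grants "$perms"); do
    case "$g" in
      filesystems:*) flags="$flags --nofilesystem=${g#filesystems:}" ;;
      sockets:x11)   has_socket wayland "$perms" && flags="$flags --nosocket=x11" ;;
      sockets:*)     flags="$flags --nosocket=${g#sockets:}" ;;
    esac
  done
  [ -n "$flags" ] || return 1
  echo "flatpak override --user$flags $app"
}

# Host-side check the post alludes to: kernel.dmesg_restrict=1 makes dmesg(1)
# unusable for unprivileged users regardless of any seccomp filter. Exit 1 if
# the sysctl is 0 or not exposed by this kernel.
dmesg_restricted() {
  [ "$(cat /proc/sys/kernel/dmesg_restrict 2>/dev/null)" = "1" ]
}

# Stand-alone demo on the constructed sample.
risky_grants "$SAMPLE_PERMS"
suggest_overrides org.example.App "$SAMPLE_PERMS"
if dmesg_restricted; then
  echo "kernel.dmesg_restrict=1: unprivileged dmesg already blocked"
else
  echo "kernel.dmesg_restrict is not 1 (or unavailable on this kernel)"
fi
```

Revoking home with --nofilesystem=home also removes the app's write access to its own override file under ~/.local/share/flatpak/overrides, which is the behaviour the linked issue describes; re-grant what the app actually needs afterwards with a narrower --filesystem=xdg-download (or xdg-download:ro) rather than leaving it with all of $HOME.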