this post was submitted on 03 Nov 2023
52 points (84.2% liked)

Linux

48413 readers
1180 users here now

From Wikipedia, the free encyclopedia

Linux is a family of open source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991 by Linus Torvalds. Linux is typically packaged in a Linux distribution (or distro for short).

Distributions include the Linux kernel and supporting system software and libraries, many of which are provided by the GNU Project. Many Linux distributions use the word "Linux" in their name, but the Free Software Foundation uses the name GNU/Linux to emphasize the importance of GNU software, causing some controversy.

Rules

Related Communities

Community icon by Alpár-Etele Méder, licensed under CC BY 3.0

founded 5 years ago
MODERATORS
 

I'm especially concerned about it being somehow broken, unwieldy, insecure or privacy-invasive.

Case in point; at times I have to rely on a Chromium-based browser if a website decides to misbehave on a Firefox-based browser. Out of the available options I gravitate towards Brave as it seems like the least bad out of the bunch.

Unfortunately, their RPM-package leaves a lot to be desired and has multiple times just been awful to deal with. So much so that I have been using another Chromium-based browser instead that's available directly from my distro's repos. But..., I would still switch to Brave in an instant if Brave was found in my distro's repos. A quick search on repology.org reveals that an up-to-date Brave is packaged in the AUR (unsurprisingly), Manjaro and Homebrew. I don't feel like changing distros for the sake of a single program, but adding Homebrew to my arsenal of universal package managers doesn't sound that bad. But, not all universal package managers are created equal, therefore I was interested to know how Homebrew fares compared to the others and if it handles the packaging of the browser without blemishing the capabilities of the browser's sandbox.


P.S. I expect people to recommend me Distrobox instead. Don't worry, I have been a staunch user of Distrobox for quite a while now. I have also run Brave through an Arch-distrobox in the past. But due to some concerns I've had, I chose to discontinue this. Btw, its Flatpak package ain't bad either. But unfortunately it's not official, so I choose to not make use of it for that reason.

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 2 points 1 year ago (1 children)

https://github.com/refi64/zypak

It lets Chromium use flatpak sub-sandboxes and is basically identical to its normal sandbox in terms of permissions.

[–] [email protected] 1 points 1 year ago (1 children)

I am thankful that zypak exists so that Chromium-based browsers and Electron apps don't have to explicitly flag --no-sandbox to continue functioning. However, it doesn't undermine the fact that native Chromium's sandbox is more powerful than Flatpak's sandbox. As such, if one desires security, then one should gravitate towards the native installed one.

It lets Chromium use flatpak sub-sandboxes

Are you sure that's the case?

[–] [email protected] 2 points 1 year ago (1 children)

The sandbox is not weakened meaningfully. It’s in a different namespace, no filesystem, no network, no GPU, seccomp rules still applied.

[–] [email protected] 0 points 1 year ago* (last edited 1 year ago) (2 children)

Unfortunately, you didn't -to my knowledge- support nor retract your claim on Chromium using flatpak sub-sandboxes. Therefore, I find it hard to continue taking your words at face value.

I have enjoyed these interactions, so don't get me wrong; but if I (possibly) catch you on spreading misinformation (even if unintentional), then I find it hard to keep engagement up as there's no guarantee that anything else coming from you is actually correct.

I would love to be corrected on this though, so please feel free if I have misunderstood you or anything else that would revive this conversation. If not, then I would still like to thank you from the bottom of my heart for this friendly interaction we've had. Take care!

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

I linked the source but sure, I'll link it more for you.

The portal code is here: https://github.com/refi64/zypak/blob/ded79a2f8a509adc21834b95a9892073d4a91fdc/src/dbus/flatpak_portal_proxy.h

The actual code that Chromium calls is here: https://github.com/refi64/zypak/blob/ded79a2f8a509adc21834b95a9892073d4a91fdc/src/helper/spawn_latest.cc#L21

This calls the org.freedesktop.portal.Flatpak service.

This service is here: https://github.com/flatpak/flatpak/tree/main/portal

The Spawn method creates a new sandbox completely isolated from the originating sandbox.

[–] [email protected] 1 points 1 year ago (1 children)

I linked the source but sure, I’ll link it more for you.

I am aware, but the same source seemingly contradicted your point^[1]^ regarding sub-sandboxing.

Wow, thanks a lot for the work you've put into this! It might take some time for me to go through this, but I'll definitely take a look and perhaps I'll return on this at a later point. Perhaps with this I will finally be able to install my Chromium-based browsers as a flatpak and don't feel bad about it.

Once again, your engagement has been much appreciated! So please feel free to let me know if I can buy you a coffee or something 😊! Unfortunately, statements like "Thank you so much!" don't quite capture the sheer magnitude of gratitude I feel towards you right now. For whatever it's worth; I salute you, good human.


  1. "It lets Chromium use flatpak sub-sandboxes" that you expressed in this comment.
[–] [email protected] 2 points 1 year ago (1 children)

The comment on there is odd, I’m not even sure what that issue is referring to. Not much exciting happened in that release for new features but there were subsandbox security fixes https://github.com/flatpak/flatpak/compare/1.10.8...1.12.0

[–] [email protected] 1 points 1 year ago

Thanks for taking the time to take a proper look at the link!