Re: Sandbox all the WebKit!

Good questions! Under flatpak, WebKit will actually use flatpak-spawn to create a flatpak subsandbox, instead of using its own bubblewrap sandbox. So yes, WebKit's bubblewrap sandbox does not get used, but there is a flatpak "subsandbox" instead. It effectively does:

$ flatpak-spawn --sandbox --no-network --sandbox-flag=share-gpu --sandbox-flag=share-display --sandbox-flag=share-sound --sandbox-flag=allow-a11y --sandbox-flag=allow-dbus

So network access is blocked. We have an new experimental GPU process that should allow blocking GPU as well in the (distant) future. D-Bus access is restricted to whatever flatpak allows (portals, plus services namespaced by the app ID). The other permissions are probably not removable.

Regardless of whether WebKit is using its bubblewrap sandbox or flatpak-spawn, limited host access is provided via xdg-desktop-portal and xdg-desktop-portal-gtk, so distros should be sure to add an appropriate runtime Requires: xdg-desktop-portal-gtk (which I had forgotten to do in Fedora until... yesterday).

Thank Patrick (TingPing) for putting this all together. I think Alex helped too with some changes in flatpak-sandbox? I'm very impressed at how well it worked out. :)


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]