Flatpak chromium is able to browse my entire file system in silverblue 36? How is this sandboxed?

I installed chromium via flatpak, and also restricted it more using flatseal, currently every access in the filesystem section for it is disabled, and the “Other files” access of it is only one file called “/run/.heim_org…”

But for example when i go to a website like VirusTotal, and try to upload something, i can easily browse my entire file system, and even go to /lib/modules/… and list all my kernel module files? How is this happening? Shouldn’t the chromium process be sandboxed and not have access to my root files?

Try to write file:/// in the address bar, and you will see that the application is actually sandboxed: you will notice that Chromium will be able to access only the filesystem of the sandbox itself, and not the outside world.
Probably (but I’m not a flatpak expert), the window that appears when uploading a file, is a call to a portal.

1 Like

Yeah you are correct, it seems like the filesystem browser gui that appears is actually another process, and the chromium process most likely cannot interfere with it, thus chromium cannot access my files.

1 Like

update I am grossly mistaken. The file manager shows more. It is possible to create files everywhere, but that is only with user interaction. Indeed, browsing with file:/// severely restricts access. Please pardon my ignorance :sweat_smile: