The question seems stupid, but this publication affirms that Flatpak could potentially break the already strong sandbox properties of some common browsers, giving the opposite of a safer environment.
From what I understand it’s better to proceed with manual sandboxing, maybe via Bubblejail. What kind of limitations are safe to add without compromising the browser?
I’m not sure if bubblejail, which uses the same sandboxing technology as flatpak, allows the use of user namespaces.
When it comes to sandboxing, safety is not a linear scale. Flatpak’s sandbox is meant to protect your system from the app. So by sandboxing the browser (with proper permissions), it may prevent an exploited browser from accessing stuff like your pictures, downloads, videos, documents, etc.
However, currently, the flatpak sandbox weakens the browser’s internal sandboxing. The browser’s internal sandbox is meant to protect the browser. Different parts of the browser are run as different processes with minimal permissions. If one part of the browser is exploited, ideally it should remain isolated and not be able to access the data of other processes or data.
One unique risk of browsers is that they hold so much sensitive data, so some believe it’s better to have the browser’s internal sandboxing work at full capacity. It holds cookies, which if exfiltrated, could allow others to access your signed-in sites. Or if you have a password manager extension, that data could be stolen.
The answer is flatpak does not give ANY advantage to the user besides the option of having updates directly instead of relying on the distribution package maintainers.
Anything else is a disadvantage.
Why flatpaks then?
Because they don’t need distribution package maintainers.
But they still require the flatpak maintainer to attempt to keep the flatpak up to date with the OS (especially newer kernels) and that often falls far short.
Nope. The flatpak “maintainer” is the flatpak publisher and nobody knows her/him, but that means nobody is responsible for her/his work and its consequences. Let’s say you install a flatpak, the software erases all your user data (not the system, since it is “immutable”), you can still boot the thing so everything is fine, you have lost all your stuff but, like my bank says, it is your own fault because you installed the wrong app.
No, I did not have a problem with the bank, I just asked them what happens if I use the smartphone for banking and it gets hacked. They said it is not their business, if I lose something I am on my own. So I asked why they push me to use the smartphone and the simple answer is it makes some things easier for them, while they don’t get any responsibility.
Browsers such as Firefox, Brave, Vivaldi, Librewolf are all maintained by their upstreams. Not “nobodies”.
If the flatpak apps have reasonable sandboxing, such as Firefox and Brave, which only have access to your downloads folder, then they can’t wipe all your user data, just your downloads folder.
It would be nice if they decided to default the file save location to a subdirectory of the downloads folder. In that case, they would have no access to data on your system and can only wipe its own data.
I think @computersavvy was referring to the Flatpak “Application deployment framework” (e.g., flatpak.x86_64). It isn’t clear if you are referring to the Flatpak packager (who works from what upstream provides) or publishers of Flatpak apps. Flatpak does have limitations, so it is not well suited to some use-cases, e.g., browsers with built-in sandboxes. The easy cases of distro differences should be handled by upstream Flatpak system devs. The cases (e.g., application sandboxing) that don’t have straightforward solutions are problematic. They could be better documented, but it is debatable whether users would read the documents if they could find them behind the surge of AI nonsense.
Question: is Firefox (or any other software) any better when installed as flatpak?
Answer: no, at best it makes no difference besides the bloat. Often there are some unnecessary glitches.
Additional question: so who benefits from flatpak?
Answer: better to not think of it.
Besides, the idea of installing software from third parties is ANCIENT and it has always been problematic at best. Let’s do it again and again. There is no way to sell this idea like it is new and like it is wise. Except to people with a five-minute memory.
If the browser could only access your download folder, I could not work. It must access the internet, then the network, the printer, the graphics stack and a lot of other things. Maybe you mean to write. Yes, because hostile software usually respects boundaries.
Firefox has weak sandboxing from what I read compared to Chromium ones. Based on this, it would be interesting to know in which areas it’s weaker and how it could be fixed, and whether Chromium browsers can need this too?
I would like to hear technical opinions or possible studies to have some proof, maybe to be collected and help users make the right decision.
Firefox has all those permissions, I was just referring to filesystem permissions because you were talking about filesystem harm.
And the neat thing about flatpak is that I don’t need Firefox to have all those permissions. I remove Firefox’s access to CUPS since I don’t print things, at least not often. That lowers the surface area of attack.
No need to be sarcastic. Of course flatpak is not going to protect you against high level threats. But it raises the amount of effort needed to cause you harm. Rather than just a browser exploit, it will also need a sandbox escape to cause further harm to your system.
Nope.
Among all the issues flatpak has (bloat, no real sandboxing, system access) the catastrophic one is not strictly related to flatpak itself, it is the idea of the “store”.
The idea that you don’t get software from the repositories inside the distribution but from a “third party” which, BTW, is the same for everybody and so it can kill everybody. The worst possible way to distribute software has the least safety. Which would be ironic if it wasn’t sold like “the future of Linux”.
Since I am not writing anything new or complicated, it is quite strange I have to write it, it shouldn’t be necessary.
A browser inside a Flatpak makes it easier to exploit your system, not harder. Flatpak weakens the security of browsers. Its seccomp filter hinders the spinning up of the browser’s namespace and chroot sandboxing layer. This layer is also important for site isolation and for the browser’s sandboxing structure. Flatpak’s sandbox does not make up for that.
It’s not about the technology, it’s about whether the necessary syscalls needed for creating all sandboxing layers are allowed.
Note: I am not opposed to using Flatpaks, just don’t use it for browsers.
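A check for the limitation described in the post above, as an added example that is not code from this thread, from Flatpak or from any browser project: it attempts unshare(CLONE_NEWUSER) in a forked child and reports the errno, so the same binary can be run on the host and then inside a sandbox with flatpak run --command=/path/to/probe <app-id> (assuming the binary is reachable from the sandbox, e.g. via a --filesystem override) to compare the results.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Probe whether an unprivileged user namespace can be created here.
 * The attempt is made in a forked child so the probe never changes the
 * namespace of the calling process.  Returns 0 on success, otherwise the
 * errno the kernel (or a seccomp filter) answered with; returns ESRCH if
 * the child was killed outright, e.g. by a SECCOMP_RET_KILL action. */
int probe_userns(void) {
    pid_t pid = fork();
    if (pid < 0)
        return errno;
    if (pid == 0) {
        if (unshare(CLONE_NEWUSER) == 0)
            _exit(0);
        _exit(errno ? (errno & 0xff) : EPERM);  /* errno values fit in a byte */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return errno;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return ESRCH;  /* killed by a signal, e.g. SIGSYS from a kill filter */
}

/* Map the probe result to what it means for a browser's own sandbox layer. */
const char *describe(int rc) {
    switch (rc) {
    case 0:      return "user namespaces available: browser can set up its namespace sandbox layer";
    case EPERM:  return "EPERM: blocked by seccomp or kernel policy; browser must fall back to weaker isolation";
    case ENOSYS: return "ENOSYS: unshare filtered as unavailable; browser will treat namespaces as unsupported";
    case EINVAL: return "EINVAL: kernel built without CONFIG_USER_NS";
    case ESRCH:  return "child killed on the attempt: the filter uses a kill action";
    default:     return "unexpected error; inspect the errno value";
    }
}

int main(void) {
    int rc = probe_userns();
    printf("unshare(CLONE_NEWUSER) -> %d (%s)\n", rc, rc ? strerror(rc) : "ok");
    printf("%s\n", describe(rc));
    return 0;
}
```

A result of 0 on the host paired with EPERM inside the sandbox reproduces the limitation the post describes.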
Browsers do the work to handle their own sandboxing. Flatpak is a generic sandbox requiring others/self to do the hookup to other programs that might happen to be a browser.
I like the idea of trusting the browser’s own implementation; if they were lax on it, that’s the browser’s rep on the line. I trust Firefox and Google Chrome to do it right! None of that is really technical though
flatpak as a technology is meant to allow the federation of remotes. You can even define multiple environments on disk using the command-line tooling and some configs, which is actually a pretty interesting capability once you dig into it with your sysadmin brain on. But only a fraction of its capability is exposed in the desktop software UI. Just like a lot of the dnf capability is not exposed in the desktop software UI.
There are people who want a single store, yes. But flatpak as a technology is built in such a way that it allows multiple remotes and not a single store concept. It would be a kindness if you could separate out the criticism of the technology and how desktop projects have chosen to integrate it. They are distinctly different sets of concerns that overlap.
Yes, just a few people, not a big deal.
See, again, everything is quite obvious and it is connected to the other thread about “the future” being the “immutable/atomic” distribution, “bootable containers” and so on. Flatpak is part of this “vision”.
The point here is “the user”.
If “the user” is a sysadmin who needs to manage a network of servers, workstations, etc, or a developer who works from inside that infrastructure, these tools make sense.
At the same time, none of this makes sense if “the user” is just a guy with his own “personal computer”.
I am not saying flatpak or anything else doesn’t make sense in abstract terms, I am saying it doesn’t make sense for me and for everybody else with a “user case” like mine. Even though it is sold to everybody like “the future”. It is not “future”, it is a quite “narrow user case”, like “the sysadmin brain”.