SEC: Flatpak Chrome, Chromium, and Firefox run without SELinux confinement?

Chrome and Chromium should not run as unconfined processes, even in a flatpak?

The internet suggests that SELinux is applied within the flatpak. I’m not sure how to check that those labels are applied to processes within the flatpak?

  • I’m afraid this does apply to the Chrome and Chromium (and Firefox) flatpaks, which also have their own applications sandbox: Flatpak - a security nightmare

    Most of the apps have full access to the host system but users are misled to believe the apps are sandboxed

Steps to verify that the Chrome and Chromium and Firefox flatpaks are running unconfined

flatpak install com.google.Chrome
flatpak run com.google.Chrome &
ps xaZ | grep chrome | grep -v unconfined

flatpak install org.chromium.Chromium
flatpak run org.chromium.Chromium &
ps aufxZ | grep Chromium | grep -v unconfined

flatpak install org.mozilla.firefox
flatpak run org.mozilla.firefox &
ps aufxZ | grep firefox | grep -v unconfined

Relevant selinux-policy for chrome|chromium|google-chrome|google-chrome-unstable but not /usr/bin/bwrap > /app/chromium/chrome FWICS:

Is this an issue for:

  • fedora-selinux/fedora-policy
  • the Chrome, Chromium, and Firefox flathub flatpaks
  • fedora flatpaks
  • the security mailing list?

Similar issues:

It says the security mailing list is archived? A security.txt could link to the current list.

I believe this is an issue with all rpm-ostree distros that e.g. install Firefox as a flatpak by default or discourage installing layered packages instead of flatpaks?

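The verification steps in the post above grep for the word "unconfined"; as an added example that is not from this thread, here is a small POSIX shell helper that parses `ps -eo label,pid,comm` output and reports the SELinux domain of every process matching a name, run here against constructed sample output. The names `report_confinement`, `count_unconfined` and `SAMPLE_PS` are my own, and the sample labels are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example: classify processes by SELinux domain from `ps -eo label,pid,comm` output.
# Columns: $1 = label (user:role:type:level), $2 = pid, $3 = comm (truncated to 15 chars).

# report_confinement NAME  (reads ps output on stdin)
# Prints "<pid> <domain> <verdict>" for each process whose comm contains NAME.
# Any type starting with "unconfined" (unconfined_t, unconfined_service_t) is flagged.
report_confinement() {
  awk -v name="$1" '
    $2 == "PID" { next }                      # skip the ps header line
    index($3, name) == 0 { next }             # not a process we asked about
    {
      split($1, ctx, ":")                     # user:role:type:level
      domain = ctx[3]
      verdict = (domain ~ /^unconfined/) ? "UNCONFINED" : "confined"
      printf "%s %s %s\n", $2, domain, verdict
    }'
}

# count_unconfined NAME  (reads ps output on stdin)
# Prints how many matching processes run in an unconfined domain.
count_unconfined() {
  report_confinement "$1" | awk '$3 == "UNCONFINED" { n++ } END { print n + 0 }'
}

# Constructed sample in the shape of `ps -eo label,pid,comm`: a flatpak browser
# under bwrap that inherited the user's unconfined domain, its suid sandbox helper
# in a dedicated domain, and a separately labelled firefox process.
SAMPLE_PS='LABEL PID COMMAND
system_u:system_r:init_t:s0 1 systemd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4242 bwrap
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4250 chrome
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 4261 chrome
unconfined_u:unconfined_r:chrome_sandbox_t:s0-s0:c0.c1023 4263 chrome-sandbox
system_u:system_r:mozilla_t:s0 5100 firefox'

# Demo on the sample data. On a live Fedora system with SELinux-aware procps use:
#   ps -eo label,pid,comm | report_confinement chrome
printf '%s\n' "$SAMPLE_PS" | report_confinement chrome
printf '%s\n' "$SAMPLE_PS" | count_unconfined chrome
```

A non-zero count for a flatpak browser confirms what the thread describes: the bwrap sandbox does not change the SELinux domain, so the browser processes keep the launching user's unconfined context.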

The workaround is to install the RPM versions of Chrome, Chromium, or Firefox so that the SELinux policies apply, FWIU?

But it takes longer to upgrade a (userspace) package with rpm-ostree than with dnf upgrade or flatpak upgrade, which don’t require a reboot.

rpm-ostree upgrade

dnf upgrade firefox chromium google-chrome

flatpak upgrade org.mozilla.firefox com.google.Chrome org.chromium.Chromium

Note that just yesterday I confirmed that Firefox and Chromium both work excellently in bubblejail!

https://copr.fedorainfracloud.org/coprs/secureblue/bubblejail

Create a new profile based on Firefox wayland. Maybe add pulseaudio permission (Firefox still has no native Pipewire output?), and a desktop entry is created.

Workarounds:

  • rpm-ostree install RPM packaged browsers instead of flatpak-packaged browsers
    • Install the firefox RPM from the fedora repos
    • Install chromium RPM from the fedora repos
    • Install the google-chrome RPM from the google-chrome RPM
  • Create a toolbox or distrobox container and dnf install the RPMs
    • Is this more or less isolated than a browser flatpak?
    • The container must have e.g. openh264 and ffmpeg and VDPAU / nvdec installed, too or instead of on the host
  • Install the browser within bubblewrap (bwrap)
    • Why isn’t this the default; with Fedora Workstation or Silverblue or ublue?
    • Why isn’t bubblejail in the main package repos?
      What packages do I need to include in a yum.repos.d allow_packages for the secureblue bubblejail COPR?
    • Bubblewrap configurations are probably similar to apparmor and selinux (audit2allow) policies?

Bubblejail is not packaged because the dev hasn't added it to Fedora yet.

The bubblejail COPR contains the package bubblejail; the website shows this.