Chrome and Chromium should not run as unconfined processes, even in a flatpak?
The internet suggests that SELinux is applied within the flatpak. I’m not sure how to check that those labels are applied to processes within the flatpak?
/? selinux flatpak: Google Search ::
- I’m afraid this does apply to the Chrome and Chromium (and Firefox) flatpaks, which also have their own applications sandbox: Flatpak - a security nightmare ::
Most of the apps have full access to the host system but users are misled to believe the apps are sandboxed
Steps to verify that the Chrome and Chromium and Firefox flatpaks are running unconfined
flatpak install com.google.Chrome
flatpak run com.google.Chrome &
ps xaZ | grep chrome | grep -v unconfined
flatpak install org.chromium.Chromium
flatpak run org.chromium.Chromium &
ps aufxZ | grep Chromium | grep -v unconfined
flatpak install org.mozilla.firefox
flatpak run org.mozilla.firefox &
ps aufxZ | grep firefox | grep -v unconfined
Relevant selinux-policy for chrome|chromium|google-chrome|google-chrome-unstable
but not /usr/bin/bwrap
> /app/chromium/chrome
FWICS:
- selinux-policy/policy/modules/contrib/chrome.fc at rawhide · fedora-selinux/selinux-policy · GitHub
- selinux-policy/policy/modules/contrib/chrome.if at rawhide · fedora-selinux/selinux-policy · GitHub
- selinux-policy/policy/modules/contrib/chrome.te at rawhide · fedora-selinux/selinux-policy · GitHub
- selinux-policy/policy/modules/contrib/mozilla.fc at rawhide · fedora-selinux/selinux-policy · GitHub
- selinux-policy/policy/modules/contrib/mozilla.if at rawhide · fedora-selinux/selinux-policy · GitHub
- selinux-policy/policy/modules/contrib/mozilla.te at rawhide · fedora-selinux/selinux-policy · GitHub
Is this an issue for:
- fedora-selinux/fedora-policy
- the Chrome, Chromium, and Firefox flathub flatpaks
- fedora flatpaks
- the security mailing list?
Similar issues:
It says the security mailing list is archived? A security.txt
could link to the current list.
I believe this is an issue with all rpm-ostree distros that e.g. install Firefox as a flatpak by default or discourage installing layered packages instead of flatpaks?