Security and sandboxing on Fedora - Recommended way to install open source software

Hi there,

I am just wondering if I could get any insights into the recommended way to install software which is not found in the fedora repos.

Is there any clear way to harden the security and disable permissions on applications in Fedora?

I am wondering because with an app I am wanting to install, scrcpy, there is no clear way to sandbox the copr repo version.

It is a screen sharing app which could potentially pose a security threat.

I have been told to be wary of apps in the copr repo, and I have the alternative to install via flatpak (which I can sandbox and harden with Flatseal, i.e. disable permissions), though it requires a lot of dependencies.

What would be ideal from a security standpoint, the copr version or the flatpak version?

[isaiah@fedora ~]$ sudo dnf copr enable zeno/scrcpy 
[sudo] password for isaiah: 
Enabling a Copr repository. Please note that this repository is not part
of the main distribution, and quality may vary.

The Fedora Project does not exercise any power over the contents of
this repository beyond the rules outlined in the Copr FAQ at
<https://docs.pagure.org/copr.copr/user_documentation.html#what-i-can-build-in-copr>,
and packages are not held to any quality or security level.

Please do not file bug reports about these packages in Fedora
Bugzilla. In case of problems, contact the owner of this repository.

Do you really want to enable copr.fedorainfracloud.org/zeno/scrcpy? [Y/n]: 
[root@fedora isaiah]# flatpak install scrcpy
Looking for matches…
Found ref ‘app/in.srev.guiscrcpy/x86_64/stable’ in remote ‘flathub’ (system).
Use this ref? [Y/n]: y
Required runtime for in.srev.guiscrcpy/x86_64/stable (runtime/org.kde.Platform/x86_64/5.15-21.08) found in remote flathub
Do you want to install it? [Y/n]: y

in.srev.guiscrcpy permissions:
ipc network wayland x11
devices file access [1] dbus access [2]

[1] xdg-config/kdeglobals:ro
[2] com.canonical.AppMenu.Registrar, org.kde.KGlobalSettings,
    org.kde.kconfig.notify


    ID                       Branch      Op  Remote   Download
  1. org.kde.KStyle.Adwaita   5.15-21.08  i   flathub    < 6.6 MB
  2. org.kde.Platform.Locale  5.15-21.08  i   flathub  < 345.9 MB (partial)
  3. org.kde.Platform         5.15-21.08  i   flathub  < 310.9 MB
  4. in.srev.guiscrcpy        stable      i   flathub   < 19.5 MB

Proceed with these changes to the system installation? [Y/n]:

1 Like

You can use firejail for non-flatpak apps; there are some preconfigured profiles, and you can make your own profiles. I use it to sandbox the browser and zoom.

You can read more here.

2 Likes
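As an added example (not code from the thread or from the firejail project), here is how the "make your own profile" suggestion above looks in practice for a non-flatpak app: a script that writes a firejail ".local" override for an app and launches the app through it. The app name "scrcpy", the directory used and the directive set are illustrative assumptions; firejail merges ~/.config/firejail/APP.local into the stock /etc/firejail/APP.profile only when that stock profile exists, so the launcher also accepts an explicit profile file for apps without one.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread or from firejail. Writes a firejail
# ".local" override for a non-flatpak app and starts the app under firejail.
# The directive set and the app name "scrcpy" are illustrative assumptions.
set -eo pipefail

# write_firejail_local CONFDIR APP -> prints the path of the override written.
# When /etc/firejail/APP.profile exists, firejail includes CONFDIR/APP.local
# automatically (CONFDIR is normally ~/.config/firejail), so this file only
# tightens what the stock profile already allows.
write_firejail_local() {
    local confdir="$1" app="$2"
    mkdir -p "$confdir"
    cat >"$confdir/$app.local" <<'EOF'
# Illustrative hardening set (assumption: re-test the app after adding each line)
caps.drop all
nonewprivs
noroot
seccomp
nosound
nodvd
notv
private-tmp
disable-mnt
protocol unix,inet,inet6
EOF
    printf '%s\n' "$confdir/$app.local"
}

# local_has_directive FILE DIRECTIVE -> 0 when the exact directive line is present
local_has_directive() {
    grep -qxF -- "$2" "$1"
}

# run_in_firejail APP [PROFILEFILE] -> start APP under firejail. Without a
# PROFILEFILE firejail picks the stock profile (plus APP.local); pass the
# override file explicitly when no stock profile exists for the app.
run_in_firejail() {
    local app="$1" profile="${2:-}"
    if ! command -v firejail >/dev/null 2>&1; then
        echo "firejail is not installed (sudo dnf install firejail)" >&2
        return 127
    fi
    if [ -n "$profile" ]; then
        firejail --profile="$profile" -- "$app"
    else
        firejail -- "$app"
    fi
}

# Usage:
#   f=$(write_firejail_local "$HOME/.config/firejail" scrcpy)
#   run_in_firejail scrcpy            # stock profile + scrcpy.local
#   run_in_firejail scrcpy "$f"       # no stock profile: use the file directly
```

The set deliberately does not contain `net none`: scrcpy talks to a local adb server, and that server in turn needs the USB device, so cutting the network namespace or hiding devices can break it; add such directives one at a time and confirm the app still works. `firejail --list` shows what is currently running sandboxed.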

A lot of the time, it’s a question of trust. For COPRs, if you trust the person providing the COPR, use it by all means. You should even be able to see how the COPR packages are built—what sources are being used and so on. It should all be open source (one cannot use COPR for non-FOSS bits etc.).

Flatpaks are also trustworthy, for all the reasons you’ve noted, but it’s the same thing—there’s a review process (not as detailed as the Fedora packaging review process), but I don’t think each update goes through a review the way updates in Fedora go through a feedback cycle. Next, the bits to generate the Flatpak may be FOSS, but if the software itself is not FOSS, all bets are off—there’s no way for you to know what a proprietary tool is doing because you can’t read the code. Sandboxing helps here, but then, if you give the Flatpak app permissions to access your home directory, then it can do what it wants there.

So, there’s no “right answer”, and a lot depends on the users’ awareness. By design, I guess Flatpaks are more restricted than system installed packages, but that doesn’t make all system installed packages “unsafe”.

3 Likes

Thanks for the clarification, I was considering using firejail for sandboxing it.

Is there a way we can see what permissions are permitted on system installed apps (without trusting the developer or reviewing the source code)?

I can easily disable network access through portmaster

It depends on the privileges the app is running with, and the SELinux context.

1 Like

You can use the snap version, but notice that snap may be slow.