Permissions issues with Flatpak package

WhyNotHugo
Community Member

Hi! I've come across two issues in the official Flatpak package related to permissions:

  1. The current package has filesystems=host. This is extremely insecure, as it gives the application unrestricted access to the entire filesystem, and negates most of the security benefits of the sandbox which Flatpak uses. This includes escaping out of the sandbox and completely hijacking the user session, and complete access to any sensitive material on the user's profile. I've added a local override to not have this permission, and it works fine, so I hope you'll be able to patch this upstream.

  2. The current package lacks devices=all. Without this permission, 1Password cannot access a 2FA security key, so finishing logging in is impossible when using 2FA. I've added this permission as a local override and 2FA worked fine. This particular permission is a bit too wide-encompassing (since it includes cameras and other devices), but there's no other permission that's more granular that covers this scenario. There's ongoing discussion for such a thing (I know Firefox in particular would like to adopt such a thing), but it's just not there yet.

Oh, while reporting this, I also noticed the Flatpak does not have a version defined:

~
➜ flatpak list --app
Name                           Application ID                   Version                   Branch      Origin                  Installation
Discord                        com.discordapp.Discord           0.0.16                    stable      flathub                 system
Flatseal                       com.github.tchx84.Flatseal       1.7.4                     stable      flathub                 system
OnePassword                    com.onepassword.OnePassword                                stable      onepassword-origin      system
Skype                          com.skype.Client                 8.77.0.97                 stable      flathub                 system

1Password Version: stable (version missing)
Extension Version: n/a
OS Version: Flatpak 1.12.2
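
An added example (not part of the original post, and not 1Password's packaging code): a small audit of a Flatpak permissions keyfile for the two settings raised above, which also prints the matching per-user `flatpak override` commands. The sample metadata is constructed for illustration; real input would come from `flatpak info --show-permissions <app-id>`.

```python
import configparser

# Constructed sample in the keyfile format printed by
# `flatpak info --show-permissions <app-id>`; not the real package's metadata.
SAMPLE = """\
[Context]
shared=network;ipc;
sockets=x11;pulseaudio;
filesystems=host;xdg-download:ro;
"""

BROAD_FILESYSTEMS = {"host", "home"}  # grants that expose the user's profile


def parse_context(text):
    """Return {key: [entries]} for the [Context] section of a permissions keyfile."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    parser.read_string(text)
    if not parser.has_section("Context"):
        return {}
    return {key: [e.strip() for e in value.split(";") if e.strip()]
            for key, value in parser.items("Context")}


def audit(text):
    """Report on the two permissions raised in the post."""
    ctx = parse_context(text)
    broad = []
    for entry in ctx.get("filesystems", []):
        name = entry.partition(":")[0]  # drop a :ro / :rw / :create suffix
        if not entry.startswith("!") and name in BROAD_FILESYSTEMS:
            broad.append(name)  # "!" entries are revoked grants, so skipped
    return {"broad_filesystems": broad,
            "all_devices": "all" in ctx.get("devices", [])}


def override_commands(text, app_id):
    """Per-user overrides: drop broad filesystem grants, add devices=all if absent."""
    report = audit(text)
    cmds = [f"flatpak override --user --nofilesystem={name} {app_id}"
            for name in report["broad_filesystems"]]
    if not report["all_devices"]:
        # Wider than needed (includes cameras); the post notes nothing narrower exists.
        cmds.append(f"flatpak override --user --device=all {app_id}")
    return cmds


if __name__ == "__main__":
    print(audit(SAMPLE))
    print("\n".join(override_commands(SAMPLE, "com.onepassword.OnePassword")))
```

A read-only grant such as `host:ro` is still reported, since it exposes the same files for reading.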

Comments

  • WhyNotHugo
    Community Member

    For the second item, you might want to follow this Flatpak issue: https://github.com/flatpak/flatpak/issues/2764

  • Hello, @WhyNotHugo !

    I've filed all three of these. Since all of them seem relatively easy, I'll see if I can get someone on them as soon as possible. Not likely for the release this week, but maybe next week.

  • WhyNotHugo
    Community Member

    Thanks for the follow up!

  • On behalf of Savanni, you're very welcome @WhyNotHugo!

  • sh1bumi
    Community Member

    Sad to see that the permission model did not change at all after more than 4 months :(

  • Hey, @sh1bumi. I'm sorry you're still having trouble. Could you elaborate on what you're seeing? The first two issues were resolved a few months ago on our side, leaving only the version number issue that we had some complications with. If you're not seeing that to be the case, though, I'd love to get one of our Linux folks to take another look here.

    ref: dev/core/core#10720
    ref: dev/core/core#10721
    ref: dev/core/core#10722

This discussion has been closed.