mirror of
https://github.com/flatpak/flatpak.git
synced 2026-03-28 03:45:10 -04:00
7c40ba3b91b4d2771a9462650593ed4e1d0712da
In older versions of bubblewrap, the --dir argument could only create directories with mode 0755 (world-readable). The default mode is still 0755, but since bubblewrap 0.5.0, we can change this to the mode recommended by the basedirs spec (0700, private to user).

Since version 1.11.1, the --dir used here is normally redundant, because each app-ID gets its own XDG_RUNTIME_DIR imported from the host (it's actually $XDG_RUNTIME_DIR/.flatpak/$FLATPAK_ID/xdg-run on the host) and those are correctly created with mode 0700.

The one case where this change makes a difference is that a sub-sandbox, created by flatpak-spawn --sandbox or equivalent, does not share the common XDG_RUNTIME_DIR and instead receives an XDG_RUNTIME_DIR private to that instance, with its permissions coming from this --dir argument.

This is not a security issue, because processes outside the sandbox can only access this directory via /proc/$pid/root, which is only accessible by processes that would be allowed to trace the sandboxed process (either the same uid or a privileged process), resulting in behaviour similar to the canonical 0700 mode. Inside the sandbox, all processes have the same uid, so 0700, 0755 and even 0777 permissions would be essentially equivalent.

However, some libraries that interact with XDG_RUNTIME_DIR, most notably Qt, verify that its mode is 0700 as a hardening mechanism, and these libraries did not work inside a Flatpak sandbox without being patched to be more permissive.

Resolves: https://github.com/flatpak/flatpak/issues/3397
Signed-off-by: Simon McVittie <smcv@collabora.com>
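The kind of runtime-directory check the commit message above attributes to libraries such as Qt, written as an added example; it is not code from Qt, Flatpak or bubblewrap. The function names, status codes and the scratch path under /tmp are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Result codes (hypothetical names, chosen for this example). */
enum rtdir_status { RTDIR_OK, RTDIR_MISSING, RTDIR_NOT_DIR,
                    RTDIR_WRONG_OWNER, RTDIR_WRONG_MODE };

/* Apply the basedir-spec expectations to `path`: a real directory (not a
 * symlink), owned by the calling uid, with permission bits exactly 0700. */
enum rtdir_status check_runtime_dir(const char *path)
{
    struct stat st;

    if (lstat(path, &st) != 0)          /* lstat: do not follow symlinks */
        return RTDIR_MISSING;
    if (!S_ISDIR(st.st_mode))
        return RTDIR_NOT_DIR;
    if (st.st_uid != getuid())
        return RTDIR_WRONG_OWNER;
    if ((st.st_mode & 0777) != 0700)    /* 0755 and 0777 are both rejected */
        return RTDIR_WRONG_MODE;
    return RTDIR_OK;
}

/* Create a constructed scratch directory under /tmp, force its mode to
 * `mode`, run the check against it, and clean up. */
enum rtdir_status check_with_mode(mode_t mode)
{
    char path[] = "/tmp/rtdir-demo-XXXXXX";
    enum rtdir_status res;

    if (mkdtemp(path) == NULL || chmod(path, mode) != 0)
        return RTDIR_MISSING;
    res = check_runtime_dir(path);
    rmdir(path);
    return res;
}

int main(void)
{
    const mode_t modes[] = { 0755, 0700 };  /* old --dir default vs. spec */
    for (size_t i = 0; i < sizeof modes / sizeof modes[0]; i++)
        printf("mode %04o -> status %d\n", (unsigned)modes[i],
               (int)check_with_mode(modes[i]));
    return 0;
}
```

A directory created with the old 0755 default fails this check even though, as the commit message explains, the wider mode grants no extra access inside the sandbox.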
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux.
See https://flatpak.org/ for more information.
Community discussion happens in #flatpak:matrix.org, on the mailing list, and on the Flathub Discourse.
Read documentation for Flatpak here.
Contributing
Flatpak welcomes contributions from anyone! Here are some ways you can help:
- Fix one of the issues and submit a PR
- Update flatpak's translations and submit a PR
- Improve flatpak's documentation, hosted at http://docs.flatpak.org and developed over in flatpak-docs
- Find a bug and submit a detailed report including your OS, flatpak version, and the steps to reproduce
- Add your favorite application to Flathub by writing a flatpak-builder manifest and submitting it
- Improve the Flatpak support in your favorite Linux distribution
Hacking
See CONTRIBUTING.md
Related Projects
Here are some notable projects in the Flatpak ecosystem:
- Flatseal: An app for managing permissions of Flatpak apps without using the CLI
- Flat-manager: A tool for managing Flatpak repositories
Languages
- C: 91.1%
- Shell: 5.1%
- Python: 1.8%
- Meson: 1.1%
- Yacc: 0.8%
