Browser security in flatpak

etvt · November 8, 2024, 7:32pm

Dear all,

By no means I want to revive a sensitive topic, but I really feel that the question has not been addressed well enough yet.

Even if the outcome for most users might be that “Flatpak is secure enough for me”, I think everybody should have a clear view on these security peculiarities and consider applying the best solution for their usecase based on that.

Disclaimer: I’m not a security expert on sandboxing at all, so please correct me where I’m wrong.

Concern description:
Currently the ublue distros ship by default with the Flatpak version of Firefox. While this might provide a good enough isolation from the host system, unfortunately, as described here, Flatpak completely disables one layer of security in Firefox’s sandboxing solution. If I understand correctly, this makes the isolation between browser tabs much less secure.

Firefox Flatpak simply doesn’t use namespace sandboxes (but runs anyways!) and relies purely on seccomp filters. Dont use this! This is a weaker sandbox!

Using Flatpak Firefox is simply less secure, as one layer of Sandboxing is entirely removed. Especially if you use your browser more as a platform than a program, where the protection between browser and OS may be less important than between processes within the browser.

I also honestly think that nowadays, when many users use their browser as a platform (remote work, remote desktop, document editing, online banking, shopping, music, chat, social media, etc. all in the browser), the removal of this sandboxing layer significantly compromises the security.

Other browsers (e.g. Chromium-based) are less affected by Flatpak, because they use a different sandboxing technology, but the workaround applied for them is less conventional and less tested than their original implementations.

I really hope that Flatpak can provide a proper sandboxing API for such usecases (i.e. browsers) in the future, if I understand it right they already started the discussions on this topic.

Suggestions/questions:

Based on this information, in my opinion, maybe Flatpak Firefox should not be the default browser shipped with the ublue distros, but maybe a properly de-googled Chromium-based Flatpak browser would be a better approach.
Or maybe even an ostree Firefox is better?
Or at least the users should be clearly notified somehow of these security consequences, so that they can make their choices.
(I think installing and using a browser from inside distrobox might be too complicated for non-technical users, so I’m not listing it as a suggestion for the default browser.)

What are your thoughts on this?

Thanks,
etvt

kylegospo · November 8, 2024, 7:58pm

Can you provide a single example of a flatpak browser being exploited where the native RPM version of the same browser was not affected?

Has Mozilla made a single public statement about this given that the flatpak is listed as an option on their website?

j0rge · November 8, 2024, 7:59pm

That is the correct place to have this discussion and it doesn’t have anything to do with us.

SuperFunHappySlide · November 8, 2024, 10:06pm

I think this is in interesting discussion. Thanks for the links you provided.

Just to be clear, security isn’t a binary thing, hell it’s not even a sliding scale, it’s completely multi dimensional dependent on your particular threat model. For sake of argument, sandboxing may be weaker, but if a Flatpak means you get faster updates, it becomes a pro and cons consideration.

UBlue is not alone in making the decision to ship Firefox as a Flatpak, MicroOS is also doing the same. If you are worried about it being a bad call for your threat model it’s actually pretty easy to layer Firefox back into Bazzite and use the Fedora packaging, free of the Flatpak sandbox issues.

I’d love to see an actual open security vulnerability around exploiting the weaker sandbox. I don’t know if it’s just theory at this point or if security researchers have a working proof of concept.

AmyIsCoolz · November 8, 2024, 11:10pm

From what I’ve heard Firefox in general has a worse security than Chromium (saying this, I still use Firefox).

No, Chromium flatpak sandbox with zypak is often considered worse. I think that’s why secureblue uses a hardended Chromium RPM instead.

About informing users, I think this is a hard choice, users may panic and freak out or they may have a realistic understanding, that’s pretty tough ig. I’d say put it in the docs for those who wants to learn more, but like not a huge red warning when opening the app.

Overall, I think it is a concern, but I don’t think it is a big one for the average user. I think this is more of an upstream Firefox issue (seeing as Flatpak is official) and I don’t think the Universal Blue team can just make Flatpak Firefox better. I’d say you should just use secureblue anyways if this is a concern for you.

tulilirockz · November 9, 2024, 3:35am

i believe that even tho it doesnt use the namespaces it still uses the flatpak sandbox, if you make it strict enough it should be fine for regular usage. anyways that probably doesnt affect like anyone

etvt · November 18, 2024, 7:22pm

Thanks, but I am not sure this is relevant to my original questions.
Security implementations are not just to counteract actual known exploits, but to prevent potential ones too.

As per public ack: I’m not sure about Firefox, but Brave recommends using their native installations vs their official Flatpak.
Also, when one opens brave://flags or chrome://flags, it highlights the
Layer 1 Sandbox: SUID with yellow in Flatpak, indicating a potentially problematic protection compared to namespaces.

That said, this still might be an acceptable security level for most users. Nevertheless, I was just trying to open up the topic for discussion to understand more experienced user’s take on this.

kylegospo · November 18, 2024, 7:34pm

Considering we don’t install brave or any chromium browser by default that information is irrelevant to this conversation.

etvt · November 18, 2024, 7:53pm

I understand that implementing the proper sandboxing in Flatpak and contained browsers is not the responsibility of a distro in itself.
But I think the choice of which browser in what format to include in a distro to ensure an adequate level of protection might be a relevant responsibility.

All that I was trying to say is: hey, I have found some additional info on this (see links) and based on this I have some questions (see list). It was not a critique or any kind of blaming.

Was just hoping for a bit of an assurance from you guys who have much more expertise on these topics to tell why Firefox Flatpak is good enough compared to Chromium* Flatpak and are we safe to go with Flatpak browsers in general or should the more concerned ones install them in distrobox, etc…

Others too might stumble upon the same concerns. And currently there is nothing that provides a good explanation / recommendation to us, puzzled users.

kylegospo · November 18, 2024, 8:36pm

Please see my first post in this thread. Until Mozilla stops recommending the flatpak or there is a single CVE that affects only the flatpak for sandbox reasons, this conversation is pointless. An endless debate over baseless speculation.

etvt · November 19, 2024, 8:44am

Thanks, got it!

Closed from my perspective.

Topic		Replies	Views
Flatpak browsers not secure? Bazzite	9	574	October 5, 2024
Is Firefox a Flatpak on Bazzite? Bazzite	5	348	October 12, 2024
Flatpak firefox and system certificates Bazzite	0	107	July 13, 2024
Flatpak Web Browser Native Messaging General	3	111	October 3, 2024
Shoud I install Firefox via rpm-ostree install? Bluefin	5	238	October 22, 2024

Browser security in flatpak

Related topics