Bugzilla – Full Text Bug Listing
| Summary: | AUDIT-1: xdg-desktop-portal: D-Bus interface supporting communication towards FlatPak containers | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Matthias Gerstner <matthias.gerstner> |
| Component: | Audits | Assignee: | Matthias Gerstner <matthias.gerstner> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Minor | | |
| Priority: | P5 - None | | |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| Whiteboard: | | | |
| Found By: | --- | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Matthias Gerstner
2023-11-06 10:10:22 UTC
I took a closer look at this set of D-Bus services. These services are running by default on Tumbleweed. They offer a vast interface which is documented here: https://flatpak.github.io/xdg-desktop-portal/docs

Part of this interface is a kind of rights management system similar to what we know from smartphones, like "allow application to take screenshots?". Not all interfaces are protected this way. For example, the OpenURI interface allows opening arbitrary URLs in the browser without user interaction.

Reviewing this in depth doesn't seem to make sense, since the security depends a lot upon the actual Flatpak application used and also on how the user interacts with it. Overall I'd say this underlines that Flatpak cannot really be seen as an isolation layer. It is only a convenient package manager without root access requirements.