Bugzilla – Bug 1216902
AUDIT-1: xdg-desktop-portal: D-Bus interface supporting communication towards FlatPak containers
Last modified: 2024-04-19 07:19:07 UTC
Our autostart monitoring has come up with xfce4-session, which is autostarting the xdg-desktop-portal D-Bus session service. Turns out this is a FlatPak component:

> A portal frontend service for Flatpak and other desktop containment frameworks.
>
> xdg-desktop-portal works by exposing a series of D-Bus interfaces known as portals under a well-known name (org.freedesktop.portal.Desktop) and object path (/org/freedesktop/portal/desktop).
>
> The portal interfaces include APIs for file access, opening URIs, printing and others.

https://github.com/flatpak/xdg-desktop-portal

It sounds like this interface is a candidate for violating container isolation. The code base is rather big, > 20.000 lines of C code. It is a candidate for a low priority audit.
I took a closer look at this set of D-Bus services. These services are running by default on Tumbleweed. They offer a vast interface which is documented here: https://flatpak.github.io/xdg-desktop-portal/docs

Part of this interface is a kind of rights management system similar to what we know from smartphones, like "allow application to take screenshots?". Not all interfaces are protected this way. For example, the OpenURI interface allows opening arbitrary URLs in the browser without user interaction.

Reviewing this in-depth doesn't seem to make sense, since the security depends a lot upon the actual Flatpak application used and also how the user interacts with it. Overall I'd say this underlines that Flatpak cannot really be seen as an isolation layer. It is only a convenient package manager without root access requirements.
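The two comments above describe a well-known bus name and object path and a broad set of portal interfaces, some of which (OpenURI is the one named) involve no user prompt. The first thing an auditor wants is an inventory of exactly which portal interfaces and methods the session bus exposes to sandboxed applications. The following Python script is an added example and is not part of the bug report or of the xdg-desktop-portal project: it parses standard D-Bus introspection XML, keeps only the org.freedesktop.portal.* interfaces, and marks the interfaces the audit comment identifies as not prompting the user. SAMPLE_XML is a constructed, abbreviated stand-in for live introspection output (interface and method names follow the portal documentation, the argument lists are simplified); introspect_live() is an assumed convenience wrapper around gdbus for use on a real desktop session.

```python
# Added example (not from the bug report): inventory the D-Bus surface that
# xdg-desktop-portal exposes on the session bus, so an auditor can see which
# portal interfaces and methods a sandboxed application can reach.
import subprocess
import xml.etree.ElementTree as ET

PORTAL_BUS_NAME = "org.freedesktop.portal.Desktop"        # from the bug report
PORTAL_OBJECT_PATH = "/org/freedesktop/portal/desktop"   # from the bug report
PORTAL_PREFIX = "org.freedesktop.portal."

# Interfaces the audit comment says do not prompt the user (only OpenURI is named).
NO_PROMPT_PER_AUDIT = {"org.freedesktop.portal.OpenURI"}

# Constructed, abbreviated sample of introspection output; a real session bus
# returns many more interfaces and fuller argument lists.
SAMPLE_XML = """<node>
  <interface name="org.freedesktop.DBus.Properties">
    <method name="Get">
      <arg type="s" name="interface_name" direction="in"/>
      <arg type="s" name="property_name" direction="in"/>
      <arg type="v" name="value" direction="out"/>
    </method>
  </interface>
  <interface name="org.freedesktop.portal.OpenURI">
    <property type="u" name="version" access="read"/>
    <method name="OpenURI">
      <arg type="s" name="parent_window" direction="in"/>
      <arg type="s" name="uri" direction="in"/>
      <arg type="a{sv}" name="options" direction="in"/>
      <arg type="o" name="handle" direction="out"/>
    </method>
  </interface>
  <interface name="org.freedesktop.portal.Screenshot">
    <property type="u" name="version" access="read"/>
    <method name="Screenshot">
      <arg type="s" name="parent_window" direction="in"/>
      <arg type="a{sv}" name="options" direction="in"/>
      <arg type="o" name="handle" direction="out"/>
    </method>
  </interface>
</node>
"""


def parse_portal_interfaces(xml_text):
    """Return {interface_name: [method_signature, ...]} for portal interfaces.

    Standard org.freedesktop.DBus.* interfaces are skipped so the report only
    shows the portal surface itself. Each method is rendered as
    name(in-arg types) -> out-arg types.
    """
    root = ET.fromstring(xml_text)
    result = {}
    for iface in root.findall("interface"):
        name = iface.get("name", "")
        if not name.startswith(PORTAL_PREFIX):
            continue
        methods = []
        for method in iface.findall("method"):
            args = method.findall("arg")
            ins = [a.get("type") for a in args if a.get("direction", "in") == "in"]
            outs = [a.get("type") for a in args if a.get("direction") == "out"]
            methods.append(f"{method.get('name')}({','.join(ins)}) -> {','.join(outs) or 'none'}")
        result[name] = methods
    return result


def report(interfaces):
    """Render the inventory, marking interfaces the audit notes as unprompted."""
    lines = []
    for name in sorted(interfaces):
        flag = "  [no user prompt per audit note]" if name in NO_PROMPT_PER_AUDIT else ""
        lines.append(name + flag)
        for sig in interfaces[name]:
            lines.append("    " + sig)
    return "\n".join(lines)


def introspect_live():
    """Assumed helper: fetch real introspection XML from the session bus via gdbus."""
    out = subprocess.run(
        ["gdbus", "introspect", "--session", "--xml",
         "--dest", PORTAL_BUS_NAME, "--object-path", PORTAL_OBJECT_PATH],
        check=True, capture_output=True, text=True,
    )
    return out.stdout


if __name__ == "__main__":
    # Runs offline on the constructed sample; on a real desktop session replace
    # SAMPLE_XML with introspect_live() to inventory the actual portal surface.
    print(report(parse_portal_interfaces(SAMPLE_XML)))
```

On a live system the same parser consumes the output of introspect_live(); comparing that inventory between releases is a cheap way to notice when a new portal interface appears that may deserve the kind of per-application consent check the comment describes.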