libseccomp is a long-established security “firewall for syscalls”: it allows restricting what actions programs can perform on the system.
I don't know exactly what these are, often low-level stuff I guess, but one of these actions is “create an unprivileged user namespace”.
Flatpak uses a single, “badness enumerating” seccomp filter, which means it blocks the syscalls “A”, “B” and “C” for all programs. All others are allowed, and (see the issue) programs cannot define a more restrictive one.
user namespaces
A namespace is a virtual filesystem on top of the “real” one, onto which certain real system files are mounted. This means unprivileged programs can suddenly do “OS stuff”, which is needed to create this filesystem.
contra user namespaces
Many distros like Debian (and Arch) didn't enable this feature for a long time, because user namespaces mean that unprivileged userspace programs, like your browser, can suddenly access low-level system components like the filesystem.
If there is a bug in such a component, user namespaces allow the program to directly reach a far more privileged area, escape there and thus achieve privilege escalation.
This would not be possible without user namespaces.
Flatpak has a seccomp filter that blocks the creation of user namespaces, to avoid this low-level system access. That is a very good thing, but the missing modularity doesn't allow anything else!
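To make the “firewall for syscalls” and the “badness enumerating” filter described above concrete, here is an added example (not code from the post or from Flatpak) of a minimal seccomp-bpf filter that allows every syscall except the one action the post singles out, creating a user namespace. It assumes a little-endian x86_64 or aarch64 Linux host; the user-namespace syscall is refused with EPERM, and clone3() (whose flags live in a struct the filter cannot inspect) gets ENOSYS so libc falls back to clone(), which the filter can check.

```c
// Added example: a "badness enumerating" seccomp-bpf filter that allows
// everything except creating a user namespace. Not the post's or Flatpak's code.
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stddef.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#else
#define ARCH_NR AUDIT_ARCH_AARCH64 /* assumption: the only other target is aarch64 */
#endif

/* Installs the filter on the calling process; 0 on success, -1 on error. */
int install_no_userns_filter(void) {
    struct sock_filter filter[] = {
        /* Kill the process if the syscall comes from another ABI (numbers differ). */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef __NR_clone3
        /* clone3() hides its flags in a struct: answer ENOSYS so libc uses clone(). */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone3, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ENOSYS),
#endif
        /* Only unshare() and clone() get their flags checked; anything else passes. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_unshare, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_clone, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        /* Low 32 bits of args[0] carry the flags on little-endian x86_64/aarch64. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[0])),
        BPF_JUMP(BPF_JMP | BPF_JSET | BPF_K, CLONE_NEWUSER, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    /* no_new_privs must be set before an unprivileged process may load a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Returns 0 if a user namespace could be created, otherwise the errno. */
int try_new_userns(void) {
    return unshare(CLONE_NEWUSER) == 0 ? 0 : errno;
}
```

Once loaded, the filter is inherited by every child of the process and cannot be removed, which is exactly why an app inside Flatpak cannot replace the single platform-wide filter with its own.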
pro user namespaces
Over time even slow-paced distros like Debian enabled user namespaces.
Today they are the core feature of bubblewrap, podman, docker (and thus distrobox and toolbox)…
The concept is that a rootless binary, running in userspace, can access system components which would normally require root.
Firejail is the opposite example: it is a root (setuid) binary and sandboxes apps even when user namespaces are disabled. Chromium has a fallback suid sandbox which is also root, same with bubblewrap after the modification by 34N0 implemented in the “no userns” images of secureblue.
The problem is, a root binary has root access. If there is a flaw in it, which was the case with firejail, the “nice and secure isolated app” could now use the root binary to escalate its privileges to root level, more than it could have done without it.
Browsers and Sandboxes
A browser is basically a platform to run “apps” on. Nearly all websites nowadays require executable code, which means browsers are the attack surface for malware. Scrap your verified Flathub or well-maintained distro repository: a single website could use a weakness and break your system.
This was a thing back in the time… crazy huh?
Chromium (Chrome, Edge, Brave, Vivaldi, Opera, …) has the said rootful sandbox as a fallback, which I guess was implemented back when user namespace sandboxes were not widely adopted.
But it normally uses a user namespace sandbox for process isolation; every tab runs in a different process, on Android too.
Firefox also uses user namespace sandboxes for tabs, but additionally uses seccomp-bpf to restrict the syscalls that the isolated tabs/processes can execute.
Flatpak and Chromium
Chromium relies exclusively on the ability to create sandboxes, either with a root binary (the strange, not really used fallback method) or with user namespaces.
So much so that it straight up doesn't run if it cannot do that. The same goes for Electron apps, which are a browser platform running a single or very few processes.
This is why zypak was created. It redirects Chromium's calls to flatpak, so it uses the builtin Flatpak sandbox instead.
As I said, all Flatpak apps (and thus all their processes) use the same seccomp filter, so I assume zypak is less secure than the native sandbox, which is battle-tested by Google, Microsoft and other companies.
But it does use a sandbox; it is rootless and uses user namespaces. It just needs a little testing, a security audit, a bit of pentesting.
At the current stage I would honestly not trust it, so Flatpak Chromium browsers are not recommended for “production”.
Right now we just fork(), so replacing that with flatpak-spawn would cause a massive increase in memory usage? You would no longer have CoW sharing of memory.
So Firefox would need big architectural changes to support a sandbox like Flatpak's. It uses copy-on-write to save memory and be more efficient.
For some reason Chromium works just fine with zypak.
it’s not clear to me the “Flatpak Sandbox” it’s creating is comparable to what we have now (even with just seccomp-bpf). We launch our subprocesses with specific, nailed down sandboxes.
They should absolutely compare their seccomp filters. But this points to the same issue as at the beginning: always using the same seccomp filter is not suited for an entire platform like a browser.
Fair usage in Flatpak
To sum it up:
Electron apps are likely fine to be run as Flatpaks. The zypak sandbox may not isolate the processes from one another as well as the normal one does, but they are controlled and known code.
Electron uses Chromium out of laziness, not because it needs the security of the platform. Daniel Micay, the creator of GrapheneOS, would also list a few very technical reasons why Electron has crippled Chromium's security features.
Thunderbird uses Firefox similarly to Electron, just as a platform for known code, so this will be fair too.
Flatpak Firefox… is probably okay, security-wise. If you use uBlock Origin with some filter lists and an opt-in NoScript setup (which I highly recommend for privacy and security), the risk is even lower.
But the risk is literally getting malware, losing all your data, getting breached or intruded upon. So why leave out this security measure?
But it's true, Flatpak isolates the browsers from the system, which is really nice. If there is a weakness in the browser platform, a process could not just escalate and access everything Firefox can.
Bubblejail
So isolating the browser from the system using Bubblewrap, a modern and rootless sandboxing tool, sounds like a good idea.
The only issue is the always-the-same seccomp filter. The best solution would be a fix for the issue mentioned at the beginning, but for now we can use bubblejail.
It is a tool that makes creating bubblewrap and seccomp filters easy, and adds desktop entries to launch existing apps through that sandbox.
For some reason it doesn't work at all for me anymore… but it did in the past. It is certainly not ready, but with some helping hands it can fill all the gaps where system apps are needed for certain abilities.
Be that a VPN app, the Nextcloud client adding icons to your task manager, an IDE like VSCodium, Zed, Lapce, Kate… or isolating all your system apps!
So currently I use Fedora Firefox, which is very well maintained and checked for security build flags.
I will continue making bubblejail work, which will be a good solution for this problem.
@cheeaun I agree. Before finding Phanpy I hated using Mastodon and only came here occasionally. Since installing the Phanpy PWA on my phone and loading it as a widget in my Vivaldi browser I'm here every day.
Sigh, I tried Firefox on Android and no links in apps work (e.g. Gmail, LinkedIn). Vivaldi and Chrome work fine. I would love to switch but that's so broken
I’ve also been a Vivaldi user for a few years now, and like that they don’t snoop, and that there is no bundling LLMs/ “AI” or crypto-crapto in the browser. Vivaldi is owned by its employees (all of them, including cleaner and office manager) and has no external investors, so there’s a good chance of keeping that culture.
Starting today, Chrome extensions will no longer be the same. Manifest V3 is getting serious
Permissions for browser extensions are passing definitively into the hands of #ManifestV3. For now only for #Chrome beta users, but in the coming months they will reach all users
Regarding that list. It is useful to spread the alternatives, and above all to put Firefox (and not a chromium browser) as the first alternative, but there are some inaccuracies.
The first is suggesting that Vivaldi is not based on chromium; however different (in my opinion, better) the browser is from Chrome, it still uses the chromium engine. Also, even if it is not an error, I would add being closed source among the cons [cont.]
@informapirata @eticadigitale @lealternative
[Cont.] The second, and less important because they were more like "honorable mentions", is that neither Midori nor Floorp are open source.
Yes, their code is available, so it cannot be called closed source (unlike Vivaldi and Chrome), but for the code they add they use the floorp license, which prohibits redistribution for commercial use, which instead must be permitted for a program to be considered open source. [Cont.]
@edinbruh @informapirata @eticadigitale hi, the first sentence for Vivaldi is: "uses the same engine as Google Chrome"; if you think there may be other sentences that could suggest what you say, tell me which ones so I can have a look and possibly reformulate the way they are written! Thanks in the meantime for the comments, they are always welcome
The Vivaldi team is working hard to gut the Google spyware in Chromium on every update. Because of this only security patches are in real time; all other updates are 1-2 weeks behind. The rest remains a user choice in the settings (safe browsing, Chrome Store (without it Vivaldi isn’t even recognized as Chromium), G DNS and little else). Therefore, Vivaldi can be seen as a hard fork. No data is sent to Google, nor to other third-party companies (except naturally the extensions and search engines you use, which may not be so private in any browser; Mullvad also recommends using as few extensions as possible).
@kuketzblog On Android I use Vivaldi. I had performance and battery problems with Firefox, so I tried Vivaldi and then noticed that Vivaldi's UI/UX is unbelievably better than anything else I have tried on the phone so far.
Furthermore, I like that they don't use telemetry and are a Norwegian company owned by its employees.
Sanity check: Vivaldi high CPU usage
Before I dive headlong into debugging and throwing bug tickets around, I just needed a sanity check from someone else…
Summer is the worst season of the year, isn't it?
The sun sucks, being forced to shower like every 4 hours just to not feel sweaty, the fucking mosquitoes, the fact you can’t wear anything that you want anymore due to the heat, the people outside… The fucking beach. I try to avoid it… The fucking sand, not a fan of it. It's scratchy, harsh, annoying and it infiltrates in...
Flatpak Firefox (and forks) very slow to start
While other flatpak apps have no problems. Any suggestions?
I speed-tested a few browsers; here are the results (feddit.uk)
Put any recommendations in the comments
Oh tell me again how it loads faster and takes up less resources