
Not sure how good bubblewrap is; to my knowledge it only refuses unprivileged actions and doesn’t really have a way of “negotiation” between the sandbox and the app running. I do know that flatpak does have this option for at least the file picker dialog, which is a good direction, but ideally the mobile OS’s permission system should be adapted in some way.

My gripe with flatpak is that it mixes up a (imo bad) way of packaging with sandboxing.




Yes, I agree flatpak is a bad way of packaging. Note, bubblewrap is independent of flatpak.

In fact there are some proposals to add sandboxing to nix, which is the antithesis of flatpak, using bubblewrap.

Firejail is a more usable alternative and comes with very sane default rules, e.g. only allow Firefox to see the Downloads directory in home.

However, it has a much larger attack surface than bubblewrap [1].

[1] https://github.com/netblue30/firejail/discussions/4522



