What exactly is this “built in sandbox”, and what does it protect against? How does it compare with Flatpak disallowing access to filesystem?
Could we get a source for the claim of sandbox being crippled? Or more details? Documentation? Build scripts?
I had a look at flatpaks I have installed:
Firefox (org.mozilla.firefox): no access to ~
Thunderbird (org.mozilla.Thunderbird): no access to ~
Element (im.riot.Riot): no access to ~
Beyond All Reason (info.beyondallreason.bar) - no access to ~
Steam (com.valvesoftware.Steam) - no access to ~, and (best of all) Steam runs a ton of untrusted code in games, which will inherit this restriction.
Wolfenstein: Blade of Agony (com.realm667.Wolfenstein_Blade_of_Agony) - no access to ~
Chromium (com.github.Eloston.UngoogledChromium): allows access to ~ by default. It’s one click to disable, or I could shop around for another one, like org.chromium.Chromium.
OpenTTD (org.openttd.OpenTTD) - allows access to ~
Thus, yeah, some apps neglect to restrrict ~, thankfully it’s easy to fix. It’s not a disadvantage, though, it’s a lack of advantage.
Interesting, could you please elaborate?
I had a look at flatpaks I have installed:
Firefox (org.mozilla.firefox): no access to ~
Thunderbird (org.mozilla.Thunderbird): no access to ~
Element (im.riot.Riot): no access to ~
Beyond All Reason (info.beyondallreason.bar) - no access to ~
Steam (com.valvesoftware.Steam) - no access to ~, and (best of all) Steam runs a ton of untrusted code in games, which will inherit this restriction.
Wolfenstein: Blade of Agony (com.realm667.Wolfenstein_Blade_of_Agony) - no access to ~
Chromium (com.github.Eloston.UngoogledChromium): allows access to ~ by default. It’s one click to disable, or I could shop around for another one, like org.chromium.Chromium.
OpenTTD (org.openttd.OpenTTD) - allows access to ~
Thus, yeah, some apps neglect to restrrict ~, thankfully it’s easy to fix. It’s not a disadvantage, though, it’s a lack of advantage.