jy-tan | 1 month ago
When you run `fence flatpak run <app>`, Fence creates a bwrap sandbox with its own user namespace. Flatpak then tries to create another user namespace inside, so you'd get something like `bwrap: setting up uid map: Permission denied`.
The outer sandbox doesn't grant the capability for nested namespace creation (otherwise it would defeat much of the security), so Fence can't wrap Flatpak (or similar namespace-based sandbox tools) in a useful way. Ideally you'd need something at the network level outside any sandbox.
That said, open to suggestions if anyone knows of a feasible solution.
foresto | 1 month ago
https://gitlab.steamos.cloud/steamrt/steam-runtime-tools/-/t...
https://github.com/flathub/com.valvesoftware.Steam