Sandboxing stopped: All installed Flathub apps have access to all folders and files outside their sandbox. What could cause this challenge?
Hello Flatpak enthusiasts,
One question down below. We are facing an unusual challenge: on one device, sandboxing fully stopped. The challenge is that all installed Flathub Flatpak sandboxed applications have access to all folders and files outside their sandbox. The needed end result is that those apps should not have access to any folder or file outside their sandbox, per both the Flatpak global and per Flatpak app configuration.
For the past years, that sandboxing was very successful on that same device. No challenge. Then, for the last few days, all the same sandboxed applications have access to all folders and files outside their sandboxes.
Question: Besides what we already tried, which is listed down below, what could potentially be causing this challenge above?
----------------
Below is the same message as above. But with details if you’re interested in those.
----------------
Using
• Flatpak: 1.14.10
• Debian: 12 Bookworm
• Type: x86_64
• Display: Wayland
----------------
Steps to reproduce
Install Flatpak 1.14.10
Using Flathub, install apps
Sandboxing is successful for months. Sandboxed apps do not have access to any folder or file outside their sandbox. Joy. So no challenge yet.
One day, on the same device, all the same sandboxed applications have access to all folders and files. Regardless of Flatpak app’s global configuration or per app configuration. Those apps should not have access to any file or folder outside their sandbox. As far as we know, we have not changed anything in the configurations on that device.
This challenge can always be reproduced. For all Flatpak apps. But only with the same device. We are not able to reproduce this challenge on any other devices.
The needed end result is that, on that device, Flatpak sandboxed apps should not have access to any folders and files outside their sandboxes. Per both the Flatpak global and per app configuration.
By “access to all folders and all files”, I mean this, for example:
___ 1. Install this Kwriter Flatpak app from https://flathub.org/en/apps/org.kde.kwrite
___ 2. Using Flatseal from https://flathub.org/en/apps/com.github.tchx84.Flatseal configure the sandbox access permissions like this:
______ Global:
_________ “Filesystem” group:
____________“filesystem=host” DENIED
____________“filesystem=host-os” DENIED
____________“filesystem=host-etc” DENIED
____________“filesystem=home” DENIED
__________ Kwriter (org.kde.kwrite) app:
____________“Filesystem” group:
_______________“filesystem=host” DENIED
_______________“filesystem=host-os” DENIED
_______________“filesystem=host-etc” DENIED
_______________“filesystem=home” DENIED
____________ “Other file” group:
_______________/home//Documents/
___ 3. Reboot device
___ 4. Using Kwriter try to read or write a file stored in any folder OUTSIDE Kwriter sandbox. Kwriter has both read and write access to those files and folders. This is the challenge. Why? Because that folder is outside the sandbox:
______ /home//Downloads/test.txt
______ /home//media///test.txt
___ 5. Using Kwriter try to read or write a file stored in the only folder INSIDE Kwriter sandbox at
______ /home//Documents/test.text
______ Kwriter has access to both reading and writing to this folder above. Which is a success because this folder is inside its sandbox. In other words, the app is ALLOWED read and write access to “filesystem=home”. This is the challenge.
___ 6. This challenge above can be reproduced with all Flatpak apps. Not just Kwriter.
----------------
What we tried that did not resolve this challenge
• Restarted device
• Double-checked permissions for ALL apps (global). Using:
___• Flatseal
• Double-checked permissions PER app. Using:
___• Command: flatpak info --show-permissions <APP.NAME>
___• Flatseal
• Installed new Flatpak app. Which was never installed before. Denied its access to any file or folder. That app also has access to all files and folders.
• This challenge can always be reproduced. For all Flatpak apps. But only with one and the same device. We are not able to reproduce this challenge on any other devices. Still on that device, sandboxing was successful. But then, somehow stopped. Besides what we already tried, which is listed down below, what could potentially be causing this challenge?
• Searched tickets at https://github.com/flatpak/flatpak/issues and found no result.
• Created a ticket with Flatpak engine. A maintainer replied. The maintainer claimed to not understand that ticket. Then closed that ticket without asking any question at https://github.com/flatpak/flatpak/issues/6667. We are assuming good faith from that maintainer. Maybe my ticket was not clear.
----------------
ID
Ignore this line. This is a note to myself: ID_E3T4Z2C4
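Added example, not part of the original post and not Flatpak's own code: a simplified model of how the `filesystems=` entries from the app's metadata and the override keyfiles combine, so the Flatseal settings described above can be checked against what is actually on disk. The function names, the merge order (system directory before user directory, `global` before the per-app file), the sample layers and the `/home/USER` placeholder are assumptions made for this illustration.

```python
import configparser
from pathlib import Path

BROAD = {"host", "host-os", "host-etc", "home"}  # grants that expose the host

def parse_filesystems(keyfile_text):
    """Map filesystem name -> True (granted) / False (denied with '!') for one layer."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key names case-sensitive
    cp.read_string(keyfile_text)
    result = {}
    for item in cp.get("Context", "filesystems", fallback="").split(";"):
        item = item.strip()
        if not item:
            continue
        name = item.lstrip("!")
        for suffix in (":ro", ":rw", ":create"):  # access-mode suffixes
            if name.endswith(suffix):
                name = name[:-len(suffix)]
        result[name] = not item.startswith("!")
    return result

def effective(layers):
    """Merge layers in order; a later layer wins for the same filesystem name."""
    merged = {}
    for text in layers:
        merged.update(parse_filesystems(text))
    return merged

def broad_grants(layers):
    """Names of host-wide grants still in force after merging all layers."""
    return sorted(n for n, ok in effective(layers).items() if ok and n in BROAD)

def load_override_layers(app_id):
    """Read the override files present on this machine (assumed merge order)."""
    dirs = [Path("/var/lib/flatpak/overrides"),
            Path.home() / ".local/share/flatpak/overrides"]
    files = [d / name for d in dirs for name in ("global", app_id)]
    return [f.read_text() for f in files if f.is_file()]

# Constructed sample layers (not the real org.kde.kwrite metadata).
APP_METADATA = "[Context]\nfilesystems=host;\n"
GLOBAL_OVERRIDE = "[Context]\nfilesystems=!host;!host-os;!host-etc;!home;\n"
APP_OVERRIDE = ("[Context]\n"
                "filesystems=!host;!host-os;!host-etc;!home;/home/USER/Documents;\n")
LATER_LAYER = "[Context]\nfilesystems=home;\n"  # constructed: re-grants home

if __name__ == "__main__":
    print(effective([APP_METADATA, GLOBAL_OVERRIDE, APP_OVERRIDE]))
    print(broad_grants(load_override_layers("org.kde.kwrite")))
```

This covers static filesystem permissions only; files opened through the file-chooser portal are granted per file at runtime and do not appear in `filesystems=`.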