From 071da64bfde3f750a2e77b7d654572e7ea8cf95b Mon Sep 17 00:00:00 2001 From: "Cup.png" <232283931+Cup-png@users.noreply.github.com> Date: Tue, 10 Mar 2026 22:12:49 -0600 Subject: [PATCH 1/3] FEAT: Update FLATPAK with info about Flatpak Browsers.md --- content/articles/FLATPAK.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/content/articles/FLATPAK.md b/content/articles/FLATPAK.md index 45dadf9a..f8280c75 100644 --- a/content/articles/FLATPAK.md +++ b/content/articles/FLATPAK.md 
@@ -35,3 +35,9 @@ Note that this will not only undo the `ujust flatpak-permissions-lockdown` comma ``` ujust harden-flatpak ``` + +As shown by one of the [links](https://forum.vivaldi.net/topic/33411/flatpak-support/191) in the features page part of flatpak's security model involves [denying user namespaces via SECCOMP-BPF to flatpaks, including flatpak browsers](https://discussion.fedoraproject.org/t/is-it-better-to-have-a-browser-sand-boxed-with-flatpak-or-not/162425/17). This (weakly) isolates them from the system & other apps but breaks their sandboxing layer responsible for site and process isolation, leaving only Zypak + SECCOMP-BPF in its place; or in the case of Firefox/Gecko-based browsers, [outright disables most sandboxing processes entirely by having no Zypak equivalent](https://bugzilla.mozilla.org/show_bug.cgi?id=1756236). The sole known exception to this being the GNOME Web/Epiphany flatpak, whose site isolation is still behind in comparison to the implementations in native Chromium-based & Gecko-based browser packages. + +Therefore we've kept hidden flatpak browsers (aside from GNOME Web) from view on the software store frontends including [recently](https://github.com/secureblue/secureblue/pull/1898) on Bazaar to discourage their usage and directing the user to Trivalent. + +We have interest in shipping Trivalent as a flatpak in the future nonetheless for more availability but not until a solution like [nested namespaces](https://github.com/flatpak/flatpak/pull/6386) becomes usable to allow the browser to perform the necessary syscalls to execute its sandboxed processes properly. From 1b7a84935c63ea9a53fd91d74d7d82b5315530e3 Mon Sep 17 00:00:00 2001 From: "Cup.png" <232283931+Cup-png@users.noreply.github.com> Date: Tue, 10 Mar 2026 22:51:40 -0600 Subject: [PATCH 2/3] feat: Update FLATPAK.md -added possibly useful link --- content/articles/FLATPAK.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/content/articles/FLATPAK.md b/content/articles/FLATPAK.md index f8280c75..0b610e1c 100644 --- a/content/articles/FLATPAK.md +++ b/content/articles/FLATPAK.md 
@@ -36,7 +36,7 @@ Note that this will not only undo the `ujust flatpak-permissions-lockdown` comma ujust harden-flatpak ``` -As shown by one of the [links](https://forum.vivaldi.net/topic/33411/flatpak-support/191) in the features page part of flatpak's security model involves [denying user namespaces via SECCOMP-BPF to flatpaks, including flatpak browsers](https://discussion.fedoraproject.org/t/is-it-better-to-have-a-browser-sand-boxed-with-flatpak-or-not/162425/17). This (weakly) isolates them from the system & other apps but breaks their sandboxing layer responsible for site and process isolation, leaving only Zypak + SECCOMP-BPF in its place; or in the case of Firefox/Gecko-based browsers, [outright disables most sandboxing processes entirely by having no Zypak equivalent](https://bugzilla.mozilla.org/show_bug.cgi?id=1756236). The sole known exception to this being the GNOME Web/Epiphany flatpak, whose site isolation is still behind in comparison to the implementations in native Chromium-based & Gecko-based browser packages. +As shown by one of the [links](https://forum.vivaldi.net/topic/33411/flatpak-support/191) in the features page part of flatpak's security model involves [denying user namespaces via SECCOMP-BPF to flatpaks, including flatpak browsers](https://discussion.fedoraproject.org/t/is-it-better-to-have-a-browser-sand-boxed-with-flatpak-or-not/162425/17). This (weakly) isolates them from the system & other apps but breaks their sandboxing layer responsible for site and process isolation, leaving only Zypak + SECCOMP-BPF in its place; or in the case of Firefox/Gecko-based browsers, [outright disables most sandboxing processes entirely by having no Zypak equivalent](https://bugzilla.mozilla.org/show_bug.cgi?id=1756236). 
The sole known exception to this being the GNOME Web/Epiphany flatpak, whose site isolation is [still behind](https://github.com/RKNF404/chromium-hardening-guide/blob/main/pages/BROWSER_SELECTION.md#epiphanywebkitgtk) in comparison to the implementations in native Chromium-based & Gecko-based browser packages. Therefore we've kept hidden flatpak browsers (aside from GNOME Web) from view on the software store frontends including [recently](https://github.com/secureblue/secureblue/pull/1898) on Bazaar to discourage their usage and directing the user to Trivalent. From 062d4c77b9476421d5c9a7602d733dc68f6a4620 Mon Sep 17 00:00:00 2001 From: "Cup.png" <232283931+Cup-png@users.noreply.github.com> Date: Thu, 12 Mar 2026 18:11:56 -0600 Subject: [PATCH 3/3] Update FLATPAK.md -addressed comments --- content/articles/FLATPAK.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/content/articles/FLATPAK.md b/content/articles/FLATPAK.md index 0b610e1c..9d62dc0a 100644 --- a/content/articles/FLATPAK.md +++ b/content/articles/FLATPAK.md 
@@ -35,8 +35,7 @@ Note that this will not only undo the `ujust flatpak-permissions-lockdown` comma ``` ujust harden-flatpak ``` - -As shown by one of the [links](https://forum.vivaldi.net/topic/33411/flatpak-support/191) in the features page part of flatpak's security model involves [denying user namespaces via SECCOMP-BPF to flatpaks, including flatpak browsers](https://discussion.fedoraproject.org/t/is-it-better-to-have-a-browser-sand-boxed-with-flatpak-or-not/162425/17). This (weakly) isolates them from the system & other apps but breaks their sandboxing layer responsible for site and process isolation, leaving only Zypak + SECCOMP-BPF in its place; or in the case of Firefox/Gecko-based browsers, [outright disables most sandboxing processes entirely by having no Zypak equivalent](https://bugzilla.mozilla.org/show_bug.cgi?id=1756236). The sole known exception to this being the GNOME Web/Epiphany flatpak, whose site isolation is [still behind](https://github.com/RKNF404/chromium-hardening-guide/blob/main/pages/BROWSER_SELECTION.md#epiphanywebkitgtk) in comparison to the implementations in native Chromium-based & Gecko-based browser packages. +Part of flatpak's security model involves [denying user namespaces](https://forum.vivaldi.net/topic/33411/flatpak-support/191) [via SECCOMP-BPF](https://www.kernel.org/doc/html/v4.19/userspace-api/seccomp_filter.html) [to flatpaks, including flatpak browsers](https://discussion.fedoraproject.org/t/is-it-better-to-have-a-browser-sand-boxed-with-flatpak-or-not/162425/17). 
This is one way to isolate them from the system & other apps by preventing them from reaching certain kernel code paths that they would otherwise not be able to as unprivileged processes but breaks their sandboxing layer responsible for site and process isolation, leaving only [Zypak](https://github.com/refi64/zypak) + SECCOMP-BPF + [additional patches](https://github.com/flathub/org.chromium.Chromium/blob/master/patches/chromium/flatpak-Add-initial-sandbox-support.patch) in its place; or in the case of Firefox/Gecko-based browsers, [outright disables most sandboxing processes entirely by having no Zypak equivalent](https://bugzilla.mozilla.org/show_bug.cgi?id=1756236). The sole known exception to this being the GNOME Web/Epiphany flatpak, whose site isolation is [notably weaker](https://github.com/RKNF404/chromium-hardening-guide/blob/main/pages/BROWSER_SELECTION.md#epiphanywebkitgtk) in comparison to the implementations in native Chromium-based & Gecko-based browser packages. Therefore we've kept hidden flatpak browsers (aside from GNOME Web) from view on the software store frontends including [recently](https://github.com/secureblue/secureblue/pull/1898) on Bazaar to discourage their usage and directing the user to Trivalent.
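Review bot: In the first added paragraph of PATCH 1/3, "(weakly) isolates them from the system & other apps but breaks their sandboxing layer" never connects the two halves: the reader is told user namespaces are denied via SECCOMP-BPF and then that site/process isolation breaks, but not that the broken layer is precisely the one that needs to create user namespaces. State that dependency explicitly so the "(weakly)" qualifier and the later "necessary syscalls" remark in the third paragraph have something to refer to. Two smaller points in the same hunk: a comma is missing after "in the features page" (and "one of the links in the features page" is a fragile way to cite; name what the link is), and "to discourage their usage and directing the user to Trivalent" mixes verb forms; "to discourage their usage and direct the user to Trivalent" reads cleanly.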
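Review bot: The only change in PATCH 2/3 is the new "still behind" link on the GNOME Web sentence, and that sentence is still a fragment ("The sole known exception to this being the GNOME Web/Epiphany flatpak, whose ..."); while touching it, make it a full sentence, e.g. "The sole known exception is the GNOME Web/Epiphany flatpak, whose site isolation is still behind ...". The link target is a third-party hardening guide rather than project documentation, so the anchor text should say what is being compared (its site-isolation model against native Chromium-based and Gecko-based packages) instead of leaving "still behind" to carry the claim on its own.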
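Review bot: The added sentence in PATCH 3/3 is logically inverted: "preventing them from reaching certain kernel code paths that they would otherwise not be able to as unprivileged processes" says the filter blocks paths the processes already could not reach, which is the opposite of the point the paragraph is making (user namespaces are what let an unprivileged process reach those code paths, and the filter closes that route). Suggested wording: "by preventing them from reaching kernel code paths that user namespaces would otherwise expose to unprivileged processes". Two smaller points in the same hunk: the counts (2 deletions, 1 insertion) show the blank line between the closing code fence and the paragraph was dropped, so the new paragraph now sits directly under the fence; restore it to match the rest of the file. And the "via SECCOMP-BPF" link pins the kernel documentation at v4.19 (kernel.org/doc/html/v4.19/...), where the unversioned latest page would avoid going stale.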