New serious permission entry for flatpak: "Can access full host system/circumvent sandbox/…"
The Atom flathub flatpak currently shows this:
However, as I e.g. demonstrated here https://github.com/flathub/io.atom.Atom/issues/43, it has a way more serious permission: it can talk to org.freedesktop.Flatpak and thus can run flatpak-spawn --host. Basically, this means it can circumvent any other permission and fully break out of the sandbox. This is not reflected in the user-visible details.
But it's a huge point…!
It is not only very inconsistent if different permissions are displayed, but in this case also a security problem, since a very serious permission is being forgotten.
Anyway, as such, maybe also consider somehow combining the code parts, so you do not have two places to maintain the same permission mappings. Could be useful, I guess…
Similarly, there is also:
- no warning for Xorg usage in the control center, while there is one in GNOME Software ("deprecated, insecure display system")
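The issue above hinges on one line in the app's metadata granting session-bus access to org.freedesktop.Flatpak, which is what makes flatpak-spawn --host possible. The script below is an added example, not code from this issue, from flatpak or from GNOME: it scans a flatpak metadata file (the key-file format printed by `flatpak info --show-permissions APP`) and reports the grants that amount to host command execution, namely talk/own on org.freedesktop.Flatpak in [Session Bus Policy] and an unfiltered session-bus socket in [Context]. The function names (check_metadata, demo_metadata, demo_safe_metadata) and the sample metadata are constructed for this example; the sample only approximates the Atom grant described above and is not a copy of the real file.

```shell
#!/bin/sh
# Added example, not part of the original issue or of flatpak/GNOME code.
# Scans flatpak metadata (read on stdin) for grants that let a sandboxed
# app execute commands on the host, i.e. the "circumvent sandbox" case the
# permission UI does not display.

# Reads a flatpak metadata key-file on stdin. Prints one line per
# host-execution grant found; exit status 0 if any was found, 1 otherwise.
check_metadata() {
    found=0
    group=""
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            \[*\]) group="$line"; continue ;;   # new key-file group
            ''|\#*) continue ;;                 # blank line or comment
        esac
        key="${line%%=*}"
        value="${line#*=}"
        case "$group" in
            "[Session Bus Policy]")
                # talk (or own) on org.freedesktop.Flatpak exposes the
                # HostCommand method used by flatpak-spawn --host.
                if [ "$key" = "org.freedesktop.Flatpak" ]; then
                    case "$value" in
                        talk|own)
                            echo "session bus: $key=$value (host command execution via flatpak-spawn --host)"
                            found=1 ;;
                    esac
                fi ;;
            "[Context]")
                # sockets=...;session-bus;... bypasses the D-Bus proxy
                # entirely, so org.freedesktop.Flatpak is reachable too.
                if [ "$key" = "sockets" ]; then
                    case ";$value;" in
                        *";session-bus;"*)
                            echo "sockets: unfiltered session bus (org.freedesktop.Flatpak reachable)"
                            found=1 ;;
                    esac
                fi ;;
        esac
    done
    [ "$found" -eq 1 ]
}

# Constructed sample metadata (assumption: approximates an app that was
# given --talk-name=org.freedesktop.Flatpak; not the real Atom file).
demo_metadata() {
    cat <<'EOF'
[Application]
name=io.atom.Atom
runtime=org.freedesktop.Platform/x86_64/18.08
command=atom

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
filesystems=home;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
EOF
}

# Constructed sample without the escape hatch, for comparison.
demo_safe_metadata() {
    cat <<'EOF'
[Application]
name=org.example.Viewer
runtime=org.freedesktop.Platform/x86_64/18.08
command=viewer

[Context]
sockets=wayland;
filesystems=xdg-download:ro;
EOF
}

if demo_metadata | check_metadata; then
    echo "escape hatch present: the permission UI should list this as full host access"
else
    echo "no host-execution grant found"
fi
```

On a real system, feed it the output of `flatpak info --show-permissions io.atom.Atom` (or the installation's metadata file) instead of the constructed sample; a grant found here is exactly the "can access full host system" entry the issue asks the permission view to show.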