New serious permission entry for flatpak: "Can access full host system/circumvent sandbox/…"
The Atom flathub flatpak currently shows this:
However, as I demonstrated e.g. here https://github.com/flathub/io.atom.Atom/issues/43, it has a way more serious permission: it can talk to `org.freedesktop.Flatpak` and thus can run `flatpak-spawn --host`. Basically, it means this can circumvent any other permission and fully break out of the sandbox. This is not reflected in the user-visible details.
But it's a huge point…!
This is a copy/paste of gnome-software#704 (closed), which has already been fixed in GNOME Software in MR gnome-software!258 (merged), but apparently not in GNOME Settings.
It is not only very inconsistent if different permissions are displayed, but, in this case of a very serious permission being forgotten, actually also a security problem.
Anyway, as such, maybe also consider somehow combining the code parts, so you do not have two places to maintain the same permission mappings. Could be useful, I guess…
Similarly, there is also:
- no warning for Xorg usage in the control center, while there is one in GNOME Software ("deprecated, insecure display system")
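As an added illustration (not code from the report above, from GNOME Settings or from GNOME Software), the following script shows the two checks the report asks the permission display to make: whether the app's session bus policy grants `talk` (or `own`) on `org.freedesktop.Flatpak`, which is what makes `flatpak-spawn --host` work, and whether the `x11` socket is shared. It parses the keyfile format that `flatpak info --show-metadata <app>` prints; the `SAMPLE_METADATA` below is a constructed input in that format, not the real io.atom.Atom manifest. It also goes slightly beyond the report by honouring flatpak's trailing-wildcard bus names (e.g. `org.freedesktop.*=talk`), which would grant the same access without the literal name ever appearing.

```python
import configparser
from typing import Dict, List, Optional

# Constructed sample in the keyfile layout printed by `flatpak info --show-metadata`.
# It is an illustrative input, NOT the actual io.atom.Atom metadata.
SAMPLE_METADATA = """\
[Application]
name=io.atom.Atom
runtime=org.freedesktop.Platform/x86_64/18.08
command=atom

[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=dri;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
org.freedesktop.Notifications=talk
"""

# Bus names whose "talk" access amounts to arbitrary code execution on the host.
# org.freedesktop.Flatpak is the portal behind `flatpak-spawn --host`.
HOST_ESCAPE_BUS_NAMES = ("org.freedesktop.Flatpak",)

# Ordering of flatpak bus policy levels; "own" implies "talk".
POLICY_LEVELS = {"none": 0, "see": 1, "talk": 2, "own": 3}


def bus_policy_grants(policy: Dict[str, str], name: str) -> Optional[str]:
    """Return the most permissive policy level that applies to `name`.

    Handles flatpak's trailing-wildcard keys (e.g. "org.freedesktop.*").
    An audit should over-approximate, so the highest matching level wins.
    """
    best: Optional[str] = None
    for key, value in policy.items():
        if key.endswith(".*"):
            prefix = key[:-2]
            matches = name == prefix or name.startswith(prefix + ".")
        else:
            matches = name == key
        if not matches:
            continue
        level = value.strip().lower()
        if best is None or POLICY_LEVELS.get(level, 0) > POLICY_LEVELS.get(best, 0):
            best = level
    return best


def parse_metadata(text: str) -> configparser.ConfigParser:
    """Parse flatpak keyfile metadata. Bus names are case-sensitive, so keep case."""
    cp = configparser.ConfigParser(
        interpolation=None, delimiters=("=",), comment_prefixes=("#",)
    )
    cp.optionxform = str  # do not lowercase keys such as org.freedesktop.Flatpak
    cp.read_string(text)
    return cp


def audit_metadata(text: str) -> List[str]:
    """Return human-readable findings for the permissions the report is about."""
    cp = parse_metadata(text)
    findings: List[str] = []

    policy = dict(cp["Session Bus Policy"]) if cp.has_section("Session Bus Policy") else {}
    for name in HOST_ESCAPE_BUS_NAMES:
        level = bus_policy_grants(policy, name)
        if level in ("talk", "own"):
            findings.append(
                f"{name}={level}: can run `flatpak-spawn --host`, i.e. full host "
                f"access; this circumvents every other sandbox permission"
            )

    sockets = set()
    if cp.has_section("Context"):
        sockets = {s for s in cp["Context"].get("sockets", "").split(";") if s}
    if "x11" in sockets:
        findings.append("sockets=x11: X11 is a deprecated, insecure display system")

    return findings


if __name__ == "__main__":
    for finding in audit_metadata(SAMPLE_METADATA):
        print("SERIOUS:", finding)
```

To run it against an installed app, pipe `flatpak info --show-metadata <app-id>` into `audit_metadata`. The design point is that the bus-policy check must be done on the effective policy (including wildcards and `own`), not by string-matching a single line; a UI that only maps literal `--talk-name=org.freedesktop.Flatpak` would miss the equivalent wildcard grant.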