New serious permission entry: "Can access full host system/circumvent sandbox/…"
The Atom flathub flatpak currently shows this:
However, as I e.g. demonstrated here https://github.com/flathub/io.atom.Atom/issues/43, it has a way more serious permission: it can talk to org.freedesktop.Flatpak and thus can run flatpak-spawn --host. Basically, this means it can circumvent any other permission and fully break out of the sandbox.
This is not reflected in the user-visible details.
But it's a huge point…!
Edited by rugk
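As an added illustration of the check such a permission entry would rest on (example code, not part of this issue, GNOME Software or the Flathub manifest): the script below reads a Flatpak metadata keyfile and flags a Session/System Bus Policy that grants talk or own access to org.freedesktop.Flatpak, which is what lets a sandboxed app run flatpak-spawn --host. The metadata excerpt is constructed for the example and is not Atom's real manifest.

```python
import configparser

# Constructed excerpt of a Flatpak metadata keyfile; not any real app's manifest.
SAMPLE_METADATA = """\
[Context]
shared=network;ipc;
sockets=x11;wayland;
filesystems=xdg-documents;

[Session Bus Policy]
org.freedesktop.Flatpak=talk
org.freedesktop.Notifications=talk
"""

# Bus names whose 'talk' access is equivalent to running outside the sandbox.
HOST_EQUIVALENT_BUS_NAMES = {
    "org.freedesktop.Flatpak": "exposes HostCommand (what flatpak-spawn --host calls): "
                               "arbitrary commands run on the host, bypassing every other permission",
}


def policy_covers(pattern, bus_name):
    """A Flatpak bus policy name may end in '.*' to cover a whole prefix."""
    if pattern.endswith(".*"):
        return bus_name.startswith(pattern[:-1])
    return pattern == bus_name


def host_equivalent_permissions(text):
    """Return [(granted_pattern, bus_name, reason)] for sandbox-escape-equivalent grants."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep D-Bus names case-sensitive
    cp.read_string(text)
    findings = []
    for section in ("Session Bus Policy", "System Bus Policy"):
        if not cp.has_section(section):
            continue
        for pattern, policy in cp.items(section):
            if policy not in ("talk", "own"):  # 'see' and 'none' cannot send method calls
                continue
            for bus_name, reason in HOST_EQUIVALENT_BUS_NAMES.items():
                if policy_covers(pattern, bus_name):
                    findings.append((pattern, bus_name, reason))
    return findings


if __name__ == "__main__":
    for pattern, bus_name, reason in host_equivalent_permissions(SAMPLE_METADATA):
        print(f"SERIOUS: {pattern} -> {bus_name}: {reason}")
```

The output of `flatpak info --show-permissions APP-ID` prints these same keyfile sections, so it can be fed to host_equivalent_permissions to audit an installed app.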