
Conversation

cxrvh (Contributor) commented Sep 25, 2020

Closes: #348

rh-atomic-bot

Can one of the admins verify this patch?
I understand the following commands:

  • bot, add author to whitelist
  • bot, test pull request
  • bot, test pull request once

bbhtt (Contributor) commented Sep 2, 2025

imo, the thing to fix here is flatpak-build. I'm not sure if I have found a reason as to why it gives access to home by default.

See flatpak/flatpak#6231

cxrvh (Contributor, Author) commented Sep 2, 2025

I think I was following all other commands which explicitly add --nofilesystem=host (I guess it should now be --nofilesystem=host:reset).

Quick search & I haven't checked if it's really the correct line, but I guess host access was explicitly added:
flatpak/flatpak@3a20c07
https://github.com/flatpak/flatpak/blob/5eea3304146964ccf044d6c76e872b3c333a1112/app/flatpak-builtins-build.c#L439

swick (Contributor) commented Sep 3, 2025

I could certainly remove the special casing in flatpak build. The question really is if it breaks things.

swick (Contributor) commented Sep 3, 2025

FWIW, I opened a PR for flatpak: flatpak/flatpak#6308

bbhtt (Contributor) commented Sep 4, 2025

I think we would want this PR too along with the Flatpak change. The latest Flatpak builder can be run against an old version of Flatpak.

As this is a backwards-incompatible change, probably whenever 1.5.0 starts.

@bbhtt bbhtt added this to the 1.5.0 milestone Sep 9, 2025
bbhtt (Contributor) commented Oct 14, 2025

the subject should be something like "manifest: Disable all filesystem access in flatpak-builder --run sandbox"

Just as any other build commands, add --nofilesystem=host:reset
to remove any filesystem permissions when running commands.

Closes: flatpak#348
@bbhtt bbhtt merged commit d3c4c31 into flatpak:main Oct 20, 2025
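A regression probe for the behaviour this PR changes, added here as an example and not part of the PR or of flatpak-builder itself: it plants a marker file in the host home directory and asks a command started through `flatpak-builder --run` whether that host path is visible from inside the sandbox. The build directory and manifest paths are placeholders supplied by the caller.

```shell
#!/bin/sh
# Probe whether a command started with `flatpak-builder --run` can see a
# file that exists only in the host home directory (the issue #348 behaviour).
# Exit status: 0 = not visible (filesystem access is reset in the sandbox),
#              1 = visible (the sandbox still exposes the host home),
#              3 = probe could not run (tool missing or build dir unusable).
# build_dir and manifest are placeholder paths supplied by the caller.
probe_run_sandbox() {
  build_dir=$1
  manifest=$2

  if ! command -v flatpak-builder >/dev/null 2>&1; then
    echo "probe skipped: flatpak-builder not installed" >&2
    return 3
  fi
  # Sanity check: the build dir and manifest must be usable, otherwise a
  # failing command below would be misread as "isolated".
  if ! flatpak-builder --run "$build_dir" "$manifest" true >/dev/null 2>&1; then
    echo "probe skipped: cannot run commands in $build_dir" >&2
    return 3
  fi
  [ -n "$HOME" ] || return 3

  marker=$(mktemp "$HOME/.fb-run-probe.XXXXXX") || return 3
  # Pass the absolute host path explicitly; $HOME inside the sandbox may differ.
  if flatpak-builder --run "$build_dir" "$manifest" \
       sh -c 'test -e "$1"' probe "$marker" >/dev/null 2>&1; then
    rm -f "$marker"
    echo "FAIL: host file $marker is visible inside the --run sandbox" >&2
    return 1
  fi
  rm -f "$marker"
  echo "OK: host home directory is not visible inside the --run sandbox" >&2
  return 0
}

# Stand-alone use (placeholder paths):
# probe_run_sandbox ./build-dir ./org.example.App.json
```

Run it once against a flatpak-builder without this change and once with it; the exit status should move from 1 to 0.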
Successfully merging this pull request may close these issues.

--run allows access to home directory by default

4 participants