Comment by foresto
4 hours ago
Can fence wrap applications that do their namespace-based sandboxing?
This could allow finer control than the application's own sandbox offers. For example, Flatpak apps run in bubblewrap containers with all-or-nothing network permissions. Being able to restrict access by domain name would be useful.
Unfortunately nested bubblewrap sandboxes don't work.
When you run `fence flatpak run <app>`, Fence creates a bwrap sandbox with its own user namespace, Flatpak then tries to create another user namespace inside, so you'd get something like `bwrap: setting up uid map: Permission denied`.
The outer sandbox doesn't grant the capability for nested namespace creation (otherwise it would defeat much of the security), so Fence can't wrap Flatpak (or similar namespace-based sandbox tools) in a useful way. Ideally you'd need something at the network level outside any sandbox.
That said, open to suggestions if anyone knows of a feasible solution.
Steam creates its pressure-vessel containers using namespaces, and there is a Steam flatpak, which I think was made possible by some work a few years ago specifically for the purpose of nesting. I don't know if that work applied to flatpak, bubblewrap, or both. It might be worth investigating.
https://gitlab.steamos.cloud/steamrt/steam-runtime-tools/-/t...
https://github.com/flathub/com.valvesoftware.Steam