• 2 Posts
  • 7 Comments
Joined 7 months ago
cake
Cake day: April 30th, 2024

help-circle



  • I’d say about half of what I do is command-line (VMs, host OS being Windows). I am liking tumbleweed but I need to actually install it to see how it plays with my graphics card.

    Since they’re new to me, how easy can/how often are malicious flatpaks introduced to the ecosystem and are they vetted somehow? It’s my understanding (at least for docker) that they aren’t virtualized so they share kernel functionality meaning any image is just a priv esc away from moving outside the container.




  • Thanks for the reply. Unfortunately it seems things haven’t changed much in the last decade as far as hardening is concerned, seems like you have to come from an infosec background and constantly read log files or set up new yara rules (or have some software do it which comes with its own set of concerns). I was recently under the impression that docker images were virtualized until I learned they’re free to break out at any time with kernel vulnerabilities which are much more numerous than hypervisor escapes, so it doesn’t surprise me there are issues with flatpaks/bubblewrap/firejail. Sandboxing solutions seem much more mature on Windows unfortunately, with both Sandboxie/Windows Sandbox and Kaspersky (I know) having their own versions of scope-specific apps and limits. But I think I have a lot more reading to do before assuming.