Upstream review of sandboxing code?

[cjao]

First of all, thanks for your work in packaging this! I notice that you have written a patch to adapt Chromium to Flatpak's sandbox. Are you planning to submit this upstream for review? I appreciate your work in building this package, but it's really important to not compromise the quality of the sandbox.

[Erick555]

AFAIK upstream stated they aren't interested in adopting flatpak sandbox support atm.

[refi64]

Indeed at least for now, there is no interest in another sandbox, and I doubt the current global situation would do much to encourage this given that the Chromium team is probably still WFH.

That being said, it's worth noting Chromium's sandbox is two layers, the second being a rather strict BPF sandbox, and that one is entirely unmodified. The first layer is primarily to block filesystem access, which has been tested and confirmed to work here (partly because we've had files end up missing that we needed to be able to access 😅)