http://bugs.winehq.org/show_bug.cgi?id=59767 --- Comment #6 from Aaron Rainbolt <arraybolt3@gmail.com> ---
> That is the issue. Flatpak and Snap are not true sandboxes if they let the app run code outside of the sandbox.

That depends on the kind of code though. If a user downloads a Word document with a sandboxed Firefox, then clicks the "Open" button in the browser to open it, the user would naturally expect that a) the file should open, and b) opening the file won't run arbitrary code within the file. To open the file, the sandboxed browser needs to either bundle an office suite within its own sandbox (which is unrealistic for per-app sandbox systems like Flatpak), or it needs to tell something outside the sandbox to open the file. That "something" is xdg-desktop-portal-gtk, and the way it determines how to open the file is by MIME handlers. This is a safe operation if the documentation that says "never register a MIME handler that blindly runs code from a file" is followed; it's an unsafe operation otherwise. I don't see how Wine doing something the documentation explicitly says not to do makes Flatpak "not a true sandbox".

If there were a way to register MIME handlers with a warning on them that says "this will run arbitrary code", then I would agree with you, but there is a mechanism like that already: binfmt-misc. If that was used instead of MIME, it would allow people to double-click EXE files in their file manager and run them, while also not allowing a sandboxed app to break out. By using MIME, Wine is telling the system "Hi, I can open EXE files without running them", when in reality it does run them. binfmt-misc would let Wine say "Hi, I can open EXE files, but I will run them in the process", which is more in line with what Wine actually does.
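The distinction the comment draws (a MIME handler declares "I can open this type", a binfmt_misc registration declares "I will execute this type") can be checked on a host by auditing which desktop entries register for executable MIME types. The script below is an added example for this thread, not Wine's, Flatpak's or xdg-desktop-portal's own code: it parses constructed desktop-entry files (modelled on typical entries, not copied from any package), flags those that claim executable MIME types, and builds the equivalent binfmt_misc register line. The executable MIME list and the `/usr/bin/wine` interpreter path are assumptions for illustration.

```python
"""Audit desktop-entry MIME handlers for types whose "opening" may mean executing code.

Added example for this bug thread; not code from Wine, Flatpak or any portal.
All desktop-entry contents below are constructed samples, not real package files.
"""
import configparser
import io

# MIME types that denote native executables. Assumption: illustrative list,
# not exhaustive; extend it for your distribution's shared-mime-info database.
EXECUTABLE_MIME_TYPES = {
    "application/x-ms-dos-executable",
    "application/x-msdownload",
    "application/x-executable",
    "application/vnd.microsoft.portable-executable",
}

# Constructed sample desktop entries (not the real wine.desktop or any other file).
SAMPLE_DESKTOP_FILES = {
    "wine-like.desktop": """[Desktop Entry]
Name=Windows Program Loader
Exec=wine start /unix %f
Type=Application
MimeType=application/x-ms-dos-executable;application/x-msi;
NoDisplay=true
""",
    "office-like.desktop": """[Desktop Entry]
Name=Writer
Exec=writer %U
Type=Application
MimeType=application/msword;application/vnd.oasis.opendocument.text;
""",
    # A viewer that opens EXE files without running them: registering the
    # type is legitimate here, which is why the audit only flags candidates.
    "hexviewer-like.desktop": """[Desktop Entry]
Name=Hex Viewer
Exec=hexview %f
Type=Application
MimeType=application/x-ms-dos-executable;application/octet-stream;
""",
}


def parse_desktop_entry(text):
    """Return (Exec line, set of MIME types) from the [Desktop Entry] group."""
    parser = configparser.RawConfigParser(strict=False)
    parser.optionxform = str  # desktop-entry keys are case-sensitive
    parser.read_file(io.StringIO(text))
    section = parser["Desktop Entry"]
    # MimeType is a semicolon-terminated list; drop the empty trailing item.
    mimes = {m for m in section.get("MimeType", "").split(";") if m}
    return section.get("Exec", ""), mimes


def find_executable_handlers(desktop_files):
    """Map file name -> {'exec': ..., 'mime': [...]} for entries claiming executable types.

    A hit means "review this handler": MIME registration alone cannot tell a
    loader that runs the file apart from a viewer that merely displays it.
    """
    findings = {}
    for name, text in desktop_files.items():
        exec_line, mimes = parse_desktop_entry(text)
        hit = mimes & EXECUTABLE_MIME_TYPES
        if hit:
            findings[name] = {"exec": exec_line, "mime": sorted(hit)}
    return findings


def binfmt_register_line(name, magic, interpreter):
    """Build a line in the kernel's /proc/sys/fs/binfmt_misc/register format.

    Format is :name:type:offset:magic:mask:interpreter:flags; type M matches
    on magic bytes at the (default 0) offset, so 'MZ' selects PE/MZ executables.
    Writing such a line says explicitly "this interpreter executes these files",
    which is the declaration the comment above argues Wine should be making.
    """
    return f":{name}:M::{magic}::{interpreter}:"


if __name__ == "__main__":
    for name, info in find_executable_handlers(SAMPLE_DESKTOP_FILES).items():
        print(f"{name}: registers {info['mime']} with Exec={info['exec']!r}")
    # Interpreter path is an assumption for illustration.
    print(binfmt_register_line("DOSWin", "MZ", "/usr/bin/wine"))
```

On a live system the same check starts from the real handler database, for example `xdg-mime query default application/x-ms-dos-executable` to find the default handler and the `.desktop` files under the XDG application directories to find every registrant. Note that the hex-viewer sample is flagged too: the finding is a review prompt, because the MIME system gives the portal no way to tell a viewer from a loader, which is exactly the gap the comment describes.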