Question: Brave not sandboxed in flatpak?

When I install the Brave flatpak version from Linux Mint, it looks like Brave is not bubble wrapped properly (when I add a folder with :RO readonly in flatseal, Brave is able to save images, bookmarks and downloads in that folder).

[Screenshot: brave not sandboxed]

When I repeat the same (e.g. setting /media/kees:ro) with ungoogled chromium or (normal) chromium those files are not saved. Chromium does seem to know that flatpak is first sandbox (see picture)
[Screenshot: Chromium sandboxed]

The difference between the screenshots is because Brave (like Chrome and all other chromium-based binaries) is using zypak, whereas Chromium is built from source and has been patched. Brave isn’t really using a SUID sandbox, that’s just how zypak injects itself.

Are you sure this isn’t just the file chooser portal granting access via the documents portal? You can check:

flatpak documents --columns=all com.brave.Browser

Also please share the output of flatpak info -M for both apps.

Chris, thanks for responding

When I enter flatpak documents --columns=all com.brave.Browser

I get a list from documents in my download and documents. While I have added xdg-download, I have added in flatseal /home/kees:ro

Example of one listed document

debf4f82 /run/user/1000/doc/debf4f82/Copilot plan 2.pdf /home/kees/Documents/Nakijken Voorjaar 2024/ONPR info/Copilot plan 2.pdf com.brave.Browser read write grant-permissions

Seems to me it should not have read write permission?

You need to be more specific for the flatpak info -M command, here is a print of flatseal file system permissions

So that’s a file that you probably selected using the Open File dialog, which implicitly grants the app access to that file via the documents portal. The dialog is provided by the File Chooser portal running outside the sandbox. Only the files you specifically select are passed through.

It would be e.g. flatpak info -M com.brave.Browser

Chris again thanks for the help

_______________ output
kees@kees-HP-Laptop-15s-eq2xxx:~$ flatpak info -M com.brave.Browser
[Context]
shared=network;
sockets=x11;wayland;pulseaudio;cups;
devices=dri;all;
filesystems=!host-etc;~/.config/kioslaverc;~/.local/share/applications:create;/media/kees:ro;/run/.heim_org.h5l.kcm-socket;~/.config/dconf:ro;xdg-download;~/.local/share/icons:create;xdg-run/dconf;/home/kees:ro;xdg-run/pipewire-0;xdg-desktop;
persistent=.pki;

[Session Bus Policy]
org.freedesktop.secrets=talk
org.freedesktop.Notifications=talk
org.mpris.MediaPlayer2.brave.=own
org.kde.kwalletd5=talk
org.freedesktop.FileManager1=talk
org.freedesktop.ScreenSaver=talk
org.kde.kwalletd6=talk
org.gnome.Mutter.IdleMonitor.=talk
org.gnome.SessionManager=talk
ca.desrt.dconf=talk

[System Bus Policy]
org.freedesktop.Avahi=talk
org.freedesktop.UPower=talk

[Environment]
GSETTINGS_BACKEND=dconf
GIO_EXTRA_MODULES=/app/lib/gio/modules
GTK_PATH=/app/lib/gtkmodules
XCURSOR_PATH=/run/host/user-share/icons:/run/host/share/icons
DCONF_USER_CONFIG_DIR=.config/dconf

You can start a shell inside the sandbox & try to create or modify a file, this won’t work:

flatpak run --command=bash com.brave.Browser

# Inside sandbox
echo "Fails" > /home/kees/new-file-in-read-only-home

Feel free to file the issue with the package Issues · flathub/com.brave.Browser · GitHub

@cxrvh

Martin, Thanks for your reply.

Entering the commands you suggested, shows that it has only read access.

Thank you for clarifying this, much appreciated

@hub

Hubert, thanks to Martin the question is answered (and according to Chris's explanation the behaviour is explained)

Thanks to all for taking the time to respond to this
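
The distinction worked out in this thread, as an added example that is not part of the original posts: it compares the static `filesystems=` entries from `flatpak info -M` with the per-file grants from `flatpak documents --columns=all` and lists files that are writable through the documents portal even though the static mount covering them is read-only. The function names, the home directory and the English XDG folder names are assumptions, and the row layout is taken from the single document line quoted above.

```python
import re

# Constructed sample input, trimmed from the outputs quoted in the thread.
METADATA = """[Context]
filesystems=!host-etc;/media/kees:ro;xdg-download;/home/kees:ro;xdg-desktop;
"""
DOCUMENTS = (
    "debf4f82 /run/user/1000/doc/debf4f82/Copilot plan 2.pdf "
    "/home/kees/Documents/Nakijken Voorjaar 2024/ONPR info/Copilot plan 2.pdf "
    "com.brave.Browser read write grant-permissions\n"
)
HOME = "/home/kees"
# Assumption: default English XDG directory names.
XDG = {"xdg-download": HOME + "/Downloads", "xdg-desktop": HOME + "/Desktop"}

# File names may contain spaces, so anchor on the name repeated in both paths.
ROW = re.compile(
    r"^(?P<id>\S+)\s+(?P<mount>/run/user/\d+/doc/(?P=id)/(?P<name>.+?))\s+"
    r"(?P<origin>/.*/(?P=name))\s+(?P<app>\S+)\s+"
    r"(?P<perms>(?:(?:read|write|delete|grant-permissions)\s*)+)$"
)

def static_mounts(metadata):
    """Map each host path in filesystems= to its mode (ro, rw or create)."""
    line = next(l for l in metadata.splitlines() if l.startswith("filesystems="))
    mounts = {}
    for entry in filter(None, line.split("=", 1)[1].split(";")):
        if entry.startswith("!"):        # negated entry: access removed
            continue
        path, _, mode = entry.partition(":")
        path = XDG.get(path, path.replace("~", HOME, 1))
        if path.startswith("/"):         # skip unresolved tokens such as xdg-run/...
            mounts[path] = mode or "rw"  # no suffix means read-write
    return mounts

def static_mode(path, mounts):
    """Mode of the most specific static mount covering path, or None."""
    hits = [m for m in mounts if path == m or path.startswith(m.rstrip("/") + "/")]
    return mounts[max(hits, key=len)] if hits else None

def portal_overrides(metadata, documents):
    """Documents the portal exposes writable although the static mount is not."""
    mounts, found = static_mounts(metadata), []
    for row in filter(None, map(ROW.match, documents.splitlines())):
        perms, mode = row["perms"].split(), static_mode(row["origin"], mounts)
        if "write" in perms and mode in (None, "ro"):
            found.append((row["origin"], mode, perms))
    return found

if __name__ == "__main__":
    for origin, mode, perms in portal_overrides(METADATA, DOCUMENTS):
        print(f"{origin}: static={mode}, portal={'+'.join(perms)}")
```

Each file it reports was picked in the file chooser dialog; the static `:ro` mount itself stays read-only, which is what the shell test inside the sandbox confirms.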