Simon McVittie
Simon McVittie
> it's better to be fixed upstream The upstream for the libglnx copylib is .
Please review/test https://gitlab.gnome.org/GNOME/libglnx/-/merge_requests/57. This is not going to be fixed as a Flatpak-specific change, but it can be fixed by fixing libglnx and then updating Flatpak's copy.
The whole existence of the `--filesystem` permission is an unwelcome but necessary compromise. Ideally it would not exist at all, and all apps' accesses to all files would go through...
> reporting the distro would be nice Nice for whom, and for what purpose?
The seccomp filter is functionally necessary, and removing it would be a sandbox escape (see [CVE-2021-41133](https://github.com/flatpak/flatpak/security/advisories/GHSA-67h7-w3jq-vh4q)) for anything that doesn't already have permissions that allow the sandbox to be escaped....
Please could you say more in the commit message about precisely what "access to /sys/ is blocked" means in the system you're targeting? (chmod 0700 on `/sys/block`, etc.? chmod 0700...
> We really should try to get rid of `/sys` in general (is mesa the only user?) I gave a concrete example of another user of `/sys` two comments above...
> This specific use case is when setting `chmod 0700 /sys` which is what was done previously in whonix. This is intentionally disabling an intended feature of the Linux kernel...
> I get the same error on my other Alpine machine. Not on machines running other operating systems. > I had this issue too. … Alpine Edge Because this seems...
I would suggest talking to Alpine's support channels, specifically the packagers responsible for its `flatpak` package.