The Flatpak open-source GNU/Linux application sandboxing and distribution framework has been updated with a new feature that should harden its security.
Alex Larsson has recently released Flatpak versions 0.9.6 and 0.8.7, which comes about two weeks after their previous point releases to implement a new feature that will avoid creating world-writable directories or setuid files, including in the Flatpak export functionality.
“Previously, if you installed to a system-wide repository, the files created for an application were as specified by the remote repo, but owned by root, which could include problematic permissions like setuid or world-writable,” explains Alexander Larsson. “We now never create such problematic files or directories on disk.”
Additionally, the Flatpak developers made it possible for all newly created flatpak installations to use a “bare-user-only” mode for the repositories. In other words, users can now install Flatpak apps even if the file system of GNU/Linux distribution you’re using doesn’t support extended attributes.
OSTree 2017.7 is required for building Flatpak 0.9.6
Among some other improvements that were implemented in Flatpak 0.9.6, we can mention multiple updates to flatpak builder, such as a new “inherit-extensions” feature to copy extension information from the parent runtime and support for setting the CPPFLAGS environment variable.
Furthermore, the build-export component is now capable of recording the Flatpak version in the commit message, and the “flatpak info –show-metadata” command will now only display the metadata in a machine parseable way. Lastly, OSTree 2017.7 is required for building Flatpak 0.9.6.
On the other hand, Flatpak 0.8.7 is a minor security update to implement the new feature that was explained in the first part of the article, as well as to fix a handful of bugs. You can download both Flatpak 0.9.6 and 0.8.7 source tarballs right now from the project’s GitHub repository.