IMHO, what is missing as a todo item for the sandbox is a FIDO U2F/WebAuthn abstraction for USB devices.
Problem
User story: I, as a user of a flatpak’ed browser, want to be able to log in with my cool U2F/WebAuthn keys, because they are very convenient & secure & with increased adoption I may also be able to use passwordless authentication.
So one could do so when you enable the --device=all permission, but obviously (for isolation/sandboxing reasons, i.e. security reasons) one does not want to expose all USB devices to a browser application.
WebAuthn spec has recently been finalized: https://www.w3.org/TR/webauthn/
Support for U2F/WebAuthn is available in major browsers like Firefox and Chrome/ium.
Proposed solution
Another special abstraction (and permission) for U2F/WebAuthn access.
Actually, the security and isolation-focused distro Qubes OS has already developed a model, an abstraction and even software that can be used in their distro to abstract that: https://www.qubes-os.org/doc/u2f-proxy/
source code: https://github.com/QubesOS/qubes-app-u2f
The doc is really worth a read!
So maybe some kind of new portal? Or new permission?
Also discussed at
- GitHub of the experimental unofficial Firefox flatpaks, see https://github.com/xhorak/firefox-devedition-flatpak/issues/51 https://github.com/xhorak/firefox-devedition-flatpak/issues/87 https://github.com/xhorak/firefox-devedition-flatpak/issues/95
- Fedora Discourse regarding Fedora Silverblue: https://github.com/xhorak/firefox-devedition-flatpak/issues/95
Other useful links
(sponsored sites, but visibly nice)
https://webauthn.io/
Cross-posted from:
(Actually, I requested the idea there first.)
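
An added example, not part of the original post and not Flatpak or Qubes code: one way a broker on the host could narrow access from "all devices" to FIDO authenticators only, by parsing each HID report descriptor for the FIDO usage page (0xF1D0) and failing closed on malformed input. It assumes Linux hidraw sysfs paths; the function names and sample descriptors are constructed for illustration.

```python
import glob

FIDO_USAGE_PAGE = 0xF1D0   # HID usage page assigned to the FIDO Alliance
FIDO_USAGE_CTAPHID = 0x01  # usage of the U2F/CTAP authenticator interface
# Constructed sample descriptors (not captured from real hardware).
FIDO_SAMPLE = bytes.fromhex(
    "06d0f1 0901 a101 0920 1500 26ff00 7508 9540 8102"
    " 0921 1500 26ff00 7508 9540 9102 c0")
KEYBOARD_SAMPLE = bytes.fromhex(
    "0501 0906 a101 0507 19e0 29e7 1500 2501 7501 9508 8102 c0")

def is_fido_descriptor(desc: bytes) -> bool:
    """True if a top-level application collection is tagged FIDO/CTAPHID."""
    usage_page = usage = None
    depth = i = 0
    while i < len(desc):
        prefix = desc[i]
        if prefix == 0xFE:  # long item: size byte, tag byte, then data
            if i + 1 >= len(desc):
                return False
            i += 3 + desc[i + 1]
            continue
        size = (0, 1, 2, 4)[prefix & 0x03]
        data = desc[i + 1:i + 1 + size]
        if len(data) < size:  # truncated descriptor: fail closed
            return False
        value, tag = int.from_bytes(data, "little"), prefix & 0xFC
        if tag == 0x04:                    # Global item: Usage Page
            usage_page = value
        elif tag == 0x08 and depth == 0:   # Local item: Usage
            usage = value
        elif tag == 0xA0:                  # Main item: Collection
            if (depth == 0 and value == 0x01 and usage_page == FIDO_USAGE_PAGE
                    and usage == FIDO_USAGE_CTAPHID):
                return True
            depth += 1
        elif tag == 0xC0:                  # Main item: End Collection
            depth = max(0, depth - 1)
        if prefix & 0x0C == 0:             # local state resets after a main item
            usage = None
        i += 1 + size
    return False

def fido_hidraw_nodes(sysfs="/sys/class/hidraw"):
    """Return the /dev/hidrawN nodes whose descriptor marks them as FIDO."""
    nodes = []
    for path in sorted(glob.glob(f"{sysfs}/hidraw*/device/report_descriptor")):
        try:
            with open(path, "rb") as f:
                if is_fido_descriptor(f.read()):
                    nodes.append("/dev/" + path.split("/")[-3])
        except OSError:
            continue  # unreadable device: do not expose it
    return nodes
```

Only the nodes this returns would be candidates for passing into the sandbox; keyboards, storage and other HID devices stay on the host side.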