Why does Wire run with --no-sandbox ?

[Mikaela]

I was testing if flatpak run com.wire.WireDesktop --startup is the method for starting Wire in the background and looked into htop to see how it affects my memory usage and happened to notice that Wire gets parameter --no-sandbox and I started wondering why? Is Flatpak so well sandboxed that it's unnecessary to have sandboxing in Wire? I think the permissions already look a bit wide.

com.wire.WireDesktop/com.wire.WireDesktop.json

Lines 12 to 24 in 258bf19

	"finish-args": [
	"--device=all",
	"--device=dri",
	"--filesystem=home",
	"--share=ipc",
	"--share=network",
	"--socket=pulseaudio",
	"--socket=wayland",
	"--socket=x11",
	"--talk-name=com.canonical.AppMenu.Registrar",
	"--talk-name=org.freedesktop.Notifications",
	"--talk-name=org.freedesktop.secrets"
	],

[Mikaela]

This appears to come from Wire upstream judging by wireapp/wire-desktop#2507.

[TingPing]

Also the Chrome sandbox can't run inside Flatpak anyway.

[fermulator]

Why did this get closed? (the question has not been answered) - #2507 is not related

[TingPing]

It is impossible to run the current Chromium sandbox inside of Flatpak. So the upstream answer doesn't even matter anyway.

[Mikaela]

It is impossible to run the current Chromium sandbox inside of Flatpak.

Why? Is there an issue about that somewhere? Is Flatpak sandbox more secure than the Chromium one, does it render the Chromium one unrequired?

[TingPing]

The namespace API is considered insecure so its part of the syscall blacklist.

Chromium would have to be ported to use flatpak-spawn.

No the situation is not more secure.