So i was installing a repack on my linux system, using bottles because of its flatpak sandbox.
As the install was wrapping, it asked the standard question about redirecting the websites, I (probably thinking nothing will happen) didn’t uncheck anything, and to my surprise, it opened the Firefox browser on my main system and launched the website: giving me quite the spook
doesn’t this mean that anything i install on bottles can somehow still ping home even if I disable networking from Flatseal?
am I being paranoid or is this a serious security flaw?
After a quick read over some parts of the article, and looking into the Bottles flatpak manifest, I don’t think the sandbox escapes listed apply to Bottles - as long as you are exclusively using Wayland-compatible apps besides your games.
Sadly electron is still a pita, so closing Discord and VSCode while gaming would be necessary (or restrict their host access, which would break sharing files in Discord and many more things in VSCode).
So yes, I sadly have to agree, don’t rely on a sandbox, unless your not running X11.
Luckily wine will soon support Wayland, so removing X11 access from Bottles would break this specific sandbox escape. Otherwise I do think flatpak/bubblewrap sandboxing is pretty solid.