Bugzilla

*"The sandbox either uses user namespaces or setuid namespaces"*

The sandbox consists of 2 layers, one of which is user namespaces, the other being seccomp-bpf filtering. There's a lot of relevant comments in bug 1756236 FWIW.

I'm not sure it makes much sense to try to quantify Flatpak as "equally/more/less secure" as the native browser. It's different because you end up with a sandboxed parent process as well (which can cause different problems sometimes, sigh). I think it makes more sense to spend time on bug 1756236 after bug 1609882 ships.

*"The sandbox either uses user namespaces or setuid namespaces"*

The sandbox consists of 2 layers, one of which is user namespaces, the other being seccomp-bpf filtering. There's a lot of relevant comments in bug 1756236 FWIW.

I'm not sure it makes much sense to try to quantify Flatpak as "equally/more/less secure" as the native browser. It's different because you end up with a sandboxed parent process as well (which can cause different problems sometimes, sigh), and some of the isolation that the namespace is used for is perhaps already present in the Flatpak sandbox. 

I think it makes more sense to spend time on bug 1756236 after bug 1609882 ships rather than trying to do quantify this, but that's just me.

*"The sandbox either uses user namespaces or setuid namespaces"*

The sandbox consists of 2 layers, one of which is user namespaces, the other being seccomp-bpf filtering. There's a lot of relevant comments in bug 1756236 FWIW.

I'm not sure it makes much sense to try to quantify Flatpak as "equally/more/less secure" as the native browser. It's different because you end up with a sandboxed parent process as well (which can cause different problems sometimes, sigh), and some of the isolation that the namespace is used for is perhaps already present in the Flatpak sandbox. 

I think it makes more sense to spend time on bug 1756236 after bug 1609882 ships rather than trying to quantify this, but that's just me.