Flatpak 1.12 Released - Better Sub-Sandbox Handling To Benefit Steam

Flatpak 1.12 was just released along with issuing Flatpak 1.10.4 to address a security vulnerability in the portal support.

Flatpak 1.10.4 arrived to fix a security vulnerability in the portal code that as a result of some new Linux kernel system calls not being blocked by SECCOMP rules, applications could create sub-sandboxes to confuse the sandboxing verification mechanisms of the portal. The vulnerability disclosure explained, "An anonymous reporter discovered that Flatpak apps with direct access to AF_UNIX sockets such as those used by Wayland, Pipewire or pipewire-pulse can trick portals and other host-OS services into treating the Flatpak app as though it was an ordinary, non-sandboxed host-OS process, by manipulating the VFS using recent mount-related syscalls that are not blocked by Flatpak's denylist seccomp filter, in order to substitute a crafted /.flatpak-info or make that file disappear entirely."

Flatpak 1.12 was also released this morning as the newest stable feature release. Notable with Flatpak 1.12 is better control around sub-sandboxes which most notably is being used by the Steam Flatpak.

More details on the Flatpak 1.12 update via GitHub.