crabdancing
commented
4 months ago Aww, you're welcome!
I had this whole thing typed up to debug it, but I actually think I know exactly what's going on, more or less -- given the symptoms you've described. nixpak-flatpak-wrapper's only job is to trick the part of the stack that explicitly calls flatpak binary, into thinking that flatpak binary says it has such and such permissions to this or that.
It can't actually change the bwrap permissions. It just tricks the program into understanding that it can write to a given directory -- whether or not it actually can.
So the problem is likely with your nixpak config itself, based on my understanding of your situation.
Would adding (sloth.concat' sloth.homeDir "/Downloads") under bind.rw for your nixpak-packaged Chromium instance happen to fix this?
If not... sorry if I've misinterpreted something. If you paste the nixpak and nixpak-flatpak-wrapper parts of your system config, I'd be happy to take a look! :)
networkException
Hi!
Thanks a lot for going to the effort of actually implementing this. I've been somewhat successful at sandboxing chromium with nixpak, with the notable exception of downloads so far.
With your wrapper it seems to be more confident that it can actually download files (it doesn't show as deleted immediately after) but downloaded files still end up in a sandboxed directory (inspectable with
file://) rather than on the host.Have you experienced this before?