Flatpak 1.12.0 released: a system for self-contained packages

A new stable branch of the Flatpak 1.12 toolkit has been published. Flatpak provides a system for building self-contained packages that are not tied to a specific Linux distribution and run in a dedicated container that isolates the application from the rest of the system. Flatpak packages are supported on Arch Linux, CentOS, Debian, Fedora, Gentoo, Mageia, Linux Mint, ALT Linux and Ubuntu. Flatpak packages are included in the Fedora repository and are supported by the standard GNOME application management tool.

Key changes in the Flatpak 1.12 branch:

  • Improved control over nested sandbox environments, as used in the Flatpak package with the client for the Steam game delivery service. Inside a nested sandbox it is now possible to create separate /usr and /app hierarchies, which Steam uses to run games in their own container with their own /usr, isolated from the environment of the Steam client.
  • All instances of packages with the same application identifier (app-id) now share the /tmp directory and $XDG_RUNTIME_DIR. Optionally, the “--allow=per-app-dev-shm” flag enables a shared /dev/shm directory as well.
  • Improved support for applications with a text user interface (TUI), such as gdb.
  • The build-update-repo utility gained a faster implementation of the “ostree prune” command, optimized for repositories stored in archive mode.
  • Fixed vulnerability CVE-2021-41133 in the implementation of the portal mechanism, caused by the seccomp rules lacking entries that block newer mount-related system calls. The vulnerability allowed an application to create a nested sandbox that bypassed the “portals” verification mechanisms used to mediate access to resources outside the container.
    As a result, an attacker executing mount-related system calls could bypass the sandbox isolation and gain full access to the host environment. Exploitation is possible only in packages that give the application direct access to AF_UNIX sockets, which is the case, for example, with Wayland, PipeWire and PipeWire-Pulse.
    The 1.12.0 release did not fully eliminate the vulnerability, so update 1.12.1 was released shortly afterwards.
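The seccomp gap behind CVE-2021-41133 (classic mount calls blocked, newer mount-API calls not) is straightforward to audit for. The following is an added example, not Flatpak's own code: it checks an OCI-style seccomp profile for mount-family syscalls it leaves reachable. The syscall list and the sample profile are assumptions constructed for this example.

```python
"""Audit a seccomp profile for mount-family syscalls it fails to block."""
from typing import Dict, List, Set

# Mount-family syscalls to check. The first three are the classic calls; the
# rest belong to the newer mount API (open_tree/move_mount/fs* since Linux 5.2,
# mount_setattr since 5.12). A filter naming only the classic calls leaves the
# newer ones reachable, the shape of gap described above. This list is an
# assumption of this example, not Flatpak's own filter.
MOUNT_SYSCALLS: Set[str] = {
    "mount", "umount2", "pivot_root",
    "open_tree", "move_mount", "fsopen", "fsconfig",
    "fsmount", "fspick", "mount_setattr",
}
DENY_ACTIONS = {"SCMP_ACT_ERRNO", "SCMP_ACT_KILL",
                "SCMP_ACT_KILL_PROCESS", "SCMP_ACT_TRAP"}


def syscalls_with_action(policy: Dict, actions: Set[str]) -> Set[str]:
    """Names listed under any rule whose action is in `actions`."""
    names: Set[str] = set()
    for rule in policy.get("syscalls", []):
        if rule.get("action") in actions:
            names.update(rule.get("names", []))
    return names


def mount_gaps(policy: Dict) -> List[str]:
    """Mount-family syscalls the profile leaves reachable, sorted by name.

    `policy` follows the OCI seccomp profile shape: a defaultAction plus a
    list of {names, action} rules.
    """
    if policy.get("defaultAction") in DENY_ACTIONS:
        # Deny-by-default: a gap is a mount syscall that is explicitly allowed.
        reachable = syscalls_with_action(policy, {"SCMP_ACT_ALLOW"})
    else:
        # Allow-by-default: a gap is a mount syscall that is not explicitly denied.
        reachable = MOUNT_SYSCALLS - syscalls_with_action(policy, DENY_ACTIONS)
    return sorted(MOUNT_SYSCALLS & reachable)


# Constructed sample: allow-by-default, blocking only the classic mount calls.
SAMPLE_POLICY = {
    "defaultAction": "SCMP_ACT_ALLOW",
    "syscalls": [
        {"names": ["mount", "umount2", "pivot_root"], "action": "SCMP_ACT_ERRNO"},
    ],
}

if __name__ == "__main__":
    for name in mount_gaps(SAMPLE_POLICY):
        print("not blocked:", name)
```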
