#1 Grant access to Kerberos in the host
Merged 4 years ago by xhorak. Opened 4 years ago by feborges.
flatpaks/ feborges/firefox poke-kerberos-hole  into  master

Grant access to Kerberos in the host
Felipe Borges • 4 years ago  
@@ -15,6 +15,7 @@ 

          --device=dri

          --share=network

          --socket=pulseaudio

+         --filesystem=/run/.heim_org.h5l.kcm-socket

Does this need any qualifier like :ro ?

          --filesystem=~/.cache/firefox:create

          --filesystem=~/.mozilla:create

          --filesystem=home:ro
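
Review bot: the added --filesystem=/run/.heim_org.h5l.kcm-socket line has no comment in the manifest, and its purpose is not evident from the path; add a comment above it saying that this is the host's Kerberos KCM credential-cache socket. The line also hardcodes one exact path, so the comment or the commit message should say that a host whose KCM socket is configured elsewhere is not covered by this grant. The question raised on this line about an access qualifier should be answered in the change description, since the neighbouring --filesystem entries in this hunk each state theirs (:create, :ro).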

This won't work on its own. It depends on the changes that landed
in https://gitlab.gnome.org/GNOME/gnome-build-meta/merge_requests/389
and should get propagated from the org.gnome.Platform//3.34 runtime
into the org.fedoraproject.Platform//f31 runtime.

Pull-Request has been merged by xhorak

4 years ago

Thanks @feborges! I really wish that file had a more obvious name. Is there any way to communicate to the user that it's for Kerberos without them knowing what the Kerberos filenames look like? For example, if we could add a description to each mount to describe what it was for, that may help.

Does this need any qualifier like :ro ?

> I really wish that file had a more obvious name. Is there any way to communicate
> to the user that it's for Kerberos without them knowing what the Kerberos filenames
> look like? For example, if we could add a description to each mount to describe what
> it was for, that may help.

Maybe we could have --socket=kerberos-kcm instead? Like we do for other well-known sockets like PulseAudio, Wayland, X11, etc.

However, I don't know how feasible it would be to implement it because /run/.heim_org.h5l.kcm-socket is just the default value of kcm_socket in krb5.conf(5). If the KCM cache is backed by SSSD, then you can also query the path using systemctl show --value --property Listen sssd-kcm.socket.
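
The lookup order described in the comment above, as an added example that is not part of the pull request or the Flatpak project: it reads kcm_socket from krb5.conf, falls back to the sssd-kcm.socket unit, then to the default path, and builds the matching --filesystem argument. The function names, the APP_ID placeholder and the choice to read only the [libdefaults] section of a single file are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the PR): find the host KCM socket for a Flatpak grant.
DEFAULT_KCM_SOCKET=/run/.heim_org.h5l.kcm-socket  # default named on this page

# Print kcm_socket from [libdefaults] of a krb5.conf file, or nothing if unset.
# Uses the first assignment found; include/includedir are not followed.
kcm_socket_from_conf() {
    [ -r "$1" ] || return 0
    awk '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { in_sec = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
        in_sec && /^[ \t]*kcm_socket[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            print; exit
        }
    ' "$1"
}

# Print the path sssd-kcm.socket listens on, or nothing when systemd or the
# unit is absent. systemctl appends the socket type, e.g. " (Stream)".
kcm_socket_from_systemd() {
    command -v systemctl >/dev/null 2>&1 || return 0
    systemctl show --value --property Listen sssd-kcm.socket 2>/dev/null |
        sed -n 's/ (.*$//; /^\//{p;q;}'
}

# Resolution order: krb5.conf setting, SSSD socket unit, then the default.
resolve_kcm_socket() {
    path=$(kcm_socket_from_conf "${1:-/etc/krb5.conf}")
    [ -n "$path" ] || path=$(kcm_socket_from_systemd)
    [ -n "$path" ] || path=$DEFAULT_KCM_SOCKET
    printf '%s\n' "$path"
}

# Build the --filesystem argument. Only absolute paths are accepted, because
# Flatpak reads bare names such as "home" or "host" as broad grants.
kcm_filesystem_arg() {
    path=$(resolve_kcm_socket "$1")
    case $path in
        /*) printf '%s\n' "--filesystem=$path" ;;
        *)  echo "unexpected KCM socket path: $path" >&2; return 1 ;;
    esac
}

# Usage (APP_ID is a placeholder): flatpak override --user "$(kcm_filesystem_arg)" APP_ID
```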