I’m not entirely sure, but aren’t you spawning a new process ping that has internet access? So all commands you run in a flatpak terminal have all permissions. Even if the terminal itself doesn’t have them.
I might be badly mistaken so don’t take my answer as authoritative, but I think you may be misunderstanding the role of a Terminal Emulator (and how that differs from a shell or the cli programs you interact with within that shell).
My very basic understanding is that the Terminal Emulator is just the GUI desktop application you use to interact with the shell. The shell is the CLI (command-line interface), and the command ping is actually its own application. You are interacting with it via the CLI and interacting with the CLI through your Terminal Emulator.
You’ve restricted Contour from the network permission. But in your example, you are using Contour to interact with a separate application (called ping) from the CLI. You’ve restricted your terminal emulator from network access, but it doesn’t need it because it’s just being used to run a local application called ping (located at /usr/bin/ping)
Right. What the others tried to explain is that the tty itself is not accessing the network: the package ping is accessing it. It’s a package preinstalled on Fedora and other distros, and it’s not installed via Flatpak.
Your permissions for the tty (terminal emulator you installed) Flatpak include access to 3 session bus instances: KDE, Freedesktop and and something by Canonical which I don’t know what it is or why you have it on Fedora - but that’s just my incomplete knowledge.
This allows your tty to communicate with the shell. Because without that permission it’s useless, right? So, it uses its session bus access to do just that. It is then the processes like ping or whatever else you tell the shell to activate that do the stuff you want them to do. Their work has nothing to do with the tty’s Flatpak permissions.
To put it more simply, your permissions are just right, from what I can see. It’s the minimum that the tty needs to communicate with your shell. All the other stuff is the work of the shell. Hope this helps :3
For a nice explanation about what a session bus is and how it’s different from system bus, I’d recommend this blog post.
ETA2: oh and it has access to Wayland socket in order to properly display the GUI elements like its window on your screen.
Hey - just wanted to say - big up for this comment, I wish I had read this explained so well at the time when I was trying to figure this exact part out, earlier in my Linux journey.
Some websites/courses do explain Linux more or less well but there is definitely a lot of jargon and slight gotchas in that realm that you can pass by yes.
@foolclown@xe3 Thank you for your explanations. I understand the technical explanations. But my concern is not about terminal app. I want to learn how to block other Flatpak apps. For example I don’t trust Calibre. But it is the only apps which can open many different formats. I installed it via Flatpak and I disable many permissions. But with which permissions I can be sure that Calibre can not access internet. Thats my problem.
Calibre was a simple example. There are many apps like this. But If they can not access internet I will be safe enough.
Needs to be checked, if this could also be used as a sandbox escape. Purely speculating from its name it might be able to generate menu entries which could contain arbitrary commands.
Many permissions could theoretically be abused as a sandbox escape to gain network access. A simple example is home folder write access.
