qubes-mirage-firewall VS Flatseal

2) https://github.com/mirage/qubes-mirage-firewall is by far a better firewall for Qubes than OpenBSD ever will be - unikernels are far more secure than a traditional operating system is and you can read all about it on https://mirageos.org/

That's correct. It does mean that the closest to a self-contained program you can run is a unikernel like the mirage-firewall, unfortunately. On the upside, those remain easily portable to essentially anything that can run VMs so long as you adjust the image format.

That sounds similar to a unikernel. There are actual uses for those in seL4 and Qubes OS such as a firewall-qube (in theory unikernel qubes should be able to take far less system resources to run than full Linux+distro qubes).

Here's one that is "production" ready: the Mirage-Firewall microkernel running on Qubes OS.[0]

[0] : https://github.com/mirage/qubes-mirage-firewall

sys-net, sys-firewall and other administrative vms should slowly migrate to unikernels instead of running linux, which should help with ram usage. The mirage.io project seems to build a couple qubes vms, for example https://github.com/mirage/qubes-mirage-firewall is a firewall which they indicate to give 64Mb of ram.

And not only that, the idea of portals is, IMO, misguided. See this view/bugreport when a flatseal user understands that even though they restricted permissions to access a certain area, the flatpak, itself, can ask to open files there and if OK'd that will be allowed. Their expectation is that with the overrides say "no access" it means "no access even if the flatpak asks very nicely". https://github.com/tchx84/Flatseal/issues/196

Since you installed the programme via Flatpak, you should simply lack the necessary rights (https://docs.flatpak.org/en/latest/sandbox-permissions.html). You can extend the rights quite easily with https://github.com/tchx84/flatseal.

Yes, filed https://github.com/tchx84/Flatseal/issues/196 a while ago, got no joy.

One design feature than can turn into an issue in some scenarios (usually dev tools) is the permissions of a flatpak. In case I need to tweak things, I use Flatseal. I know you can manually do this from the command line but I don’t change permissions that often so I don’t bother learning how to do that.

Does the Flatpak Permissions Settings replace a tool like Flatseal?

What about flatseal then ? https://github.com/tchx84/Flatseal

https://github.com/tchx84/Flatseal (Also on Discover. For security reasons, the Discover store installs apps as sandboxed "flatpak" apps. This one is used to view what each up can do and change the permissions of apps. May be required if the sandboxing breaks something, though usually not required.)

I believe it does. As an example if I try running Godot from the Steam flatpak, it won't be able to see any of the contents of my ~/Projects folder unless I explicitly allow the steam flatpak access to that directory that via flatpak's CLI options or using Flatseal