mirror of
https://github.com/PrivSec-dev/privsec.dev.git
synced 2024-12-14 10:14:49 -05:00
Update flatpak overrides
Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
parent
c817cfc4da
commit
e5607c74c6
@ -102,11 +102,17 @@ Some sandboxing solutions for desktop Linux distributions do exist; however, the
|
||||
You can restrict applications further by setting [Flatpak overrides](https://docs.flatpak.org/en/latest/flatpak-command-reference.html#flatpak-override). This can be done with the command line or by using [Flatseal](https://github.com/tchx84/Flatseal). To deny common dangerous Flatpak permissions globally, run the following commands:
|
||||
|
||||
```bash
|
||||
sudo flatpak override --system --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --unshare=network --unshare=ipc --nofilesystem=host:reset
|
||||
flatpak override --user --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --unshare=network --unshare=ipc --nofilesystem=host:reset
|
||||
sudo flatpak override --system --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=input --nodevice=shm --nodevice=all
|
||||
flatpak override --user --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=input --nodevice=shm --nodevice=all
|
||||
```
|
||||
|
||||
Note that this only helps with lax high‑level default permissions and cannot solve the low‑level issues like `/proc` and `/sys` access or an insufficient seccomp blacklist.
|
||||
To allow Flatseal to function after applying the overrides above, run the following command:
|
||||
|
||||
```bash
|
||||
flatpak --user override com.github.tchx84.Flatseal --filesystem=/var/lib/flatpak/app:ro --filesystem=xdg-data/flatpak/app:ro --filesystem=xdg-data/flatpak/overrides:create
|
||||
```
|
||||
|
||||
Note that this only helps with lax high‑level default permissions and cannot solve the low‑level issues like `/proc` and `/sys` access or an insufficient seccomp blacklist.
|
||||
|
||||
Some sensitive permissions of note:
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user