Lock down flatpak software management

debian/security-misc-shared.displace

@@ -4,3 +4,4 @@
 /etc/securetty.security-misc
 /etc/security/faillock.conf.security-misc
 /etc/usbguard/usbguard-daemon.conf.security-misc
+/usr/share/polkit-1/actions/org.freedesktop.Flatpak.policy.security-misc

debian/security-misc-shared.hide

@@ -0,0 +1,6 @@
+## Copyright (C) 2025 - 2025 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
+## See the file COPYING for copying conditions.
+
+## Allows users in the 'sudo' group to install Flatpak software without
+## authorization. Breaks user/sysmaint separation, thus disabled.
+/usr/share/polkit-1/rules.d/org.freedesktop.Flatpak.rules

debian/security-misc-shared.install

@@ -127,6 +127,7 @@ usr/share/pam-configs/unix-faillock-security-misc#security-misc-shared => /usr/s
 usr/share/pam-configs/console-lockdown-security-misc#security-misc-shared => /usr/share/pam-configs/console-lockdown-security-misc
 usr/share/pam-configs/mkhomedir-security-misc#security-misc-shared => /usr/share/pam-configs/mkhomedir-security-misc
 usr/share/pam-configs/pam-abort-on-locked-password-security-misc#security-misc-shared => /usr/share/pam-configs/pam-abort-on-locked-password-security-misc
+usr/share/polkit-1/actions/org.freedesktop.Flatpak.policy.security-misc#security-misc-shared => /usr/share/polkit-1/actions/org.freedesktop.Flatpak.policy.security-misc
 usr/share/lintian/overrides/security-misc-shared#security-misc-shared => /usr/share/lintian/overrides/security-misc-shared
 usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf#security-misc-shared => /usr/share/security-misc/lkrg/30-lkrg-virtualbox.conf
 usr/share/security-misc/lkrg/lkrg-virtualbox#security-misc-shared => /usr/share/security-misc/lkrg/lkrg-virtualbox