From 07f018f614b4d527565a3f54e66beb50af01eb5e Mon Sep 17 00:00:00 2001 From: Tommy Date: Tue, 2 Apr 2024 17:04:05 -0700 Subject: [PATCH] Add --no-talk-name=org.freedesktop.Flatpak Signed-off-by: Tommy --- content/posts/linux/Desktop Linux Hardening.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/content/posts/linux/Desktop Linux Hardening.md b/content/posts/linux/Desktop Linux Hardening.md index 9c41a2a..c685080 100644 --- a/content/posts/linux/Desktop Linux Hardening.md +++ b/content/posts/linux/Desktop Linux Hardening.md @@ -102,8 +102,8 @@ Some sandboxing solutions for desktop Linux distributions do exist; however, the You can restrict applications further by setting [Flatpak overrides](https://docs.flatpak.org/en/latest/flatpak-command-reference.html#flatpak-override). This can be done with the command line or by using [Flatseal](https://github.com/tchx84/Flatseal). To deny common dangerous Flatpak permissions globally, run the following commands: ```bash -sudo flatpak override --system --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=input --nodevice=shm --nodevice=all -flatpak override --user --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=input --nodevice=shm --nodevice=all +sudo flatpak override --system --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=input --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak +flatpak override --user --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=input --nodevice=shm --nodevice=all --no-talk-name=org.freedesktop.Flatpak ``` To allow Flatseal to function after applying the overrides above, run the following command: 
@@ -120,6 +120,7 @@ Some sensitive permissions of note: - `--socket=pulseaudio`: the PulseAudio socket, grants access to all audio devices (including inputs) - `--device=all`: access to all devices (including webcams) - `--talk-name=org.freedesktop.secrets`: D‑Bus access to secrets stored on your keychain +- `--talk-name=org.freedesktop.Flatpak`: D‑Bus access to run `flatpak run`. This D‑Bus is a sandbox escape. If an application works natively with Wayland (*not* running through the [XWayland](https://wayland.freedesktop.org/xserver.html) compatibility layer), consider revoking its access to X11 (`--nosocket=x11`) and the [inter‑process communications (IPC)](https://en.wikipedia.org/wiki/Unix_domain_socket) socket (`--unshare=ipc`) as well.
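Review bot: In the first hunk (the two `flatpak override` lines), `--no-talk-name=org.freedesktop.Flatpak` only takes effect for applications whose session bus access is filtered, and neither line adds `--nosocket=session-bus`. An application that ships with `--socket=session-bus` talks to the bus unfiltered and can still reach this name. Consider adding `--nosocket=session-bus` to both lines, or stating that limitation in the text under the code block. The sentence after the block says a further command lets Flatseal function after these overrides. That command is not part of this hunk, so please confirm it is still sufficient now that this name is denied globally. As a style point, the `--system` and `--user` lines now carry an identical eleven-flag list, so every future addition has to be made twice. A short note that the two lists must stay in sync would help the next editor.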
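Review bot: In the second hunk, the added bullet for `--talk-name=org.freedesktop.Flatpak` is worded loosely: "This D‑Bus is a sandbox escape" does not say what is being escaped or how, and "D‑Bus access to run `flatpak run`" reads as if the permission only starts other Flatpaks. Suggest naming the consequence in one clause, for example "D‑Bus access to the Flatpak service, which lets the application start commands outside its sandbox", so the reader sees why it is listed among the sensitive permissions. The other bullets in this list are a single phrase with no closing period, while the new one is two sentences ending in a period. Matching the existing form keeps the list consistent.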