From c817cfc4da8267cd6d53b6099f6066bd3cfec983 Mon Sep 17 00:00:00 2001 From: Tommy Date: Thu, 11 Jan 2024 01:53:58 -0700 Subject: [PATCH] Update flatpak override recommendation Signed-off-by: Tommy --- content/posts/linux/Desktop Linux Hardening.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/content/posts/linux/Desktop Linux Hardening.md b/content/posts/linux/Desktop Linux Hardening.md index 834216b..e5ea578 100644 --- a/content/posts/linux/Desktop Linux Hardening.md +++ b/content/posts/linux/Desktop Linux Hardening.md 
@@ -99,7 +99,14 @@ Some sandboxing solutions for desktop Linux distributions do exist; however, the [Flatpak](https://flatpak.org) aims to be a distribution-agnostic package manager for Linux. One of its main goals is to provide a universal package format which can be used in most Linux distributions. It provides some [permission control](https://docs.flatpak.org/en/latest/sandbox-permissions.html). With that being said, [Flatpak sandboxing is quite weak](https://madaidans-insecurities.github.io/linux.html#flatpak). -You can restrict applications further by setting [Flatpak overrides](https://docs.flatpak.org/en/latest/flatpak-command-reference.html#flatpak-override). This can be done with the command line or by using [Flatseal](https://github.com/tchx84/Flatseal). Some sample overrides are provided by [me](https://github.com/tommytran732/Flatpak-Overrides) and [rusty-snake](https://github.com/rusty-snake/kyst/tree/main/flatpak). Note that this only helps with lax high‑level default permissions and cannot solve the low‑level issues like `/proc` and `/sys` access or an insufficient seccomp blacklist. +You can restrict applications further by setting [Flatpak overrides](https://docs.flatpak.org/en/latest/flatpak-command-reference.html#flatpak-override). This can be done with the command line or by using [Flatseal](https://github.com/tchx84/Flatseal). To deny common dangerous Flatpak permissions globally, run the following commands: + +```bash +sudo flatpak override --system --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --unshare=network --unshare=ipc --nofilesystem=host:reset +flatpak override --user --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --unshare=network --unshare=ipc --nofilesystem=host:reset +``` + + Note that this only helps with lax high‑level default permissions and cannot solve the low‑level issues like `/proc` and `/sys` access or an insufficient seccomp blacklist. Some sensitive permissions of note:
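Review bot: The new global-deny block (`sudo flatpak override --system --nosocket=x11 ... --unshare=network ... --nofilesystem=host:reset` and its `--user` twin) will stop any Flatpak that legitimately needs the network, X11 or PulseAudio from working, and the surrounding prose never says what the reader should do next; add a sentence after the fence explaining that this is a deny-by-default baseline and that permissions then have to be re-granted per application (for example `flatpak override --user --share=network <app-id>`, or through Flatseal), otherwise readers will apply it and find applications silently broken. Two smaller points in the same hunk: the removed line also dropped the links to the sample override collections (tommytran732/Flatpak-Overrides and rusty-snake/kyst), which are exactly where a reader would look for those per-app exceptions, so consider keeping that sentence alongside the new commands; and the re-added `+ Note that this only helps with lax high‑level default permissions ...` line starts with a stray leading space after two blank lines, which should be a single blank line with no indent so it renders as an ordinary paragraph.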