From e5607c74c685f0291ddcdcebc0524cebae4bb137 Mon Sep 17 00:00:00 2001 From: Tommy Date: Mon, 15 Jan 2024 01:14:53 -0700 Subject: [PATCH] Update flatpak overrides Signed-off-by: Tommy --- content/posts/linux/Desktop Linux Hardening.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/content/posts/linux/Desktop Linux Hardening.md b/content/posts/linux/Desktop Linux Hardening.md index e5ea578..e83f207 100644 --- a/content/posts/linux/Desktop Linux Hardening.md +++ b/content/posts/linux/Desktop Linux Hardening.md @@ -102,11 +102,17 @@ Some sandboxing solutions for desktop Linux distributions do exist; however, the You can restrict applications further by setting [Flatpak overrides](https://docs.flatpak.org/en/latest/flatpak-command-reference.html#flatpak-override). This can be done with the command line or by using [Flatseal](https://github.com/tchx84/Flatseal). To deny common dangerous Flatpak permissions globally, run the following commands: ```bash -sudo flatpak override --system --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --unshare=network --unshare=ipc --nofilesystem=host:reset -flatpak override --user --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --unshare=network --unshare=ipc --nofilesystem=host:reset +sudo flatpak override --system --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=input --nodevice=shm --nodevice=all +flatpak override --user --nosocket=x11 --nosocket=fallback-x11 --nosocket=pulseaudio --unshare=network --unshare=ipc --nofilesystem=host:reset --nodevice=input --nodevice=shm --nodevice=all ``` - Note that this only helps with lax high‑level default permissions and cannot solve the low‑level issues like `/proc` and `/sys` access or an insufficient seccomp blacklist. +To allow Flatseal to function after applying the overrides above, run the following command: + +```bash +flatpak --user override com.github.tchx84.Flatseal --filesystem=/var/lib/flatpak/app:ro --filesystem=xdg-data/flatpak/app:ro --filesystem=xdg-data/flatpak/overrides:create +``` + +Note that this only helps with lax high‑level default permissions and cannot solve the low‑level issues like `/proc` and `/sys` access or an insufficient seccomp blacklist. Some sensitive permissions of note: