Certainly an interesting vulnerability, but one you shouldn’t worry about.
If you do really care about sandbox security, the first thing I would recommend doing is globally blocking filesystem access to anywhere in your $HOME that runs script code, such as:
bash files like ~/.bashrc and ~/.bash_profile
~/.local/bin and ~/bin
~/.ssh
I have a script that I use to control flatpak overrides and I do something like this:
# paths to block
GLOBAL_RESTRICTION_PATHS=(
    "~/.bash_logout"
    "~/.bash_profile"
    "~/.bashrc"
    "~/.profile"
    "~/.ssh"
    "~/.zshenv"
    "xdg-config/zsh"
    "~/.local/bin"
    "xdg-config/systemd"
)
# globally block these paths
for path in "${GLOBAL_RESTRICTION_PATHS[@]}"; do
    flatpak --user override --nofilesystem="$path"
done
# but allow some apps like text editors to access them
for path in "${GLOBAL_RESTRICTION_PATHS[@]}"; do
    flatpak --user override --filesystem="$path" org.gnome.TextEditor
done
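One way to check the result of the script above, as an added example that is not part of the original post: it reads a Flatpak override keyfile and lists the restricted paths that have no `!path` denial under `[Context]`. The function names and the sample file are constructed for illustration; on a real system the user-level global overrides are assumed to be in `~/.local/share/flatpak/overrides/global`.

```bash
#!/usr/bin/env bash
# Added example: report which restricted paths are NOT denied in a
# Flatpak override keyfile (the file that `flatpak override` writes).

# Same entries as GLOBAL_RESTRICTION_PATHS in the post.
RESTRICTED="~/.bash_logout ~/.bash_profile ~/.bashrc ~/.profile ~/.ssh ~/.zshenv xdg-config/zsh ~/.local/bin xdg-config/systemd"

# Print the value of filesystems= from the [Context] group only.
context_filesystems() {
    awk '
        /^\[/ { in_ctx = ($0 == "[Context]"); next }
        in_ctx && /^filesystems=/ { sub(/^filesystems=/, ""); print; exit }
    ' "$1"
}

# missing_denials FILE: print each restricted path lacking a "!path" entry.
missing_denials() {
    fs=";$(context_filesystems "$1");"
    for p in $RESTRICTED; do
        case "$fs" in
            *";!$p;"*) ;;                 # denied, nothing to report
            *) printf '%s\n' "$p" ;;      # not denied (absent or allowed)
        esac
    done
}

# Constructed sample: ~/.ssh is allowed instead of denied, and the
# xdg-config/systemd denial sits in the wrong group, so both are reported.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
[Context]
filesystems=!~/.bash_logout;!~/.bash_profile;!~/.bashrc;!~/.profile;!~/.zshenv;!xdg-config/zsh;!~/.local/bin;~/.ssh;

[Environment]
filesystems=!~/.ssh;!xdg-config/systemd;
EOF

missing_denials "$sample"
```

An empty result means every path in the list is denied in that file; run it against a per-app override file to see which denials that app no longer has.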