• novafunc@discuss.tchncs.de
    1 day ago

    Certainly an interesting vulnerability, but one you shouldn’t worry about.

    If you do really care about sandbox security, the first thing I would recommend doing is globally blocking filesystem access to anywhere in your $HOME that runs script code, such as:

    • bash files like ~/.bashrc and ~/.bash_profile
    • ~/.local/bin and ~/bin
    • ~/.ssh

    I have a script that I use to control flatpak overrides and I do something like this:

    # paths to block
    GLOBAL_RESTRICTION_PATHS=(
        "~/.bash_logout"
        "~/.bash_profile"
        "~/.bashrc"
        "~/.profile"
        "~/.ssh"
        "~/.zshenv"
        "xdg-config/zsh"
        "~/.local/bin"
        "xdg-config/systemd"
    )
    
    # globally block these paths
    for path in "${GLOBAL_RESTRICTION_PATHS[@]}"; do
        flatpak --user override --nofilesystem="$path"
    done
    
    # but allow some apps like text editors to access them
    for path in "${GLOBAL_RESTRICTION_PATHS[@]}"; do
        flatpak --user override --filesystem="$path" org.gnome.TextEditor
    done
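
A check for the override setup described in the comment above, as an added example that is not part of the original post: it reads override keyfile text and reports which of the listed paths are not blocked globally, or are granted again to one app. It assumes the keyfile form `filesystems=a;!b;` in which `!` marks a `--nofilesystem` entry; the function names and sample data are constructed for illustration.

```bash
# Paths from the post above. Flatpak itself interprets "~/" and "xdg-config/",
# so they are kept as literal strings and never expanded by the shell.
SENSITIVE_PATHS='~/.bash_logout ~/.bash_profile ~/.bashrc ~/.profile ~/.ssh
~/.zshenv xdg-config/zsh ~/.local/bin xdg-config/systemd'

# Print the filesystems= entries of keyfile text on stdin, one per line.
fs_entries() {
    sed -n 's/^filesystems=//p' | tr ';' '\n' | sed '/^$/d'
}

# Print each sensitive path that the keyfile on stdin does NOT negate ("!path").
missing_blocks() (
    entries=$(fs_entries)
    for path in $SENSITIVE_PATHS; do
        if ! printf '%s\n' "$entries" | grep -qxF -- '!'"$path"; then
            printf '%s\n' "$path"
        fi
    done
)

# Print each sensitive path that the keyfile on stdin grants again,
# with or without a :ro / :rw / :create suffix.
regranted_paths() (
    entries=$(fs_entries | sed -E 's/:(ro|rw|create)$//')
    for path in $SENSITIVE_PATHS; do
        if printf '%s\n' "$entries" | grep -qxF -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
)

# Constructed sample: a global override that forgot ~/.ssh and ~/.local/bin.
SAMPLE_GLOBAL='[Context]
filesystems=!~/.bash_logout;!~/.bash_profile;!~/.bashrc;!~/.profile;!~/.zshenv;!xdg-config/zsh;!xdg-config/systemd;'

# Constructed sample: a per-app override that re-opens two of the paths.
SAMPLE_APP='[Context]
filesystems=~/.ssh:ro;~/.bashrc;xdg-download;'

echo "Not blocked globally:"
printf '%s\n' "$SAMPLE_GLOBAL" | missing_blocks
echo "Re-granted to the app:"
printf '%s\n' "$SAMPLE_APP" | regranted_paths

# On a real system (assuming --show prints the same keyfile form):
#   flatpak override --user --show | missing_blocks
#   flatpak override --user --show org.gnome.TextEditor | regranted_paths
```
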