Set home filesystem access to read only #146
Conversation
Add overrides for config files and download directory.
|
Started test build 18022 |
|
Build 18022 successful |
|
Started test build 18034 |
|
Build 18034 successful |
|
This will conflict with #143; please don't merge this one. This app needs that to suppress the operating system check. |
| "--filesystem=home:ro", | ||
| "--filesystem=xdg-download", | ||
| "--filesystem=xdg-config/zoomus.conf:create", | ||
| "--filesystem=~/.zoom:create" |
There was a problem hiding this comment.
Won't this result in the zoom directory being created in the (real) user's $HOME?
There was a problem hiding this comment.
I m currently using the zoom flatpak with out this PR, and that directory is already there and being used.
|
Yeah, and that's the issue: flatpaks should not dump arbitrary files into `$HOME`. If an app misbehaves and litters `$HOME`, it's best to not expose that to the host.
|
|
@WhyNotHugo I very much agree. As far as I can tell, the only thing zoom needs in terms of static host filesystem acces is xdg-download:create, as zoom should be using xdg-desktop-portal's file chooser. Of course, since this is not the case, the only real solution at the moment is to simply deny zoom the ability to open files, and figure out a way to get the ~/Documents directory in the sandbox to point to the host's xdg-download directory, ideally in :create mode somehow. If anyone really needs zoom to be able to handle uploading/downloading files in an even somewhat secure way, my advice is to switch to the web client and never look back. |
Add overrides for config files and download directory.
Fix #18 similar to com.skype.Client flatpak.