Closed rugk closed 4 years ago
It could probably work without it but the command becomes very ugly:
flatpak run --file-forwarding ind.ie.Gnomit @@ /a/path @@
The network permission also seems unnecessary.
The network permission also seems unnecessary.
Good point, indeed!
but the command becomes very ugly
Yeah, but this is one value you set in your git config one time. That's it! And it strengthens the sandbox (not to say it fixes a big "loop hole"), so IMHO it is very much worth it.
Regarding not having the host file system permission: I don’t understand how that could work as the commit message editor is meant to work with any number of repositories on your machine and the commit message file that is passed to it is repository-specific. Having you re-register your editor per repository is not a tenable proposition. Am I missing something?
Regarding network permissions: I don’t see why that’s necessary either. I will test it without and remove it if it isn’t necessary.
Could not you just use relative paths? E.g. allow access to ./.git
or where the file is stored? And if you are in a subdir you may be able to just also whitelist ../.git
, ../../.git
and so on?
@aral The command I posted will grant access to any file passed to it. Since it only needs to open individual files it should work fine.
Is /a/path some sort of custom glob? I thought it would only grant access to, literally, /a/path
Aral
Sent from my iPhone
On 21 Oct 2018, at 15:24, TingPing notifications@github.com wrote:
@aral The command I posted will grant access to any file passed to it. Since it only needs to open individual files it should work fine.
— You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub, or mute the thread.
Its a file path, any file path...
Closing this as Sonny’s changes have now been merged.
…because this effectively allows a sandbox escape:
http://flatkill.org/
So it would be great, if it can be used without it.