Harden Permission - Githubissues

flathub / io.gitlab.librewolf-community

https://flathub.org/apps/details/io.gitlab.librewolf-community

15 stars 11 forks source link

Harden Permission #101

Open czhang03 opened 7 months ago

czhang03 commented 7 months ago

remove download file permission to use file chooser portal instead
move .mozilla folder to app sandbox from the user home folder, by adding it as a persistent folder.

flathubbot commented 7 months ago

Started test build 111245

flathubbot commented 7 months ago

Build 111245 successful To test this build, install it from the testing repository:

flatpak install --user https://dl.flathub.org/build-repo/94061/io.gitlab.librewolf-community.flatpakref

guihkx commented 5 months ago

remove download file permission to use file chooser portal instead

This change will likely break automatic downloads.

move .mozilla folder to app sandbox from the user home folder, by adding it as a persistent folder.

But LibreWolf doesn't seem to read or write from such folder, though?

czhang03 commented 5 months ago

But LibreWolf doesn't seem to read or write from such folder, though?

On my machine, it does. I have put the folder in the app sandbox, and it now has content. Since all my app is flatpak, I think only librewolf has access to that folder.

flathubbot commented 5 months ago

Started test build 124812

flathubbot commented 5 months ago

Build 124812 successful To test this build, install it from the testing repository:

flatpak install --user https://dl.flathub.org/build-repo/107778/io.gitlab.librewolf-community.flatpakref

guihkx commented 4 months ago

On my machine, it does. I have put the folder in the app sandbox, and it now has content. Since all my app is flatpak, I think only librewolf has access to that folder.

Well, I don't know, but it sounds unlikely to me that LibreWolf would even be touching the .mozilla folder, which is owned by Firefox.

Let's see what maintainers think.

lainedfles commented 4 months ago

I'm not a maintainer but based on the LibreWolf source patch, LibreWolf shouldn't use .mozilla by default. Are you setting the -profile option?

Omission of --filesystem=xdg-download:rw should result in a request to the XDG Desktop Portal file chooser but if broad compatibility is intended, this may not be a good idea since it seems that file chooser capability hasn't been implemented for a few of the backends. Although, Flatpak permissions are trivial to override manually or via utilities like Flatseal, perhaps this is something that should continue to match upstream Firefox? 🤷🏻