removed host filesystem access, replaced with sane locations

[boredsquirrel]

it should not have host access

This is not hardening, its simply all the locations media file actually are at. Its a start for easier hardening also for users

• --filesystem=home
• --filesystem=/media
• --filesystem=/mnt
• --filesystem=/run/media
• --filesystem=/var/run/media
• --filesystem=/var/mnt

[tsdgeos]

Why can't I use gwenview to browse the icons at /usr/share/icons ?

[boredsquirrel]

@tsdgeos good point. Does the flatpak support polkit? Could it also modiy such icons?

[boredsquirrel]

I think simply granting host is not good practice, but it has to be able to open and modify what it can

[tsdgeos]

@tsdgeos good point. Does the flatpak support polkit? Could it also modiy such icons?

Why are you asking me instead of you trying it? You're the one proposing this change.

[boredsquirrel]

I am not asking you, I am proposing a change and here is the discussion, this is not set but open for changes.

I tried to save to a system dir, I am on ostree so /usr is read only, but etc seemed to work but it doesnt actually create a file. It seems broken, the Flatpak views a file in /run too, I guess this is a Flatpak limitation

So I dont know if this is an edge use case. I would propose to set host to read only and the rest to read-write.

But if this is wanted, for this app, reasonable or not, should be discussed first

[flathubbot]

Started test build 61896

[flathubbot]

Build 61896 was cancelled