igo95862 / bubblejail

Bubblewrap based sandboxing for desktop applications

secure global Flatpak configs to protect bubblejail home #143

Open boredsquirrel opened 1 day ago

boredsquirrel commented 1 day ago

Description

Afaik bubblejail protects its home from other bubblejailed applications.

To complete this, Flatpak apps must not access the bubblejail directories either.

This can be accomplished like this:

cat >> ~/.local/share/flatpak/overrides/global <<EOF
[Context]
filesystems=!~/.local/share/flatpak/overrides;!~/.local/share/bubblejail
EOF

This blocks all flatpak apps from changing their own configurations, and from accessing the bubblejail homes or configs.

Or the more complete file that I use, to block pulseaudio, x11 and ipc to prevent apps sniffing each other.

cat >> ~/.local/share/flatpak/overrides/global <<EOF
[Context]
filesystems=xdg-run/pipewire-0:ro;!~/.local/share/flatpak/overrides;!~/.ssh;!~/.gnupg;!~/.local/share/bubblejail
sockets=!x11;!pulseaudio;wayland;
shared=!ipc;

[Environment]
QT_QPA_PLATFORM=wayland
ELECTRON_OZONE_PLATFORM_HINT=auto
EOF
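
A way to check that an override file actually carries the denials proposed above, as an added example that is not part of the issue thread or of bubblejail. The function names and both sample files are constructed for illustration; because the heredoc uses `cat >>`, the second sample shows the case where it is appended to a file that already has a `[Context]` group, which the checker flags instead of assuming how repeated keys are resolved.

```python
# Added example: audit a Flatpak global override file for the denials from the issue.
REQUIRED = ("~/.local/share/flatpak/overrides", "~/.local/share/bubblejail")

def context_filesystems(text):
    """Return every filesystems= value found under a [Context] group, in file order."""
    found, group = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if sep and group == "Context" and key.strip() == "filesystems":
            found.append({e.strip() for e in value.split(";") if e.strip()})
    return found

def audit(text, required=REQUIRED):
    """Return a list of findings; an empty list means every required path is denied."""
    values = context_filesystems(text)
    findings = []
    if len(values) > 1:
        findings.append(f"filesystems= appears {len(values)} times; keep a single entry")
    for path in required:
        # Conservative: a path counts as denied only if every occurrence denies it.
        if not values or not all("!" + path in v for v in values):
            findings.append(f"not denied: {path}")
    return findings

# Constructed sample 1: the short override from the issue, written to an empty file.
FROM_ISSUE = """[Context]
filesystems=!~/.local/share/flatpak/overrides;!~/.local/share/bubblejail
"""

# Constructed sample 2: the same heredoc appended (cat >>) to a file that
# already had a [Context] group granting home access.
APPENDED = """[Context]
filesystems=home
""" + FROM_ISSUE

if __name__ == "__main__":
    for name, text in (("from issue", FROM_ISSUE), ("appended", APPENDED)):
        print(name, audit(text) or "ok")
```
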

igo95862 commented 1 day ago

Interesting, but I am not sure about messing with other applications' settings.

Also wouldn't it only be relevant for flatpak applications that have complete access to home file system?

rusty-snake commented 1 day ago

My two cents about this,