- Sandbox's security is managed by flatpak
- The app stays confined under the (not really strict) flatpak-app profile
- User shell runs unconfined (under the `user_unconfined` profile)
Running terminal as a flatpak app provides less security than as a normal app.
This is because the shell runs as user_unconfined profile that will purposely
not transition to any other profile. While a shell from a classic terminal will
transition to any profile it can, and thus would get restricted. In other words,
running `apt` inside flatpak would run under the `user_unconfined` while it
would use the `apt` profile outside the sandbox.
fix#314
Sorry, in the previous commit I introduced an error in
abstractions/thumbnails-cache-read that prevented this abstractions
from working correctly after a restart and complete reload of
the profiles (after a new installation from Git).
This commit fixes the bug and with it must also pass the repository tests.
gsd-housekeepin in GNOME have access to @{user_cache_dirs} for
searching thumbnail files and executing one task
for cleaning these files every day.
The actual abstractions/thumbnails-cache-write fail in granted
this access, specially to various folders in
the thumbnail cache (ex: fail folder).
These changes fix this access. For convenience
abstractions/thumbnails-cache-read, have the same access
structure also for files/folders, but only read permissions.
This commit fix two issues for abstractions/app/chromium
1.- Access to /dev/video (not merged in last commit)
2.- Access to /etc/opensc/opensc.conf in Debian (and derivates)
This commit add new profile for Microsoft Edge browser and variants (beta,dev).
The new profile is based in actual chrome profile. Tested with actual Edge, in
Debian Stable and enforced rules. All ok using GPU Rasterization and Vulkan, not
HWAccel for encoding video because this is very unstable yet in all Chromium based
browsers.
Add support for libpam-tmpdir for abstractions/app/chromium and all browser using
this absctractions (Chrome, Chromium, Edge, and others). This fix access and use
of browser with libpam-tmpdir installed (Debian and Whonix)
Fix a denied access to RADV user cache (Vulkan-amdgpu) in abstractions/app/chromium
(Vulkan is optional in Chromium-based browser, but the backend is
perfectly usable now).
