From bde53921a660985c919124db2a8ce0ff0cc8934a Mon Sep 17 00:00:00 2001 From: Tommy Date: Sat, 26 Mar 2022 07:11:22 +0000 Subject: [PATCH] Mention portals in the Flatpak section (#787) Signed-off-by: Daniel Gray --- collections/_evergreen/linux-desktop.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/collections/_evergreen/linux-desktop.md b/collections/_evergreen/linux-desktop.md index 1fbe3522..8187c9d8 100644 --- a/collections/_evergreen/linux-desktop.md +++ b/collections/_evergreen/linux-desktop.md 
@@ -183,7 +183,7 @@ We generally recommend revoking access to: If an application works natively with Wayland (and not running through the [XWayland](https://wayland.freedesktop.org/xserver.html) compatibility layer), consider revoking its access to the X11 (`socket=x11`) and [Inter-process communications (IPC)](https://en.wikipedia.org/wiki/Unix_domain_socket) socket (`share=ipc`) as well. -We also recommend restricting broad filesystem permissions such as `filesystem=home` and `filesystem=host` which should be revoked and replaced with just the directories that the app needs to access. +We also recommend restricting broad filesystem permissions such as `filesystem=home` and `filesystem=host` which should be revoked and replaced with just the directories that the app needs to access. Some applications like [VLC](https://www.flathub.org/apps/details/org.videolan.VLC) implement the [Portals](https://docs.flatpak.org/en/latest/portal-api-reference.html) [API](https://en.wikipedia.org/wiki/API), which allows a file manager to pass files to the flatpak application (e.g. VLC) without direct filesystem access privileges. Security is increased because VLC is only able to access the specific file that the user wants to open, rather than any file at any time the application is open. Hard-coded access to some kernel interfaces like [`/sys`](https://en.wikipedia.org/wiki/Sysfs) and [`/proc`](https://en.wikipedia.org/wiki/Procfs#Linux) and weak [seccomp](https://en.wikipedia.org/wiki/Seccomp) filters unfortunately cannot be secured by the user with Flatpak.
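Review bot: The added portal sentence in this hunk should state that the protection only applies once the broad filesystem permissions it follows have actually been revoked; an app that still holds `filesystem=home` or `filesystem=host` reads the file directly and the portal adds nothing, so the two halves of the line need to be tied together (e.g. "Once broad filesystem access is revoked, applications like VLC that implement the Portals API can still open files the user selects through the portal file chooser, or receives from a file manager via the document portal, without holding any filesystem permission of their own."). Two smaller points on the same line: "flatpak application" should be "Flatpak application" to match the capitalization used at the end of the paragraph ("secured by the user with Flatpak"), and the Wikipedia link on the bare word "API" adds nothing next to the Flatpak portal reference already linked. Since the paragraph now covers three distinct ideas (scoping filesystem access, portals, unfixable kernel interfaces and seccomp filters) in a single run, consider splitting the portal text into its own paragraph so the "unfortunately cannot be secured" caveat is not read as applying to portals.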