[gnome-photos/wip/rishi/sandbox-settings: 3/3] flatpak: Sandbox GSettings use by dropping the dconf permissions



commit e7d50a358fac0758b45366585c10af5d0d45e188
Author: Debarshi Ray <debarshir gnome org>
Date:   Sat Mar 28 13:26:18 2020 +0100

    flatpak: Sandbox GSettings use by dropping the dconf permissions
    
    Since GLib 2.60.x, GSettings' keyfile backend is capable enough to be
    the default backend for Flatpak applications. If a Flatpak doesn't
    have the necessary permissions to access dconf, GSettings will
    automatically switch to using the keyfile backend.
    
    This is good because dconf isn't suited for sandboxing. It uses a
    single database shared across all applications - they are free to read
    and write anything, and settings are left behind even after an
    application has been uninstalled. This leaves plenty of room for
    mischief and accidents. In comparison, the keyfile backend uses a
    separate isolated file for each Flatpak that's removed when the
    application is uninstalled.
    
    https://gitlab.gnome.org/GNOME/gnome-photos/-/merge_requests/122

 flatpak/org.gnome.Photos.json | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
---
diff --git a/flatpak/org.gnome.Photos.json b/flatpak/org.gnome.Photos.json
index 7262e44d..bdbe45ef 100644
--- a/flatpak/org.gnome.Photos.json
+++ b/flatpak/org.gnome.Photos.json
@@ -7,18 +7,15 @@
     "tags": [ "nightly" ],
     "desktop-file-name-prefix": "(Nightly) ",
     "finish-args": [
-        "--env=DCONF_USER_CONFIG_DIR=.config/dconf",
         "--env=TRACKER_SPARQL_BACKEND=bus",
-        "--filesystem=~/.config/dconf:ro",
         "--filesystem=xdg-download",
         "--filesystem=xdg-pictures",
-        "--filesystem=xdg-run/dconf",
+        "--metadata=X-DConf=migrate-path=/org/gnome/photos/",
         "--share=ipc",
         "--share=network",
         "--socket=fallback-x11",
         "--socket=wayland",
         "--socket=x11",
-        "--talk-name=ca.desrt.dconf",
         "--talk-name=org.freedesktop.FileManager1",
         "--talk-name=org.freedesktop.Tracker1",
         "--talk-name=org.freedesktop.Tracker1.Miner.Extract",
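Review bot: The added "--metadata=X-DConf=migrate-path=/org/gnome/photos/" line is the only thing that carries existing user settings over once the four dconf entries are removed, and nothing in this hunk shows that the runtime the manifest targets ships GLib 2.60.x or later, which the commit message names as the prerequisite. With an older GLib in the runtime, GSettings would have neither dconf access nor a usable keyfile backend, so please confirm the runtime version elsewhere in the manifest and state the minimum in the commit message. Separately, the unchanged context still lists "--socket=x11" next to "--socket=fallback-x11"; with the plain x11 socket granted, the fallback entry has no effect and X11 stays exposed even under Wayland, which undercuts the sandboxing goal of this change and would be worth a follow-up.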

