[gnome-photos/wip/rishi/sandbox-settings: 4/4] flatpak: Sandbox GSettings use by dropping the dconf permissions

From: Debarshi Ray <debarshir src gnome org>
To: commits-list gnome org
Cc:
Subject: [gnome-photos/wip/rishi/sandbox-settings: 4/4] flatpak: Sandbox GSettings use by dropping the dconf permissions
Date: Mon, 30 Mar 2020 15:46:42 +0000 (UTC)

commit e352db1aa26f60c4c20b5d9dc355723cbc6acf15
Author: Debarshi Ray <debarshir gnome org>
Date:   Sat Mar 28 13:26:18 2020 +0100

    flatpak: Sandbox GSettings use by dropping the dconf permissions
    
    Since GLib 2.60.x, GSettings' keyfile backend is capable enough to be
    the default backend for Flatpak applications. If a Flatpak doesn't
    have the necessary permissions to access dconf, GSettings will
    automatically switch to using the keyfile backend.
    
    This is good because dconf isn't suited for sandboxing. It uses a
    single database shared across all applications - they are free to read
    and write anything, and settings are left behind even after an
    application has been uninstalled. This leaves plenty of room for
    mischief and accidents. In comparison, the keyfile backend uses a
    separate isolated file for each Flatpak that's removed when the
    application is uninstalled.
    
    https://gitlab.gnome.org/GNOME/gnome-photos/-/merge_requests/122

 flatpak/org.gnome.Photos.json | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
---
diff --git a/flatpak/org.gnome.Photos.json b/flatpak/org.gnome.Photos.json
index debee5f5..12a6c69f 100644
--- a/flatpak/org.gnome.Photos.json
+++ b/flatpak/org.gnome.Photos.json
@@ -7,18 +7,15 @@
     "tags": [ "nightly" ],
     "desktop-file-name-prefix": "(Nightly) ",
     "finish-args": [
-        "--env=DCONF_USER_CONFIG_DIR=.config/dconf",
         "--env=TRACKER_SPARQL_BACKEND=bus",
-        "--filesystem=~/.config/dconf:ro",
         "--filesystem=xdg-download",
         "--filesystem=xdg-pictures",
-        "--filesystem=xdg-run/dconf",
+        "--metadata=X-DConf=migrate-path=/org/gnome/photos/",
         "--share=ipc",
         "--share=network",
         "--socket=fallback-x11",
         "--socket=wayland",
         "--socket=x11",
-        "--talk-name=ca.desrt.dconf",
         "--talk-name=org.freedesktop.FileManager1",
         "--talk-name=org.freedesktop.Tracker1",
         "--talk-name=org.freedesktop.Tracker1.Miner.Extract",

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]