this post was submitted on 20 Aug 2023
261 points (88.5% liked)

linuxmemes

21677 readers
1345 users here now

Hint: :q!

Sister communities:

Community rules (click to expand)

1. Follow the site-wide rules

2. Be civil
  • Understand the difference between a joke and an insult.
  • Do not harrass or attack members of the community for any reason.
  • Leave remarks of "peasantry" to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
  • Bigotry will not be tolerated.
  • These rules are somewhat loosened when the subject is a public figure. Still, do not attack their person or incite harrassment.
    • 3. Post Linux-related content
  • Including Unix and BSD.
  • Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of sudo in Windows.
  • No porn. Even if you watch it on a Linux machine.
    • 4. No recent reposts
  • Everybody uses Arch btw, can't quit Vim, and wants to interject for a moment. You can stop now.
    •  

    Please report posts and comments that break these rules!

    Important: never execute code or follow advice that you don't understand or can't verify, especially here. The word of the day is credibility. This is a meme community -- even the most helpful comments might just be shitposts that can damage your system. Be aware, be smart, don't fork-bomb your computer.

    founded 2 years ago
    MODERATORS
    poopsmith
    zephyr
    rtxn
    261
    Flatpak integration is still not great (lemmy.world)
    submitted 1 year ago* (last edited 1 year ago) by dorumon to c/linuxmemes
    133 comments fedilink hide all child comments
     

    Its even worse when you force Firefox to use wayland its icon doesn't even show.

    Edit: Oh since everyone now is confused; I only have the flatpak version of Firefox installed yet it doesn't use the pinned icon and doesn't even use the firefox icon under wayland at all.

    you are viewing a single comment's thread
    view the rest of the comments
    [–] Intralexical 5 points 1 year ago* (last edited 1 year ago)

    bwrap is so much better without Flatpak.

    To start you off: $ bwrap --dev-bind / / --tmpfs ~ bash

    This basically gives you a shell in a clean virtual home directory (but no meaningful security improvement yet). You can test new builds of software as if you have only the default settings. If you need to access files, move them to /tmp/.

    To see the clean virtual home directory, replace --tmpfs ~ with --bind "$(mktemp -d)" ~. You can browse it where mktemp puts it (usually /tmp/*).

    To start to lock down security, replace the --dev-bind with --ro-bind, and add various --new-session, --uid/--gid, and --unshare-all/--unshare-* flags. You can run untrusted and semi-trusted/less-trusted applications with less security risk this way (as long as you're aware of pitfalls, such as the /tmp/.X11-unix/X0 socket and other possible avenues of escape).

    To block network access, use --unshare-net or --unshare-all. To virtualize /dev and /proc, use --dev /dev and --proc /proc.

    Some programs might need --dev-bind /dev/dri /dev/dri for graphics driver access, or similar constructs.

    EDIT: …I actually created a way to create completely portable application executables for Linux by using bwrap (or proot, as a fallback) to virtualize a Nix root from inside an AppImage, earlier this year. bwrap offers a lot of granularity in modifying and containing the virtual environment, to the degree that you can basically emulate an entire guest OS/distro on top of the host distro, without even needing root privileges— And without even needing bwrap itself to be installed, since it can work using entirely standard Linux kernel features.