- Sandbox's security is managed by flatpak
- The app stays confined under the (not really strict) flatpak-app profile
- User shell runs unconfined (under the `user_unconfined` profile)
Running terminal as a flatpak app provides less security than as a normal app.
This is because the shell runs as user_unconfined profile that will purposely
not transition to any other profile. While a shell from a classic terminal will
transition to any profile it can, and thus would get restricted. In other words,
running `apt` inside flatpak would run under the `user_unconfined` while it
would use the `apt` profile outside the sandbox.
fix#314
Sorry, in the previous commit I introduced an error in
abstractions/thumbnails-cache-read that prevented this abstractions
from working correctly after a restart and complete reload of
the profiles (after a new installation from Git).
This commit fixes the bug and with it must also pass the repository tests.
On default installation on Debian Stable (12) anacron run tasks
and when finish all them, run exim4 for send info via mail.
The actual profile don´t permit this behaviour and fail sending
info for all task finished for mail configurated.
exim4 profile access to /proc/sys/net/ipv6/conf/all/disable_ipv6
in read mode searching information over IPv6 connection in the host.
In the actual profile this access is denied, this change fix this
and reduce noise in log.
gsd-housekeepin in GNOME have access to @{user_cache_dirs} for
searching thumbnail files and executing one task
for cleaning these files every day.
The actual abstractions/thumbnails-cache-write fail in granted
this access, specially to various folders in
the thumbnail cache (ex: fail folder).
These changes fix this access. For convenience
abstractions/thumbnails-cache-read, have the same access
structure also for files/folders, but only read permissions.