It is quite possible that these Landlock rules are unnecessarily permissive, but all of the paths to which read and execute access is granted are part of the root filesystem and therefore assumed to be public knowledge. Removing access from any of them would only increase the risk of accidental breakage in the future, and would not provide any security improvements. seccomp *could* provide some improvements, but the effort needed is too high for now. Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com> --- .../template/data/service/xdg-desktop-portal-spectrum-host/run | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run index d2bf78cefc3837b5d5369dbab819606e71bf1fc5..c3d67b6520d490c71bdce0f1056b2960115108b3 100755 --- a/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run +++ b/host/rootfs/image/etc/s6-linux-init/run-image/service/vm-services/template/data/service/xdg-desktop-portal-spectrum-host/run @@ -12,4 +12,12 @@ s6-ipcserver-socketbinder -a 0700 /run/vm/by-id/${VM}/vsock_219 if { fdmove 1 3 echo } fdclose 3 +unshare -inu -- +setpriv + --landlock-access fs + --landlock-rule path-beneath:read-file,execute:/nix/store + --landlock-rule path-beneath:read-file,execute:/usr/bin + --landlock-rule path-beneath:read-file,execute:/usr/lib + --landlock-rule path-beneath:read-file:/run/vm/by-id/${VM}/portal-bus + -- xdg-desktop-portal-spectrum-host --- base-commit: 59cda41acc455513cf9936e99b8d97647955ac07 change-id: 20251212-sandbox-dbus-portal-4f98ba29c23a -- Sincerely, Demi Marie Obenour (she/her/hers)
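Review bot: the new `setpriv` invocation in this hunk only installs a Landlock filesystem ruleset and drops nothing else, so the process that reaches `xdg-desktop-portal-spectrum-host` keeps whatever uid and capabilities it had; since `unshare -inu` is used without `-r`, creating the new IPC/net/UTS namespaces needs CAP_SYS_ADMIN, which means the service is still privileged at this point unless an earlier, unshown line of the run script already dropped it. Consider adding `--no-new-privs` (Landlock's `landlock_restrict_self` requires either no_new_privs or CAP_SYS_ADMIN, and making it explicit is cheap even if `setpriv` sets it for you) and a capability or uid drop, e.g. `--bounding-set -all` or `--reuid`/`--regid` to a dedicated user, so the sandbox is not only a filesystem policy. Two smaller points on the rules themselves: `--landlock-access fs` restricts every filesystem access type, and the only rule outside `/nix/store`, `/usr/bin` and `/usr/lib` is `path-beneath:read-file:/run/vm/by-id/${VM}/portal-bus`, so anything the portal host needs to open under `/etc`, `/dev`, `/proc` or `/tmp` (even `/dev/null`) will now fail with EACCES; please confirm the service was exercised end to end under this ruleset rather than only started. Also, if anything needs to be created inside `portal-bus` (a socket, a lock file), `read-file` alone will not allow it and the rule would need `make-sock`/`write-file`; if the directory is only read, `read-file` is fine since Landlock does not restrict path traversal, only listing via `read-dir`.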