• Bastien Nocera's avatar
    thumbnail: Sandbox thumbnailers on Linux · 8b1db18a
    Bastien Nocera authored
    On Linux systems, bubblewrap is now required to launch thumbnailers in a
    restricted environment.
    - Only /usr and the compilation ${prefix} of the gnome-desktop library
      will be available to the thumbnailer as read-only
    - The network is disabled
    - The filename of the file to thumbnail is hidden
    - Bubblewrap is not used if the application is already sandboxed in
      Flatpak as all privileges to create a new namespace are dropped when
      the initial one is created.
gnome-desktop-thumbnail-script.c 9.73 KB