How to properly harden/isolate Chromium snap?

I want to harden my Chromium snap, to make it more isolated. I disabled the access for home and system files via the Ubuntu Sofwtare permissions tab. Let’s say I want to download images from Unsplash. When I click download button it blocks it with ‘Failed - Insufficient permissions’. However, if I just click with right button ‘Save image as’ I can save it wherever I want. Why is still possible?

Also, should I disconnect/disable chromium:x11 connection, my system is on Wayland?

This is because chromium is delegating the permission request and authorization to the desktop portal, which is run in a separate process and displays a file chooser where you can pick a destination for the file. Chromium itself isn’t allowed to browse your home directory or write directly to that destination, it will write the file to a special place instructed by the portal, which then mediates to move it to where you intended.

I’m not sure this would work with the default configuration. Chromium runs as an xwayland client by default. You can try running it as a native Wayland client by passing --ozone-platform-hint=auto on the command line, and in this case the connection to the x11 interface can probably be undone (but this hasn’t been thoroughly tested AFAIK).

1 Like