Andreas/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2026-01-23 17:56:09 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Secure Sandbox for VSCode at Debian 13 amd64. Part 2.

Browse source 
Thanks to xet7 !
This commit is contained in:
Lauri Ojansivu 2026-01-22 02:18:25 +02:00
parent f503b7f517
commit cc8b771eb4
1 changed files with 2 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

80
.vscode/README.md vendored
View file

@ -1,80 +0,0 @@
# Secure Sandbox: VSCode at Debian 13 amd64
## 1) Install Debian
Install Debian with username `wekan`, so that WeKan repo here, only directory where VSCode will have access:
```
/home/wekan/repos/wekan
```
## 2) Install Flatpak and VSCode
```
sudo apt install flatpak
sudo apt install gnome-software-plugin-flatpak
flatpak remote-add --if-not-exists flathub https://dl.flathub.org/repo/flathub.flatpakrepo
sudo reboot
flatpak install flathub com.visualstudio.code
```
## 3) Edit VSCode desktop icon
```
nano ~/.local/share/applications/wekan-vscode.desktop
```
Content:
```
[Desktop Entry]
Name=VS Code - Wekan
Comment=Open the Weka project with Flatpak
Exec=flatpak run com.visualstudio.code /home/wekan/repos/wekan
Icon=com.visualstudio.code
Terminal=false
Type=Application
Categories=Development;IDE;
StartupWMClass=code
```
## 4) Force VS Code to use the internal (isolated) browser
This setting is also added as git commit to VSCode settings.
This is the most important step. If this is "native", it will use the operating system window that sees everything.
1. Open VS Code.
2. Press `Ctrl + ,` (options).
3. Type in search: **Dialogs: Custom**
4. Change the `Files: Simple Dialog` setting to **on** (check the box).
5. Restart VS Code.
## 5) Set the strictest sandbox possible (in Terminal)
Run these two commands (the first clears everything, the second sets limits):
```bash
# Reset previous attempts
sudo flatpak override --reset com.visualstudio.code
# Block EVERYTHING except the display and the wekan folder
sudo flatpak override com.visualstudio.code \
--nofilesystem=home \
--nofilesystem=host \
--nofilesystem=xdg-run/gvfs \
--nofilesystem=xdg-run/gvfsd \
--filesystem=~/repos/wekan:rw \
--device=all \
--socket=wayland \
--socket=x11
```
## 6) Test "File -> Open Folder"
Now when you go to **File -> Open Folder**:
1. You will no longer see the fancy system file window, but VS Code's own, simple list.
2. If you try to go to the parent folder or somewhere else, **the list is empty** or it only shows `~/repos/wekan`.