From 55fcec88a60fda36a2d59fb7d562e2aff9948c0b Mon Sep 17 00:00:00 2001
From: Bernd Schoolmann
Date: Fri, 30 May 2025 16:03:53 +0200
Subject: [PATCH] Further restrict permissions

---
 apps/desktop/electron-builder.json | 7 ++++++-
 apps/desktop/resources/com.bitwarden.desktop.devel.yaml | 6 +++---
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/apps/desktop/electron-builder.json b/apps/desktop/electron-builder.json
index aa854240a6c..b44b17150e1 100644
--- a/apps/desktop/electron-builder.json
+++ b/apps/desktop/electron-builder.json
@@ -259,7 +259,12 @@
  {
  "personal-files": {
  "read": [],
- "write": ["$HOME/.config/chromium", "$HOME/.config/google-chrome", "$HOME/.mozilla"]
+ "write": [
+ "$HOME/.config/chromium/NativeMessagingHosts/",
+ "$HOME/.config/microsoft-edge/NativeMessagingHosts/",
+ "$HOME/.config/google-chrome/NativeMessagingHosts",
+ "$HOME/.mozilla/"
+ ]
  }
  },
  "u2f-devices"
diff --git a/apps/desktop/resources/com.bitwarden.desktop.devel.yaml b/apps/desktop/resources/com.bitwarden.desktop.devel.yaml
index 6388568b7be..25d249c423e 100644
--- a/apps/desktop/resources/com.bitwarden.desktop.devel.yaml
+++ b/apps/desktop/resources/com.bitwarden.desktop.devel.yaml
@@ -29,9 +29,9 @@ finish-args:
  # Sockets are mounted in each app's directory
  #
  # Non-sandboxed
- --filesystem=xdg-config/google-chrome
- --filesystem=xdg-config/chromium
- --filesystem=xdg-config/microsoft-edge
+ - --filesystem=xdg-config/google-chrome/NativeMessagingHosts/
+ - --filesystem=xdg-config/chromium/NativeMessagingHosts/
+ - --filesystem=xdg-config/microsoft-edge/NativeMessagingHosts/
  - --filesystem=home/.mozilla
  # Flatpak-sandboxed
  - --filesystem=~/.var/app/org.chromium.Chromium/config/chromium/NativeMessagingHosts/
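Review bot: `"$HOME/.mozilla/"` is still granted in full in the new `write` list, so the snap keeps write access to the whole Firefox profile tree while the Chromium-family entries are narrowed to their `NativeMessagingHosts` directories. The unchanged `--filesystem=home/.mozilla` context line in com.bitwarden.desktop.devel.yaml has the same gap. Firefox reads per-user native messaging manifests from `~/.mozilla/native-messaging-hosts`, so the entry could become `"$HOME/.mozilla/native-messaging-hosts"` if nothing else under that directory is needed. The new entries also mix trailing-slash and bare forms (`google-chrome/NativeMessagingHosts` has no slash). As far as I know snapd's personal-files path validation rejects paths ending in `/`, so it is worth confirming the snap still installs and connects the plug with these values, or dropping the slashes throughout.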
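Review bot: Narrowing the three `xdg-config/...` grants to `NativeMessagingHosts/` means the sandboxed app can no longer create that directory when the browser has not created it yet, because the parent config directory is no longer shared. Flatpak does not expose a `--filesystem` path that is missing on the host unless it carries the `:create` suffix, so writing the native messaging manifest would presumably fail on such profiles. Consider `--filesystem=xdg-config/google-chrome/NativeMessagingHosts:create`, and likewise for chromium and microsoft-edge. The Flatpak-sandboxed entry in the trailing context uses the same suffix-less form, so if this is an accepted limitation a short comment above the block saying so would help the next maintainer.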