From 7963a65a88a034372c274894a4f179b7298ee477 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Wed, 8 May 2024 15:48:14 +0100
Subject: [PATCH] feat(profile): add support for terminal in flatpak app.

- Sandbox's security is managed by flatpak
- The app stays confined under the (not really strict) flatpak-app profile
- User shell runs unconfined (under the `user_unconfined` profile)

Running terminal as a flatpak app provides less security than as a normal app. This is because the shell runs as user_unconfined profile that will purposely not transition to any other profile. While a shell from a classic terminal will transition to any profile it can, and thus would get restricted. In other words, running `apt` inside flatpak would run under the `user_unconfined` while it would use the `apt` profile outside the sandbox.

fix #314
---
 apparmor.d/abstractions/common/app | 9 +++++++++
 apparmor.d/profiles-a-f/flatpak-app | 6 ++++--
 apparmor.d/profiles-a-f/flatpak-session-helper | 12 ++++++++++--
 3 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/apparmor.d/abstractions/common/app b/apparmor.d/abstractions/common/app
index 965f7146..59d93c8f 100644
--- a/apparmor.d/abstractions/common/app
+++ b/apparmor.d/abstractions/common/app
@@ -37,6 +37,9 @@
 / r,
 /.* r,
 /*/ r,
+ @{bin}/ r,
+ @{lib}/ r,
+ /usr/local/bin/ r,
 owner /@{uuid}/ w,
 owner /_@{int}_/ w,
@@ -60,6 +63,7 @@
 @{run}/havahi-daemon/socket rw, # Allow access to avahi-daemon socket.
 @{run}/host/{,**} r,
 @{run}/pcscd/pcscd.comm rw, # Allow access to pcscd socket.
+ @{run}/utmp rk,
 @{sys}/ r,
 @{sys}/block/ r,
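Review bot: `@{run}/utmp rk,` lands in the shared common/app abstraction, so every profile that includes it gains read and lock access to the login-record file, not only the flatpak terminal case this commit targets. utmp lists logged-in users, their ttys and remote hosts; if only the terminal path needs it, the rule would be narrower inside the flatpak-app profile. At minimum the line should carry an explanation like the neighbouring socket rules do, e.g. `@{run}/utmp rk, # Allow terminal apps to read and lock login records.`. The abstraction continues outside this hunk.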
@@ -87,17 +91,22 @@
 @{PROC}/@{pid}/task/@{tid}/status r,
 @{PROC}/bus/pci/devices r,
 @{PROC}/driver/** r,
+ @{PROC}/pressure/cpu r,
+ @{PROC}/pressure/io r,
+ @{PROC}/pressure/memory r,
 @{PROC}/sys/fs/inotify/max_user_watches r,
 @{PROC}/sys/kernel/core_pattern r,
 @{PROC}/sys/kernel/osrelease r,
 @{PROC}/sys/kernel/pid_max r,
 @{PROC}/sys/kernel/yama/ptrace_scope r,
 @{PROC}/uptime r,
+ @{PROC}/version r,
 @{PROC}/zoneinfo r,
 owner @{PROC}/@{pid}/clear_refs w,
 owner @{PROC}/@{pid}/comm rw,
 owner @{PROC}/@{pid}/fd/@{int} rw,
 owner @{PROC}/@{pid}/io r,
+ owner @{PROC}/@{pid}/loginuid r,
 owner @{PROC}/@{pid}/net/if_inet6 r,
 owner @{PROC}/@{pid}/oom_score_adj rw,
 owner @{PROC}/@{pid}/statm r,
diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app
index 1561e82c..27381245 100644
--- a/apparmor.d/profiles-a-f/flatpak-app
+++ b/apparmor.d/profiles-a-f/flatpak-app
@@ -43,10 +43,14 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
 ptrace (read),
 signal (receive) set=(int) peer=flatpak-portal,
+ signal (receive) set=(int) peer=flatpak-session-helper,
 @{bin}/** rmix,
 @{lib}/** rmix,
 /app/** rmix,
+ /usr/plugins/** rmix,
+ /usr/share/flatpak/triggers/* rix,
+ /usr/share/runtime/** rmix,
 /var/lib/flatpak/app/*/**/@{bin}/** rmix,
 /var/lib/flatpak/app/*/**/@{lib}/** rmix,
@@ -60,8 +64,6 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
 /var/lib/flatpak/app/{,**} r,
- /usr/share/flatpak/triggers/* rix,
- /usr/.ref rk,
 /etc/**/ rw,
diff --git a/apparmor.d/profiles-a-f/flatpak-session-helper b/apparmor.d/profiles-a-f/flatpak-session-helper
index 4d347cc8..967787b3 100644
--- a/apparmor.d/profiles-a-f/flatpak-session-helper
+++ b/apparmor.d/profiles-a-f/flatpak-session-helper
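Review bot: The three `@{PROC}/pressure/*` lines can be written as one rule using the brace alternation this abstraction already uses elsewhere (`@{run}/host/{,**} r,`): `@{PROC}/pressure/{cpu,io,memory} r,`. `@{PROC}/version r,` and `owner @{PROC}/@{pid}/loginuid r,` are also added to the abstraction shared by every app rather than to the terminal profile; a short comment on the `loginuid` line naming which consumer needs it would help the next reviewer, since the surrounding /proc list gives no hint. The abstraction continues outside this hunk.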
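Review bot: `/usr/plugins/** rmix,` and `/usr/share/runtime/** rmix,` grant map-and-execute over two whole trees with no comment saying what they are; presumably these are runtime paths that only exist inside the flatpak mount namespace, which a reader of the host-side profile cannot tell from the rule itself. Suggest a comment above the block, `# Runtime paths as seen from inside the flatpak sandbox (confirm)`, so the scope is documented. The following hunk in the same file also drops `/usr/.ref rk,` without a replacement; if flatpak still takes that lock, the removal will surface as a denial, so a word on why it is no longer needed would help. The profile body continues on both sides of this hunk.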
@@ -13,19 +13,25 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) {
 include
 include
 include
+ include
+ signal (send) set=(hup int) peer=user_unconfined,
 signal (send) set=(int) peer=@{p_systemd},
+ signal (send) set=(int) peer=flatpak-app,
 #aa:dbus own bus=session name=org.freedesktop.Flatpak
 @{exec_path} mr,
- @{sh_path} rix,
+ @{shells_path} rUx -> user_unconfined,
 @{bin}/dbus-monitor rPUx,
+ @{bin}/env rix,
 @{bin}/flatpak rPx,
- @{bin}/ps rPx,
+ @{bin}/test rix,
+ @{bin}/getent rix,
 @{bin}/p11-kit rix,
 @{bin}/pkexec rPx, # TODO: too wide, rCx.
+ @{bin}/ps rPx,
 @{lib}/p11-kit/p11-kit-remote rix,
 @{lib}/p11-kit/p11-kit-server rix,
 /var/lib/flatpak/app/*/**/@{bin}/** rPx -> flatpak-app,
@@ -36,5 +42,7 @@ profile flatpak-session-helper @{exec_path} flags=(attach_disconnected) {
 owner @{PROC}/@{pids}/fd/ r,
+ /dev/ptmx rw,
+ include if exists
 }
\ No newline at end of file
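Review bot: The deliberate exit from confinement at `@{shells_path} rUx -> user_unconfined,` is explained only in the commit message; someone reading the profile sees a shell leaving the sandbox helper's confinement with no rationale next to it. Suggest an inline comment in the style already used on the pkexec line, e.g. `@{shells_path} rUx -> user_unconfined, # User shell is intentionally not confined, see #314.`. Separately, `@{bin}/test rix,` is inserted between `flatpak` and `getent`, breaking the alphabetical order the rest of this list keeps (dbus-monitor, env, flatpak, getent, p11-kit, pkexec, ps); it belongs after `@{bin}/ps rPx,`. The profile body continues outside this hunk.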
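Review bot: `/dev/ptmx rw,` is added without a comment, and the matching slave side (a `/dev/pts/` rule) does not appear in this hunk; if it is not already supplied by one of the included abstractions, whose targets are not legible on this page, opening the allocated pty will be denied. Suggest `/dev/ptmx rw, # Allocate a pty for the shell of a sandboxed terminal.` and confirming the pts side is covered. This hunk closes the profile; the rest of its body is outside the hunk.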