From d2fc3c33251872f520729a67af44dc76403b5ad7 Mon Sep 17 00:00:00 2001
From: Alexandre Pujol
Date: Fri, 15 Dec 2023 18:07:18 +0000
Subject: [PATCH] fix(profile): merge flatpak-bwrap & flatpak-app. See #264
---
 apparmor.d/profiles-a-f/flatpak | 7 ++-
 apparmor.d/profiles-a-f/flatpak-app | 72 +++++++++++++++++++++--
 apparmor.d/profiles-a-f/flatpak-bwrap | 81 --------------------------
 apparmor.d/profiles-a-f/flatpak-portal | 4 +-
 dists/flags/main.flags | 1 -
 5 files changed, 75 insertions(+), 90 deletions(-)
 delete mode 100644 apparmor.d/profiles-a-f/flatpak-bwrap
diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/profiles-a-f/flatpak
index 8554edc9..e9e01ec6 100644
--- a/apparmor.d/profiles-a-f/flatpak
+++ b/apparmor.d/profiles-a-f/flatpak
@@ -20,6 +20,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
 capability dac_override,
 capability dac_read_search,
 capability net_admin,
+ capability sys_ptrace,
 network inet dgram,
 network inet6 dgram,
@@ -29,9 +30,11 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
 mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,
+ ptrace (read) peer=flatpak-app,
+ @{exec_path} mr,
- @{bin}/bwrap rPx -> flatpak-bwrap,
+ @{bin}/bwrap rPx -> flatpak-app,
 @{bin}/fusermount{,3} rCx -> fusermount,
 @{bin}/gpg rCx -> gpg,
 @{bin}/gpgconf rCx -> gpg,
@@ -67,9 +70,11 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
 owner /dev/shm/flatpak*/{,**} rw,
 owner /tmp/ostree-gpg-*/{,**} rw,
+ @{run}/.userns r,
 @{run}/user/@{uid}/.dbus-proxy/ w,
 @{run}/user/@{uid}/dconf/user rw,
 owner @{run}/user/@{uid}/.dbus-proxy/* rw,
+ owner @{run}/user/@{uid}/.flatpak-cache rw,
 owner @{run}/user/@{uid}/.flatpak/ rw,
 owner @{run}/user/@{uid}/.flatpak/** rwlk -> @{run}/user/@{uid}/.flatpak/**,
 owner @{run}/user/@{uid}/app/ w,
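Review bot: The new `capability sys_ptrace` and `ptrace (read) peer=flatpak-app` rules in the first two hunks carry no comment saying which flatpak operation needs read-ptrace over the sandboxed apps, and a capability grant in the host-side profile deserves that justification for later audits. A one-line comment above the ptrace rule, e.g. `# read state of running sandbox instances (assumption: flatpak ps/kill) - confirm`, would keep the grant traceable. The `profile flatpak ... {` block these hunks belong to starts before the first hunk and ends after the last one.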
diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app
index a6d575ca..f8ac3858 100644
--- a/apparmor.d/profiles-a-f/flatpak-app
+++ b/apparmor.d/profiles-a-f/flatpak-app
@@ -3,7 +3,18 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # Default profile for all flatpak applications. Ideally, this profile should be
-# generated by flatpak itself with settings from the flatpak manifest.
+# generated by flatpak itself with settings from the flatpak manifest and
+# fully separated from bwrap.
+
+# Note: This profile used to be split in two (flatpak-bwrap & flatpak-app) in order
+# to separate bwrap from the sandboxed app itself. It was generating issue with
+# zypak-sandbox, therefore the profiles have been merged. Meanwhile, to install
+# some applications, flatpak needs write access to the sandbox content. This is
+# done through bwrap and therefore in this profile.
+#
+# 1. All of this will have to be improved. However, as of today, it is the only way
+# to not break some (major) flatpak app.
+# 2. It is not a big deal as flatpak is responsible for the sandbox anyway.
 abi ,
@@ -13,18 +24,34 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
 include
 include
+ capability dac_override,
+ capability dac_read_search,
+ capability net_admin,
+ capability setpcap,
+ capability sys_admin,
 capability sys_ptrace,
+ capability sys_resource,
 network inet dgram,
 network inet6 dgram,
 network inet stream,
 network inet6 stream,
+ network netlink dgram,
 network netlink raw,
- ptrace (read),
- ptrace peer=flatpak-app//&flatpak-bwrap,
+ mount options=(rw, silent, rslave) -> /,
+ mount fstype=tmpfs -> /tmp/,
+ mount -> /newroot/{,**},
+ mount -> /oldroot/,
+ mount -> /tmp/newroot/,
+ umount /{,oldroot/},
- signal peer=flatpak-app//&flatpak-bwrap,
+ pivot_root oldroot=/newroot/ -> /newroot/,
+ pivot_root oldroot=/tmp/oldroot/ -> /tmp/,
+
+ ptrace (read),
+
+ signal (receive) set=(int) peer=flatpak-portal,
 @{bin}/** rmix,
 @{lib}/** rmix,
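Review bot: With `signal peer=flatpak-app//&flatpak-bwrap` removed, `signal (receive) set=(int) peer=flatpak-portal` is the only signal rule left in the merged profile, yet bwrap and the application it launches now run under this same profile and, if I read the mediation right, need an explicit rule to signal each other (e.g. bwrap terminating its child, or an app killing its own helpers). Unless an included abstraction grants it, a `signal peer=flatpak-app,` rule next to the new receive rule looks necessary; this is worth checking in enforce mode before the complain flag is dropped. The merged profile also carries bwrap's `capability sys_admin` and the mount/pivot_root rules for the app's whole lifetime, so separating the app from those rights now rests on bwrap's own capability drop rather than on AppArmor, which the header note acknowledges but the capability block itself does not. The `profile flatpak-app ... {` block starts before this hunk and ends after it.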
@@ -32,9 +59,44 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
 /var/lib/flatpak/app/*/**/@{bin}/** rmix,
 /var/lib/flatpak/app/*/**/@{lib}/** rmix,
+ @{bin}/gtk{,4}-update-icon-cache rPx -> flatpak-app//>k-update-icon-cache,
+ @{bin}/update-desktop-database rPx -> flatpak-app//&update-desktop-database,
+ @{bin}/update-mime-database rPx -> flatpak-app//&update-mime-database,
+ @{bin}/xdg-dbus-proxy rPx -> flatpak-app//&xdg-dbus-proxy,
+ /var/lib/flatpak/app/{,**} r,
- @{run}/flatpak/{,**} r,
+ /usr/share/flatpak/triggers/* rix,
+
+ /usr/.ref rk,
+
+ /etc/shells rw,
+
+ /app/.ref k,
+ /app/extra/** rw,
+ /bindfile@{rand6} rw,
+ /newroot/{,**} rw,
+ /tmp/newroot/ w,
+ /tmp/oldroot/ w,
+
+ /var/lib/flatpak/app/{,**} r,
+ /var/lib/flatpak/exports/** rw,
+ /var/tmp/etilqs_@{hex} rw,
+
+ @{run}/.userns r,
+ owner @{run}/flatpak/{,**} rk,
+ owner @{run}/flatpak/app/*/*ipc* rw,
+ owner @{run}/ld-so-cache-dir/* rw,
+
+ @{PROC}/@{pid}/fd/ r,
+ @{PROC}/sys/kernel/overflowgid r,
+ @{PROC}/sys/kernel/overflowuid r,
+ @{PROC}/sys/user/max_user_namespaces w,
+ owner @{PROC}/@{pid}/gid_map rw,
+ owner @{PROC}/@{pid}/setgroups rw,
+ owner @{PROC}/@{pid}/uid_map rw,
+
+ deny /apparmor/.null rw,
 include if exists
 include if exists
diff --git a/apparmor.d/profiles-a-f/flatpak-bwrap b/apparmor.d/profiles-a-f/flatpak-bwrap
deleted file mode 100644
index 0a9290d5..00000000
--- a/apparmor.d/profiles-a-f/flatpak-bwrap
+++ /dev/null
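Review bot: `/var/lib/flatpak/app/{,**} r,` ends up twice in the new profile: once near the top of the hunk (the existing rule next to the removed `@{run}/flatpak/{,**} r,`) and again as an added line in the `/var/lib` group, so one of them should go. `@{PROC}/sys/user/max_user_namespaces w,` is now a sysctl write granted to every confined application and nothing in the diff shows what performs it; if it is only probed, `deny @{PROC}/sys/user/max_user_namespaces w,` would be the quieter choice, otherwise a comment naming the writer would help the next reader. The install-time rules inherited from flatpak-bwrap (`/etc/shells rw`, `/var/lib/flatpak/exports/** rw`, `/usr/share/flatpak/triggers/* rix`) would also read better under a short comment pointing at the header note, so they are not mistaken for runtime needs of the app. The closing brace of the profile block is outside the hunk.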
@@ -1,81 +0,0 @@
-# apparmor.d - Full set of apparmor profiles
-# Copyright (C) 2023 Alexandre Pujol
-# SPDX-License-Identifier: GPL-2.0-only
-
-abi ,
-
-include
-
-profile flatpak-bwrap flags=(attach_disconnected,mediate_deleted) {
- include
- include
- include
-
- capability dac_override,
- capability dac_read_search,
- capability net_admin,
- capability setpcap,
- capability sys_admin,
- capability sys_ptrace,
- capability sys_resource,
-
- network inet dgram,
- network inet6 dgram,
- network inet stream,
- network inet6 stream,
- network netlink raw,
-
- mount options=(rw, silent, rslave) -> /,
- mount fstype=tmpfs -> /tmp/,
- mount -> /newroot/{,**},
- mount -> /oldroot/,
- mount -> /tmp/newroot/,
- umount /{,oldroot/},
-
- pivot_root oldroot=/newroot/ -> /newroot/,
- pivot_root oldroot=/tmp/oldroot/ -> /tmp/,
-
- ptrace peer=flatpak-app//&flatpak-bwrap,
-
- signal peer=flatpak-app//&flatpak-bwrap,
-
- @{bin}/** rmix,
- @{lib}/** rmix,
- /app/** rm,
-
- @{bin}/gtk{,4}-update-icon-cache rPx -> flatpak-bwrap//>k-update-icon-cache,
- @{bin}/update-desktop-database rPx -> flatpak-bwrap//&update-desktop-database,
- @{bin}/update-mime-database rPx -> flatpak-bwrap//&update-mime-database,
- @{bin}/xdg-dbus-proxy rPx -> flatpak-bwrap//&xdg-dbus-proxy,
- /app/** rPx -> flatpak-bwrap//&flatpak-app,
-
- /usr/share/flatpak/triggers/* rix,
-
- /usr/.ref rk,
-
- /etc/shells rw,
-
- /app/.ref k,
- /app/extra/** rw,
- /bindfile@{rand6} rw,
- /newroot/{,**} rw,
- /tmp/newroot/ w,
- /tmp/oldroot/ w,
-
- /var/lib/flatpak/app/{,**} r,
- /var/lib/flatpak/exports/** rw,
- /var/tmp/etilqs_@{hex} rw,
-
- owner @{run}/flatpak/{,**} rk,
- owner @{run}/ld-so-cache-dir/* rw,
-
- @{PROC}/sys/kernel/overflowgid r,
- @{PROC}/sys/kernel/overflowuid r,
- @{PROC}/sys/user/max_user_namespaces w,
- owner @{PROC}/@{pid}/gid_map rw,
- owner @{PROC}/@{pid}/setgroups rw,
- owner @{PROC}/@{pid}/uid_map rw,
-
- include if exists
- include if exists
-}
diff --git a/apparmor.d/profiles-a-f/flatpak-portal b/apparmor.d/profiles-a-f/flatpak-portal
index 0c3ae9ee..088b0186 100644
--- a/apparmor.d/profiles-a-f/flatpak-portal
+++ b/apparmor.d/profiles-a-f/flatpak-portal
@@ -15,9 +15,9 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
 network netlink raw,
- ptrace (read),
+ ptrace read,
- signal (send) peer=unconfined,
+ signal send,
 @{exec_path} mr,
diff --git a/dists/flags/main.flags b/dists/flags/main.flags
index 61db07b4..b2f594ba 100644
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@@ -114,7 +114,6 @@ firefox-kmozillahelper complain
 firefox-vaapitest complain
 flatpak attach_disconnected,mediate_deleted,complain
 flatpak-app attach_disconnected,mediate_deleted,complain
-flatpak-bwrap attach_disconnected,mediate_deleted,complain
 flatpak-oci-authenticator complain
 flatpak-portal attach_disconnected,complain
 flatpak-session-helper attach_disconnected,complain
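Review bot: `signal send,` lets flatpak-portal send any signal to any peer, where the rule it replaces was limited to unconfined peers; the receiving side this patch adds to flatpak-app is `signal (receive) set=(int) peer=flatpak-portal`, so the matching grant would be `signal (send) set=(int) peer=flatpak-app,` kept alongside the existing `signal (send) peer=unconfined,`. The `ptrace (read)` to `ptrace read` change is syntax only and carries no review point. The `profile flatpak-portal ... {` block starts before the hunk and ends after it.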