fix(profile): merge flatpak-bwrap & flatpak-app.

See #264
2025-01-18 08:58:15 +01:00 · 2023-12-15 18:07:18 +00:00 · 2023-12-15 18:07:18 +00:00 · d2fc3c3325
commit d2fc3c3325
parent a1b86b56d2
5 changed files with 75 additions and 90 deletions
--- a/apparmor.d/profiles-a-f/flatpak
+++ b/apparmor.d/profiles-a-f/flatpak
@ -20,6 +20,7 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
  capability dac_override,
  capability dac_read_search,
  capability net_admin,
  capability sys_ptrace,
  network inet dgram,
  network inet6 dgram,
@ -29,9 +30,11 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
  mount fstype=fuse.revokefs-fuse options=(rw, nosuid, nodev) -> /var/tmp/flatpak-cache-*/*/,
  ptrace (read) peer=flatpak-app,
  @{exec_path} mr,
-  @{bin}/bwrap               rPx -> flatpak-bwrap, 
+  @{bin}/bwrap               rPx -> flatpak-app, 
  @{bin}/fusermount{,3}      rCx -> fusermount,
  @{bin}/gpg                 rCx -> gpg,
  @{bin}/gpgconf             rCx -> gpg,
@ -67,9 +70,11 @@ profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain
  owner /dev/shm/flatpak*/{,**} rw,
  owner /tmp/ostree-gpg-*/{,**} rw,
        @{run}/.userns r,
        @{run}/user/@{uid}/.dbus-proxy/ w,
        @{run}/user/@{uid}/dconf/user rw,
  owner @{run}/user/@{uid}/.dbus-proxy/* rw,
  owner @{run}/user/@{uid}/.flatpak-cache rw,
  owner @{run}/user/@{uid}/.flatpak/ rw,
  owner @{run}/user/@{uid}/.flatpak/** rwlk -> @{run}/user/@{uid}/.flatpak/**,
  owner @{run}/user/@{uid}/app/ w,
--- a/apparmor.d/profiles-a-f/flatpak-app
+++ b/apparmor.d/profiles-a-f/flatpak-app
@ -3,7 +3,18 @@
 # SPDX-License-Identifier: GPL-2.0-only
 # Default profile for all flatpak applications. Ideally, this profile should be
-# generated by flatpak itself with settings from the flatpak manifest.
+# generated by flatpak itself with settings from the flatpak manifest and 
 # fully separated from bwrap.
 # Note: This profile used to be split in two (flatpak-bwrap & flatpak-app) in order
 # to separate bwrap from the sandboxed app itself. It was generating issue with 
 # zypak-sandbox, therefore the profiles have been merged. Meanwhile, to install
 # some applications, flatpak needs write access to the sandbox content. This is
 # done through bwrap and therefore in this profile.
 #
 # 1. All of this will have to be improved. However, as of today, it is the only way
 # to not break some (major) flatpak app.
 # 2. It is not a big deal as flatpak is responsible for the sandbox anyway.
 abi <abi/3.0>,
@ -13,18 +24,34 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>
  include <abstractions/bwrap-app>
  capability dac_override,
  capability dac_read_search,
  capability net_admin,
  capability setpcap,
  capability sys_admin,
  capability sys_ptrace,
  capability sys_resource,
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink dgram,
  network netlink raw,
-  ptrace (read),
+  mount options=(rw, silent, rslave) -> /,
-  ptrace peer=flatpak-app//&flatpak-bwrap,
+  mount fstype=tmpfs -> /tmp/,
  mount -> /newroot/{,**},
  mount -> /oldroot/,
  mount -> /tmp/newroot/,
  umount /{,oldroot/},
-  signal peer=flatpak-app//&flatpak-bwrap,
+  pivot_root oldroot=/newroot/ -> /newroot/,
  pivot_root oldroot=/tmp/oldroot/ -> /tmp/,
  ptrace (read),
  signal (receive) set=(int) peer=flatpak-portal,
  @{bin}/**                            rmix,
  @{lib}/**                            rmix,
@ -32,9 +59,44 @@ profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
  /var/lib/flatpak/app/*/**/@{bin}/**  rmix,
  /var/lib/flatpak/app/*/**/@{lib}/**  rmix,
  @{bin}/gtk{,4}-update-icon-cache     rPx -> flatpak-app//&gtk-update-icon-cache,
  @{bin}/update-desktop-database       rPx -> flatpak-app//&update-desktop-database,
  @{bin}/update-mime-database          rPx -> flatpak-app//&update-mime-database,
  @{bin}/xdg-dbus-proxy                rPx -> flatpak-app//&xdg-dbus-proxy,
  /var/lib/flatpak/app/{,**} r,
-  @{run}/flatpak/{,**} r,
+  /usr/share/flatpak/triggers/*     rix,
  /usr/.ref rk,
  /etc/shells rw,
  /app/.ref k,
  /app/extra/** rw,
  /bindfile@{rand6} rw,
  /newroot/{,**} rw,
  /tmp/newroot/ w,
  /tmp/oldroot/ w,
  /var/lib/flatpak/app/{,**} r,
  /var/lib/flatpak/exports/** rw,
  /var/tmp/etilqs_@{hex} rw,
        @{run}/.userns r,
  owner @{run}/flatpak/{,**} rk,
  owner @{run}/flatpak/app/*/*ipc* rw,
  owner @{run}/ld-so-cache-dir/* rw,
        @{PROC}/@{pid}/fd/ r,
        @{PROC}/sys/kernel/overflowgid r,
        @{PROC}/sys/kernel/overflowuid r,
        @{PROC}/sys/user/max_user_namespaces w,
  owner @{PROC}/@{pid}/gid_map rw,
  owner @{PROC}/@{pid}/setgroups rw,
  owner @{PROC}/@{pid}/uid_map rw,
  deny /apparmor/.null rw,
  include if exists <usr/flatpak-app.d>
  include if exists <local/flatpak-app>
--- a/apparmor.d/profiles-a-f/flatpak-bwrap
+++ b/apparmor.d/profiles-a-f/flatpak-bwrap
@ -1,81 +0,0 @@
 # apparmor.d - Full set of apparmor profiles
 # Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
 # SPDX-License-Identifier: GPL-2.0-only
 abi <abi/3.0>,
 include <tunables/global>
 profile flatpak-bwrap flags=(attach_disconnected,mediate_deleted) {
  include <abstractions/base>
  include <abstractions/bwrap-app>
  include <abstractions/dbus>
  capability dac_override,
  capability dac_read_search,
  capability net_admin,
  capability setpcap,
  capability sys_admin,
  capability sys_ptrace,
  capability sys_resource,
  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink raw,
  mount options=(rw, silent, rslave) -> /,
  mount fstype=tmpfs -> /tmp/,
  mount -> /newroot/{,**},
  mount -> /oldroot/,
  mount -> /tmp/newroot/,
  umount /{,oldroot/},
  pivot_root oldroot=/newroot/ -> /newroot/,
  pivot_root oldroot=/tmp/oldroot/ -> /tmp/,
  ptrace peer=flatpak-app//&flatpak-bwrap,
  signal peer=flatpak-app//&flatpak-bwrap,
  @{bin}/**                         rmix,
  @{lib}/**                         rmix,
  /app/**                           rm,
  @{bin}/gtk{,4}-update-icon-cache  rPx -> flatpak-bwrap//&gtk-update-icon-cache,
  @{bin}/update-desktop-database    rPx -> flatpak-bwrap//&update-desktop-database,
  @{bin}/update-mime-database       rPx -> flatpak-bwrap//&update-mime-database,
  @{bin}/xdg-dbus-proxy             rPx -> flatpak-bwrap//&xdg-dbus-proxy,
  /app/**                           rPx -> flatpak-bwrap//&flatpak-app,
  /usr/share/flatpak/triggers/*     rix,
  /usr/.ref rk,
  /etc/shells rw,
  /app/.ref k,
  /app/extra/** rw,
  /bindfile@{rand6} rw,
  /newroot/{,**} rw,
  /tmp/newroot/ w,
  /tmp/oldroot/ w,
  /var/lib/flatpak/app/{,**} r,
  /var/lib/flatpak/exports/** rw,
  /var/tmp/etilqs_@{hex} rw,
  owner @{run}/flatpak/{,**} rk,
  owner @{run}/ld-so-cache-dir/* rw,
        @{PROC}/sys/kernel/overflowgid r,
        @{PROC}/sys/kernel/overflowuid r,
        @{PROC}/sys/user/max_user_namespaces w,
  owner @{PROC}/@{pid}/gid_map rw,
  owner @{PROC}/@{pid}/setgroups rw,
  owner @{PROC}/@{pid}/uid_map rw,
  include if exists <usr/flatpak-bwrap.d>
  include if exists <local/flatpak-bwrap>
 }
--- a/apparmor.d/profiles-a-f/flatpak-portal
+++ b/apparmor.d/profiles-a-f/flatpak-portal
@ -15,9 +15,9 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
  network netlink raw,
-  ptrace (read),
+  ptrace read,
-  signal (send) peer=unconfined,
+  signal send,
  @{exec_path} mr,
--- a/dists/flags/main.flags
+++ b/dists/flags/main.flags
@ -114,7 +114,6 @@ firefox-kmozillahelper complain
 firefox-vaapitest complain
 flatpak attach_disconnected,mediate_deleted,complain
 flatpak-app attach_disconnected,mediate_deleted,complain
 flatpak-bwrap attach_disconnected,mediate_deleted,complain
 flatpak-oci-authenticator complain
 flatpak-portal attach_disconnected,complain
 flatpak-session-helper attach_disconnected,complain