Update flatpak

John Johansen 2021-10-02 05:12:22 +00:00
parent 8f9b33627b
commit 1920e423f9

@ -1,8 +1,15 @@
# Introduction
Flatpak uses bubblewrap to sandbox its applications. Unfortunately bubblewrap causes several problems for AppArmor and makes use of AppArmor with flatpaks more difficult than regular applications.
[Flatpak](https://docs.flatpak.org/en/latest/index.html) uses bubblewrap to sandbox its applications. Unfortunately bubblewrap causes several problems for AppArmor and makes use of AppArmor with flatpaks more difficult than regular applications.
It should also be noted that if an application is designed to use portals with flatpak, some permission access occur outside of the applications confinement and then are passed back in to the confined application. This may result in certain apparmor rules appearing like they are not applied. See the [issues](flatpak#issues) section below.
When confining flatpak applications there are 4 main issues that must be dealt with.
- Indirect start of Applications
- [portals](https://github.com/flatpak/xdg-desktop-portal) and a higher level [summary](https://blogs.gnome.org/mclasen/2018/07/19/flatpak-a-look-behind-the-portal/)
- [namespacing](https://man7.org/linux/man-pages/man7/namespaces.7.html)
- [no_new_privs](https://man7.org/linux/man-pages/man2/prctl.2.html)
These are explained in more detail below in the [issues](flatpak#issues) section after the basic tutorial on what needs to be done to get AppArmor confinement working without having to understand the issues indepth.
# Confining Bubble wrap applications
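Review bot: the paragraph starting "It should also be noted that if an application is designed to use portals..." is inserted here in the Introduction and again, word for word, under "## Portals" in the Issues section of the next hunk; since this copy already ends with "See the [issues](flatpak#issues) section below", keep it in one place only, otherwise the Issues section just repeats the introduction instead of explaining how portals affect confinement. Smaller points in the same hunk: "some permission access occur outside of the applications confinement" should read "some permission accesses occur outside of the application's confinement", "indepth" should be "in depth", and the new heading "# Confining Bubble wrap applications" should spell the tool as "bubblewrap" to match the links and the "## bubblewwrap" heading (itself misspelled) later in the page. The list of "4 main issues" also uses "Indirect start of Applications" while the Issues section uses "## Indirect launch"; using the same term in both places makes the cross-reference easier to follow.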
@ -121,5 +128,24 @@ profile sol /app/bin/sol flags=(complain, attach_disconnected) {
# Issues
- namespacing
- no-new-privs
## bubblewwrap
- has support for apparmor but flatpak doesn't allow calling with params
- need to investigate more
## Indirect launch
## Portals
It should also be noted that if an application is designed to use portals with flatpak, some permission access occur outside of the applications confinement and then are passed back in to the confined application. This may result in certain apparmor rules appearing like they are not applied. See the [issues](flatpak#issues) section below.
## Namespaces
## no_new_privs
How they are handled and
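Review bot: the Issues section this hunk adds is incomplete: "## Indirect launch", "## Namespaces" and "## no_new_privs" have no body, and the page ends mid-sentence with "How they are handled and", so readers sent here by the "See the [issues](flatpak#issues) section below" links in the introduction find nothing that explains the four issues. Either finish these sections before merging or mark them as work in progress so the introduction's promise that they "are explained in more detail below" is not misleading. Also, the heading "## bubblewwrap" has a doubled "w" and should be "## bubblewrap", and the "## Portals" paragraph is a verbatim copy of the introduction paragraph including its own "See the [issues](flatpak#issues) section below" pointer, which reads oddly inside the Issues section itself; replace it with the portal-specific detail (which accesses happen outside the confinement and are passed back in) that the introduction defers to here.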