Re: Flatpak and apparmor.
On Sat, Apr 06, 2019 at 09:30:11PM +0300, Georgios wrote:
> I would like to know how I can set up an apparmor profile of a
> application i run through flatpak.
It seems impossible.
For instance, I've executed:
flatpak install flathub com.dosbox.DOSBox
Along with the whole new root filesystem I've got this executable:
flatpak run com.dosbox.DOSBox
Among other things I've got a "dosbox" process with an executable:
# ls -al /proc/6961/exe
lrwxrwxrwx 1 user user 0 Apr 7 15:59 /proc/6961/exe -> /newroot/app/bin/dosbox
Apparmor is written in such a way that it requires an absolute pathname of
the executable to apply its policy to.
The problem is:
Produces zero effect.
Alternative approaches such as:
nsenter -t 6961
rightfully complain that:
ERROR: /newroot/app/bin/dosbox does not exists, please double-check the path
Of course, what you could try is to apply Apparmor policy to
/usr/bin/bwrap (which executes all flatpak 'containers'), but it fails
to generate any useful policy for me.
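
The following is an added example, not part of the original message: a small shell diagnostic that reports, for a given PID, the executable path the process sees, whether that path exists from where the check runs, whether the process shares the caller's mount namespace, and the label in /proc/PID/attr/current. The function name check_attach and its optional second argument (an alternate proc root, for running against a constructed tree) are hypothetical; it assumes AppArmor is the LSM exposing attr/current.

```shell
#!/bin/sh
# Added diagnostic, not from the original post.
# check_attach PID [PROC_ROOT]
#   PROC_ROOT is a hypothetical override (default /proc) so the check can be
#   exercised against a constructed directory tree.
# Prints key=value lines; exits 2 if the exe link cannot be read.
check_attach() (
    pid=$1
    proc=${2:-/proc}

    # Path of the executable as recorded for the process (its own view).
    exe=$(readlink "$proc/$pid/exe") || exit 2

    # Mount namespace identifiers look like "mnt:[4026531840]".
    theirs=$(readlink "$proc/$pid/ns/mnt" 2>/dev/null) || theirs=unknown
    ours=$(readlink "$proc/self/ns/mnt" 2>/dev/null) || ours=unknown

    # Assumption: AppArmor is the LSM behind attr/current, which then reads
    # "unconfined" or "<profile> (<mode>)".
    label=$(cat "$proc/$pid/attr/current" 2>/dev/null) || label=unknown

    if [ "$theirs" = unknown ] || [ "$ours" = unknown ]; then
        same_ns=unknown
    elif [ "$theirs" = "$ours" ]; then
        same_ns=yes
    else
        same_ns=no
    fi

    # Does the recorded path resolve in the caller's own filesystem view?
    # Tools that validate the path before writing a profile need this.
    if [ -e "$exe" ]; then visible=yes; else visible=no; fi

    printf 'exe=%s\n' "$exe"
    printf 'exe_visible_here=%s\n' "$visible"
    printf 'same_mount_ns=%s\n' "$same_ns"
    printf 'apparmor_label=%s\n' "$label"
)

# Stand-alone use: sh check_attach.sh PID
[ $# -eq 0 ] || check_attach "$@"
```

Run as root against the PID of the sandboxed process; "exe_visible_here=no" together with "same_mount_ns=no" is the situation the message describes.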