
Re: Flatpak and apparmor.

Hi.

On Sat, Apr 06, 2019 at 09:30:11PM +0300, Georgios wrote:
> I would like to know how I can set up an apparmor profile of an
> application I run through flatpak.

It seems impossible.

For instance, I've executed:

flatpak install flathub com.dosbox.DOSBox

Along with the whole new root filesystem I've got this executable:

/var/lib/flatpak/app/com.dosbox.DOSBox/x86_64/stable/aa1cdd7cf25ba150b5fbb0de0c46783ef0f645e99a48802a0d7194f60aafa8d2/files/bin/dosbox

Upon running:

flatpak run com.dosbox.DOSBox

Among other things, I've got a "dosbox" process with an executable
pointing at:

# ls -al /proc/6961/exe
lrwxrwxrwx 1 user user 0 Apr  7 15:59 /proc/6961/exe -> /newroot/app/bin/dosbox

Apparmor is written in such a way that it requires an absolute pathname of
the executable to apply its policy to.

The problem is:

aa-genprof /var/lib/flatpak/.../dosbox

Produces zero effect.

Alternative approaches such as:

aa-genprof /newroot/app/bin/dosbox

or

nsenter -t 6961
aa-genprof /newroot/app/bin/dosbox

rightfully complain that:

ERROR: /newroot/app/bin/dosbox does not exists, please double-check the path

Of course, what you could try is to apply Apparmor policy to
/usr/bin/bwrap (which executes all flatpak 'containers'), but it fails
to generate any useful policy for me.

Reco
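The path mismatch Reco describes (the process sees /newroot/app/bin/dosbox, the host sees nothing at that path) can be inspected from the host side through /proc. The script below is an added example, not code from the mail or from flatpak/apparmor; it assumes a Linux /proc and uses the 6961/dosbox values from the mail only as illustration in comments.

```shell
#!/bin/sh
# Added example: inspect, from the host, what a (possibly bwrap-sandboxed)
# process is really executing and whether AppArmor confines it.
#
# /proc/<pid>/exe is the path as the process sees it inside its own mount
# namespace (for the flatpak DOSBox case in the mail: /newroot/app/bin/dosbox),
# which is why aa-genprof on that path fails on the host. /proc/<pid>/root
# lets the host walk the process's root filesystem, so the same file is
# reachable as /proc/<pid>/root/newroot/app/bin/dosbox.

# Executable path as seen inside the process's mount namespace.
exe_in_ns() {
    readlink "/proc/$1/exe"
}

# A host-side path that reaches the same file, via /proc/<pid>/root.
# Fails if the process's root is not accessible to the caller.
exe_via_proc_root() {
    target=$(readlink "/proc/$1/exe") || return 1
    host_path="/proc/$1/root$target"
    [ -e "$host_path" ] || return 1
    printf '%s\n' "$host_path"
}

# "namespaced" if the process's root differs from the host root (what bwrap
# sets up for flatpak apps), "host" otherwise. Compares device:inode numbers.
root_kind() {
    proc_root=$(stat -Lc %d:%i "/proc/$1/root" 2>/dev/null)
    host_root=$(stat -Lc %d:%i / 2>/dev/null)
    if [ "$proc_root" = "$host_root" ]; then
        echo host
    else
        echo namespaced
    fi
}

# AppArmor confinement label of the process, if the kernel exposes one.
confinement() {
    cat "/proc/$1/attr/current" 2>/dev/null || echo unavailable
}

# Human-readable summary for one PID (e.g. the 6961 from the mail).
inspect_pid() {
    pid=$1
    echo "pid $pid exe (in namespace):  $(exe_in_ns "$pid")"
    echo "pid $pid exe (via /proc root): $(exe_via_proc_root "$pid" || echo unreachable)"
    echo "pid $pid root:                 $(root_kind "$pid")"
    echo "pid $pid apparmor:             $(confinement "$pid")"
}
```

Run `inspect_pid <pid>` against the sandboxed process; the "via /proc root" line is the host-resolvable file that `ls /var/lib/flatpak/...` also reaches, while the "in namespace" line is the path AppArmor would have to match.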