
Re: Flatpak and apparmor.

Thanks for your help!

So Flatpak and AppArmor are not compatible.

Well, what about SELinux?

I was thinking of moving from AppArmor to SELinux sooner or later, but I
already had a working system that I didn't want to mess with.

If SELinux is supported, I guess I should consider making the transition.



On 4/7/19 4:06 PM, Reco wrote:
> 	Hi.
> 
> On Sat, Apr 06, 2019 at 09:30:11PM +0300, Georgios wrote:
>> I would like to know how I can set up an AppArmor profile for an
>> application I run through Flatpak.
> 
> It seems impossible.
> 
> For instance, I've executed:
> 
> flatpak install flathub com.dosbox.DOSBox
> 
> Along with the new whole root filesystem I've got this executable:
> 
> /var/lib/flatpak/app/com.dosbox.DOSBox/x86_64/stable/aa1cdd7cf25ba150b5fbb0de0c46783ef0f645e99a48802a0d7194f60aafa8d2/files/bin/dosbox
> 
> Upon running:
> 
> flatpak run com.dosbox.DOSBox
> 
> Among other things, I've got a "dosbox" process with an executable
> pointing at:
> 
> # ls -al /proc/6961/exe
> lrwxrwxrwx 1 user user 0 Apr  7 15:59 /proc/6961/exe -> /newroot/app/bin/dosbox
> 
> 
> AppArmor is written in such a way that it requires an absolute pathname of
> the executable to apply its policy to.
> 
> The problem is:
> 
> aa-genprof /var/lib/flatpak/.../dosbox
> 
> Produces zero effect.
> 
> Alternative approaches such as:
> 
> aa-genprof /newroot/app/bin/dosbox
> 
> or
> 
> nsenter -t 6961
> aa-genprof /newroot/app/bin/dosbox
> 
> rightfully complain that:
> 
> ERROR: /newroot/app/bin/dosbox does not exists, please double-check the path
> 
> 
> Of course, what you could try is to apply Apparmor policy to
> /usr/bin/bwrap (which executes all flatpak 'containers'), but it fails
> to generate any useful policy for me.
> 
> Reco
>
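As an added illustration, not part of either message above and not a Flatpak or AppArmor tool, here is a small POSIX shell helper that checks, for any PID, where the process's executable lives from AppArmor's point of view: the target of /proc/PID/exe, whether that path exists on the host filesystem (the view aa-genprof works from), whether it exists inside the process's own mount namespace (reached through /proc/PID/root), and the AppArmor label in /proc/PID/attr/current. Run as root against the PID of a `flatpak run` process it should reproduce the situation Reco describes: the path is visible through /proc/PID/root but not on the host. It assumes Linux with /proc mounted; the script name and function names are my own.

```shell
#!/bin/sh
# Added example (not from the original thread): show where a process's
# executable lives, as seen by the host and by the process itself.
# Assumes Linux with /proc mounted; needs the same user or root for other PIDs.

# Path that /proc/PID/exe points to, i.e. the path inside the process's own
# mount namespace. Fails (non-zero) if the link cannot be read.
exe_path() {
    readlink "/proc/$1/exe"
}

# Strip the " (deleted)" suffix readlink shows for unlinked binaries.
strip_deleted() {
    p=$1
    printf '%s\n' "${p%" (deleted)"}"
}

# "yes" if the exe path exists on the host filesystem, the only view a
# path-based AppArmor profile (and aa-genprof) can reference; else "no".
exe_on_host() {
    p=$(exe_path "$1") || return 1
    p=$(strip_deleted "$p")
    if [ -e "$p" ]; then echo yes; else echo no; fi
}

# "yes" if the same path exists inside the process's own mount namespace,
# reached through /proc/PID/root (e.g. /newroot/... for a bwrap sandbox); else "no".
exe_in_own_ns() {
    pid=$1
    p=$(exe_path "$pid") || return 1
    p=$(strip_deleted "$p")
    if [ -e "/proc/$pid/root$p" ]; then echo yes; else echo no; fi
}

# AppArmor confinement label of the process, or "unknown" if the attribute
# is missing or unreadable (kernel without AppArmor, insufficient rights).
aa_label() {
    f="/proc/$1/attr/current"
    if [ -r "$f" ]; then
        cat "$f" 2>/dev/null || echo unknown
    else
        echo unknown
    fi
}

# One-line report per PID.
report() {
    pid=$1
    printf 'pid %s exe=%s host=%s own-ns=%s apparmor=%s\n' \
        "$pid" "$(exe_path "$pid")" "$(exe_on_host "$pid")" \
        "$(exe_in_own_ns "$pid")" "$(aa_label "$pid")"
}

# Usage: ./exe-view-check.sh <pid>...   (defaults to this shell's own PID)
if [ "$#" -eq 0 ]; then set -- $$; fi
for pid in "$@"; do report "$pid"; done
```

For an ordinary process both columns read yes; for a Flatpak application, host=no and own-ns=yes is exactly the mismatch that makes `aa-genprof /newroot/app/bin/dosbox` complain that the path does not exist, since the host never sees /newroot.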