Re: Flatpak and apparmor.

> On 4/7/19 10:20 AM, didier gaumet wrote:
> > Disclaimer: I have never used Apparmor nor SELinux,

Ditto. I've only explored the Debian profile for evince in order to see
how it's possible to click on a link and call a program that's run via
a wrapper that sets PYTHONPATH, GUILE_LOAD_PATH and LD_LIBRARY_PATH.

On Sun 07 Apr 2019 at 12:32:31 (+0300), Georgios wrote:
> Thanks for your reply.
> 
> I've been using apparmor for the last 2 years and I made my own profiles for my
> applications.
> 
> The problem I'm having is that since flatpak is a bit different I do not
> have any idea how to combine it with apparmor or if it's even possible.

Reading around, it does seem that you've bitten off a big problem to
chew while you are laid up. (Hope it's all going well for you.)
It looks as if the raison d'être of flatpak is ease of deployment,
and so a developer might expect to write an application, say foo, that
can be installed on different versions of linux by means of flatpak.
Flatpak is meant to be able to sandbox foo for security, but this
method seems to come in for a lot of criticism.

However, to run foo in an apparmor environment, you've either got to
write a profile before/as you run it, or the profile is going to have
to be supplied ready-made along with foo. In the latter case, you're
placing its security in the hands of foo's authors/developers rather
than the packaging team at Debian, and who do you trust more?

> On 4/7/19 10:20 AM, didier gaumet wrote:
> > Here are the lists of Apparmor application profiles included in Debian:
> > base: https://packages.debian.org/stretch/all/apparmor-profiles/filelist
> > extra:
> > https://packages.debian.org/stretch/all/apparmor-profiles-extra/filelist
> > 
> > So if your app is in the lists and the packages installed, you probably
> > have nothing more to do.

AFAICT, there are also apparmor profiles bundled into the packages
themselves, like the one I was interested in, evince.

> > There is an Apparmor section in the Debian Handbook that should be of
> > help if you need to create a profile:
> >  https://debian-handbook.info/browse/stable/sect.apparmor.html
> > 
> > And there is a tool to ease the creation of Apparmor rules:
> >  https://packages.debian.org/stretch/apparmor-easyprof

I take it that this is the method to use, but on the application, foo,
that's installed by flatpak rather than on flatpak itself. It sounds
as if you're (OP) familiar with doing that.

Cheers,
David.