
Re: Flatpak and apparmor.

On 4/7/19 5:45 PM, David Wright wrote:
>> On 4/7/19 10:20 AM, didier gaumet wrote:
>>> Disclaimer: I have never used Apparmor nor SELinux,
> 
> Ditto. I've only explored the Debian profile for evince in order to see
> how it's possible to click on a link and call a program that's run via
> a wrapper that sets PYTHONPATH, GUILE_LOAD_PATH and LD_LIBRARY_PATH.
> 
> On Sun 07 Apr 2019 at 12:32:31 (+0300), Georgios wrote:
>> Thanks for your reply.
>>
>> I've been using apparmor for the last 2 years and I've made my own profiles
>> for my applications.
>>
>> The problem I'm having is that since flatpak is a bit different I do not
>> have any idea how to combine it with apparmor or if it's even possible.
> 
> Reading around, it does seem that you've bitten off a big problem to
> chew while you are laid up. (Hope it's all going well for you.)

Everything is fine thanks!

> It looks as if the raison d'être of flatpak is ease of deployment,
> and so a developer might expect to write an application, say foo, that
> can be installed on different versions of linux by means of flatpak.
> Flatpak is meant to be able to sandbox foo for security, but this
> method seems to come in for a lot of criticism.

It depends on what kind of sandboxing we are talking about. I think the MAC
model is a better option.

> However, to run foo in an apparmor environment, you've either got to
> write a profile before/as you run it, or the profile is going to have
> to be supplied readymade along with foo. In the latter case, you're
> placing its security in the hands of foo's authors/developers rather
> than the packaging team at Debian, and who do you trust more?
> 
Good question. I would trust the Debian team but I would certainly feel the
need to take a look.

As far as I can see from
https://github.com/flatpak/flatpak/wiki/Sandbox
they are planning to sandbox each application in its own SELinux context.
That means that probably there are no plans for apparmor or apparmor
profiles.

Not a big surprise, I guess.

Anyway, thanks for your replies!
:D

>> On 4/7/19 10:20 AM, didier gaumet wrote:
>>> Here are the lists of Apparmor applications profiles included in Debian:
>>> base: https://packages.debian.org/stretch/all/apparmor-profiles/filelist
>>> extra:
>>> https://packages.debian.org/stretch/all/apparmor-profiles-extra/filelist
>>>
>>> So if your app is in the lists and the packages are installed, you probably
>>> have nothing more to do.
> 
> AFAICT, there are also apparmor profiles bundled into the packages
> themselves, like the one I was interested in, evince.
> 
>>> There is an Apparmor section in the Debian Handbook that should be of
>>> help if you need to create a profile:
>>>  https://debian-handbook.info/browse/stable/sect.apparmor.html
>>>
>>> And there is a tool to ease the creation of Apparmor rules:
>>>  https://packages.debian.org/stretch/apparmor-easyprof
> 
> I take it that this is the method to use, but on the application, foo,
> that's installed by flatpak rather than on flatpak itself. It sounds
> as if you're (OP) familiar with doing that.
> 
> Cheers,
> David.
>