this post was submitted on 07 May 2025
8 points (100.0% liked)
Linux
2952 readers
2 users here now
Shit, just linux.
Use this community for anything related to linux for now, if it gets too huge maybe there will be some sort of meme/gaming/shitpost spinoff. Currently though… go nuts
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
In general, they don’t interfere. The only major issues I’ve seen are with in development versions of Ubuntu, which have a strange habit of breaking flatpak, but it gets fixed before release.
SELinux tends to have more issues.
Doesn't Flatpak store separate applications for every user? I could see that causing trouble (the Firefox profile only confines on Alice's account, Bob runs it without any Apparmor profile)
I don't fully understand what you mean.
With flatpak, you have the option of installing applications on the system (/var/lib/flatpak) or for a single user (~.local/share/flatpak). And application data for each gets stored in ~/.var/app.
AppArmor should confine the same regardless of which user is running the package. Besides, the flatpak's main sandboxing comes from bubblewrap. Though the distro's default AppArmor profiles can further be used to sandbox more stuff.
If the applications are installed for a single user, then the executable will be different for each user. This means that one user runs the app with an Apparmor profile, another user runs it unconfined.
Oh I understand now, you're referring to making AppArmor profiles to target a specific app. I just did a little research and it's possible to create AppArmor policies for binaries that are in a user's home folder.
Rather than hardcoding a specific user's home, you can instead say "@{HOME}". So you could create a profile for "@{HOME}/.local/share/flatpak/app/appID/current/active/files/bin/binaryName" that would confine the app for all users.