Linux

2954 readers

2 users here now

Shit, just linux.

Use this community for anything related to linux for now, if it gets too huge maybe there will be some sort of meme/gaming/shitpost spinoff. Currently though… go nuts

founded 2 years ago

MODERATORS

carrot

Do AppArmor and Flatpak have any weird interactions? (self.linux)

submitted 2 weeks ago by DeltaWingDragon to c/linux

5 comments fedilink hide all child comments

I'm trying to generate AppArmor policies to secure my "major/internet-facing" programs.
Most of those programs are Flatpaks.
Flatpaks already have their own sandboxing mechanism, which uses bwrap and XDG portals.
Does AppArmor have any weird interactions with Flatpak, e. g. blocking too much, or blocking too little, or being unable to block anything without rendering the whole program unusable?

you are viewing a single comment's thread
view the rest of the comments

[–] DeltaWingDragon 1 points 6 days ago (1 children)

If the applications are installed for a single user, then the executable will be different for each user. This means that one user runs the app with an Apparmor profile, another user runs it unconfined.

[–] [email protected] 1 points 6 days ago

Oh I understand now, you're referring to making AppArmor profiles to target a specific app. I just did a little research and it's possible to create AppArmor policies for binaries that are in a user's home folder.

Rather than hardcoding a specific user's home, you can instead say "@{HOME}". So you could create a profile for "@{HOME}/.local/share/flatpak/app/appID/current/active/files/bin/binaryName" that would confine the app for all users.