Comment on Do AppArmor and Flatpak have any weird interactions?
DeltaWingDragon@sh.itjust.works 2 weeks agoDoesn’t Flatpak store separate applications for every user? I could see that causing trouble (the Firefox profile only confines on Alice’s account, Bob runs it without any Apparmor profile)
that_leaflet@lemmy.world 2 weeks ago
I don’t fully understand what you mean.
With flatpak, you have the option of installing applications on the system (/var/lib/flatpak) or for a single user (~.local/share/flatpak). And application data for each gets stored in ~/.var/app.
AppArmor should confine the same regardless of which user is running the package. Besides, the flatpak’s main sandboxing comes from bubblewrap. Though the distro’s default AppArmor profiles can further be used to sandbox more stuff.
DeltaWingDragon@sh.itjust.works 2 weeks ago
If the applications are installed for a single user, then the executable will be different for each user. This means that one user runs the app with an Apparmor profile, another user runs it unconfined.
that_leaflet@lemmy.world 2 weeks ago
Oh I understand now, you’re referring to making AppArmor profiles to target a specific app. I just did a little research and it’s possible to create AppArmor policies for binaries that are in a user’s home folder.
Rather than hardcoding a specific user’s home, you can instead say “@{HOME}”. So you could create a profile for “@{HOME}/.local/share/flatpak/app/appID/current/active/files/bin/binaryName” that would confine the app for all users.