I’m trying to generate AppArmor policies to secure my “major/internet-facing” programs.
Most of those programs are Flatpaks.
Flatpaks already have their own sandboxing mechanism, which uses bwrap and XDG portals.
Does AppArmor have any weird interactions with Flatpak, e.g. blocking too much, or blocking too little, or being unable to block anything without rendering the whole program unusable?
Do AppArmor and Flatpak have any weird interactions?
Submitted 3 weeks ago by DeltaWingDragon@sh.itjust.works to linux@sh.itjust.works
that_leaflet@lemmy.world 2 weeks ago
In general, they don’t interfere. The only major issues I’ve seen are with in-development versions of Ubuntu, which have a strange habit of breaking Flatpak, but it gets fixed before release.
DeltaWingDragon@sh.itjust.works 2 weeks ago
Doesn’t Flatpak store separate applications for every user? I could see that causing trouble (the Firefox profile only confines on Alice’s account, Bob runs it without any AppArmor profile)
that_leaflet@lemmy.world 2 weeks ago
I don’t fully understand what you mean.
With Flatpak, you have the option of installing applications on the system (/var/lib/flatpak) or for a single user (~/.local/share/flatpak). And application data for each gets stored in ~/.var/app.
AppArmor should confine the same regardless of which user is running the package. Besides, the flatpak’s main sandboxing comes from bubblewrap. Though the distro’s default AppArmor profiles can further be used to sandbox more stuff.
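
An added example, not part of the thread: one way to check the Alice/Bob question on a running system is to read each process's AppArmor label from `/proc/<pid>/attr/current` and compare it per user. The function names, the `firefox` process and profile names, and the sample rows are assumptions constructed for illustration.

```python
import os
from collections import defaultdict

def parse_label(raw):
    """Split the text of /proc/<pid>/attr/current into (profile, mode).

    A confined task reads like 'firefox (enforce)'; an unconfined one reads
    'unconfined' and has no mode.
    """
    label = raw.strip(" \n\x00")
    if label.endswith(")") and " (" in label:
        name, mode = label.rsplit(" (", 1)
        return name, mode[:-1]
    return label, None

def read_tasks(proc="/proc"):
    """Yield (uid, comm, raw_label) for every process this user can read."""
    for entry in filter(str.isdigit, os.listdir(proc)):
        base = os.path.join(proc, entry)
        try:
            uid = os.stat(base).st_uid
            with open(os.path.join(base, "comm")) as fh:
                comm = fh.read().strip()
            with open(os.path.join(base, "attr", "current")) as fh:
                raw = fh.read()
        except OSError:
            continue  # task exited, is not readable, or no label is exposed
        yield uid, comm, raw

def labels_by_user(tasks, comm):
    """Map uid -> set of (profile, mode) for tasks whose comm matches."""
    seen = defaultdict(set)
    for uid, name, raw in tasks:
        if name == comm:
            seen[uid].add(parse_label(raw))
    return dict(seen)

def inconsistent(per_user):
    """True when users run the same program under different confinement."""
    return len({frozenset(v) for v in per_user.values()}) > 1

# Constructed sample rows: uid 1000 (Alice) confined, uid 1001 (Bob) not.
SAMPLE = [
    (1000, "firefox", "firefox (enforce)\n"),
    (1001, "firefox", "unconfined\n"),
    (1000, "bwrap", "unconfined\n"),
]

if __name__ == "__main__":
    live = labels_by_user(read_tasks(), "firefox")
    print(live or labels_by_user(SAMPLE, "firefox"))
```

Run it with enough privilege to read other users' processes; if no matching process is running it falls back to the constructed sample.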