Do AppArmor and Flatpak have any weird interactions?

Submitted ⁨⁨3⁩ ⁨weeks⁩ ago⁩ by ⁨DeltaWingDragon@sh.itjust.works⁩ to ⁨linux@sh.itjust.works⁩

I’m trying to generate AppArmor policies to secure my “major/internet-facing” programs.
Most of those programs are Flatpaks.
Flatpaks already have their own sandboxing mechanism, which uses bwrap and XDG portals.
Does AppArmor have any weird interactions with Flatpak, e. g. blocking too much, or blocking too little, or being unable to block anything without rendering the whole program unusable?

source

Comments

Sort:hotnew top

that_leaflet@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
In general, they don’t interfere. The only major issues I’ve seen are with in development versions of Ubuntu, which have a strange habit of breaking flatpak, but it gets fixed before release.

source
- DeltaWingDragon@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago
  Doesn’t Flatpak store separate applications for every user? I could see that causing trouble (the Firefox profile only confines on Alice’s account, Bob runs it without any Apparmor profile)
  
  source
  - that_leaflet@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
    I don’t fully understand what you mean.
    
    With flatpak, you have the option of installing applications on the system (/var/lib/flatpak) or for a single user (~.local/share/flatpak). And application data for each gets stored in ~/.var/app.
    
    AppArmor should confine the same regardless of which user is running the package. Besides, the flatpak’s main sandboxing comes from bubblewrap. Though the distro’s default AppArmor profiles can further be used to sandbox more stuff.
    
    source
    -> View More Comments