I’m trying to generate AppArmor policies to secure my “major/internet-facing” programs.
Most of those programs are Flatpaks.
Flatpaks already have their own sandboxing mechanism, which uses bwrap and XDG portals.
Does AppArmor have any weird interactions with Flatpak, e. g. blocking too much, or blocking too little, or being unable to block anything without rendering the whole program unusable?
In general, they don’t interfere. The only major issues I’ve seen are with in development versions of Ubuntu, which have a strange habit of breaking flatpak, but it gets fixed before release.
SELinux tends to have more issues.
Doesn’t Flatpak store separate applications for every user? I could see that causing trouble (the Firefox profile only confines on Alice’s account, Bob runs it without any Apparmor profile)
I don’t fully understand what you mean.
With flatpak, you have the option of installing applications on the system (/var/lib/flatpak) or for a single user (~.local/share/flatpak). And application data for each gets stored in ~/.var/app.
AppArmor should confine the same regardless of which user is running the package. Besides, the flatpak’s main sandboxing comes from bubblewrap. Though the distro’s default AppArmor profiles can further be used to sandbox more stuff.
If the applications are installed for a single user, then the executable will be different for each user. This means that one user runs the app with an Apparmor profile, another user runs it unconfined.
Oh I understand now, you’re referring to making AppArmor profiles to target a specific app. I just did a little research and it’s possible to create AppArmor policies for binaries that are in a user’s home folder.
Rather than hardcoding a specific user’s home, you can instead say “@{HOME}”. So you could create a profile for “@{HOME}/.local/share/flatpak/app/appID/current/active/files/bin/binaryName” that would confine the app for all users.
