
Re: request to backport calibre 4.16.0



On Mon, 18 May 2020 at 21:21:15 -0400, Nicholas D Steeves wrote:
> Do you know if there would be problems with a Flatpak in combination
> with apparmor?  Specifically I'm worried that dbus, udisk, and USB plug
> and unplug detection will break.

Flatpak works fine on systems that use AppArmor, and Flatpak apps with
appropriate Flatpak permissions can connect to the system dbus-daemon
and communicate with any service (including udisks). I don't specifically
know whether USB plug/unplug detection works, but
https://github.com/flathub/com.calibre_ebook.calibre exists, so presumably
it works well enough...

(Looking at its metadata, it isn't particularly meaningfully-sandboxed:
it has full access to the host filesystem. But it sounds as though you're
looking for Flatpak-as-compatibility-layer rather than Flatpak-as-sandbox,
so that maybe doesn't matter.)

The way Flatpak sets up its containers means that trying to apply AppArmor
profiles to Flatpak apps doesn't work well: AppArmor is path-based,
but Flatpak changes an app's view of the filesystem, so all the paths
have a different meaning. As a result, it's probably best to leave it
unconfined at the AppArmor level, and rely on Flatpak's sandboxing to
limit its access.

    smcv
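
An added example, not part of the original message: a small Python audit of a Flatpak `metadata` keyfile that flags the kinds of permission the message mentions (full host filesystem access, direct system bus access). The sample metadata and its app ID are constructed, and the set of entries treated as "broad" is an assumption of this example.

```python
import configparser

# Constructed sample of a Flatpak "metadata" keyfile; the app ID is hypothetical.
SAMPLE = """\
[Application]
name=org.example.Reader
command=reader

[Context]
shared=network;ipc;
sockets=x11;system-bus;
devices=all;
filesystems=host;xdg-download:ro;
"""

# filesystems= entries that expose the host system or the whole home directory
# (assumption of this example: these four are the ones worth flagging).
BROAD_FS = {"host", "host-os", "host-etc", "home"}
# sockets= entries that give unfiltered access to a D-Bus bus.
RAW_BUS = {"system-bus", "session-bus"}


def items(section, key):
    """Split a ';'-separated keyfile list, dropping empty items."""
    return [v for v in section.get(key, "").split(";") if v]


def audit(text):
    """Return (key, value, reason) tuples for permissions that open the sandbox."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep keys case-sensitive
    cp.read_string(text)
    ctx = cp["Context"] if cp.has_section("Context") else {}
    out = []
    for fs in items(ctx, "filesystems"):
        name, _, mode = fs.partition(":")
        if name in BROAD_FS:
            access = "read-only" if mode == "ro" else "read-write"
            out.append(("filesystems", fs, f"{access} view of host files"))
    for sock in items(ctx, "sockets"):
        if sock in RAW_BUS:
            out.append(("sockets", sock, "unfiltered bus: any service reachable"))
    if "all" in items(ctx, "devices"):
        out.append(("devices", "all", "every host device node exposed"))
    return out


if __name__ == "__main__":
    for key, value, reason in audit(SAMPLE):
        print(f"{key}={value}: {reason}")
```

For an installed app, the same keyfile text can be obtained with `flatpak info --show-metadata <app-id>` and passed to `audit()`.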

