Re: Flatpak and apparmor.
Hi.
On Sat, Apr 06, 2019 at 09:30:11PM +0300, Georgios wrote:
> I would like to know how I can set up an apparmor profile of an
> application I run through flatpak.
It seems impossible.
For instance, I've executed:
flatpak install flathub com.dosbox.DOSBox
Along with a whole new root filesystem I've got this executable:
/var/lib/flatpak/app/com.dosbox.DOSBox/x86_64/stable/aa1cdd7cf25ba150b5fbb0de0c46783ef0f645e99a48802a0d7194f60aafa8d2/files/bin/dosbox
Upon running:
flatpak run com.dosbox.DOSBox
Among other things, I've got a "dosbox" process with an executable
pointing at:
# ls -al /proc/6961/exe
lrwxrwxrwx 1 user user 0 Apr 7 15:59 /proc/6961/exe -> /newroot/app/bin/dosbox
Apparmor is written in such a way that it requires an absolute pathname of
the executable to apply its policy to.
The problem is:
aa-genprof /var/lib/flatpak/.../dosbox
Produces zero effect.
Alternative approaches such as:
aa-genprof /newroot/app/bin/dosbox
or
nsenter -t 6961
aa-genprof /newroot/app/bin/dosbox
rightfully complain that:
ERROR: /newroot/app/bin/dosbox does not exists, please double-check the path
Of course, what you could try is to apply Apparmor policy to
/usr/bin/bwrap (which executes all flatpak 'containers'), but it fails
to generate any useful policy for me.
Reco
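
Added example, not part of the message above: a shell check for the path mismatch it describes, reporting the AppArmor label a process runs under (read from /proc/<pid>/attr/current) and whether the path behind /proc/<pid>/exe exists in the caller's own mount namespace. The function names and the PROC_ROOT override are hypothetical, and the demo tree (PID 6961 with label "unconfined") is constructed.

```shell
#!/bin/sh
# For one PID, print the AppArmor label and whether the executable path the
# kernel reports is reachable from the host mount namespace. A path that is
# absent on the host (e.g. /newroot/...) is one aa-genprof will refuse.
# PROC_ROOT is a hypothetical override for running against a constructed tree;
# it defaults to the real /proc (reading other users' entries needs root).
aa_exe_report() {
    pid=$1
    proc=${PROC_ROOT:-/proc}/$pid

    # Executable path as seen inside the process's own mount namespace.
    exe=$(readlink "$proc/exe") || { echo "$pid: cannot read exe" >&2; return 1; }

    # AppArmor label: "unconfined" or "<profile> (<mode>)".
    if [ -r "$proc/attr/current" ]; then
        label=$(cat "$proc/attr/current")
    else
        label=unknown
    fi

    # Does the same path resolve where this script is running?
    if [ -e "$exe" ]; then host=present; else host=absent; fi

    printf '%s label=%s exe=%s host_path=%s\n' "$pid" "$label" "$exe" "$host"
}

# Constructed sample mirroring the process in the message; the label value
# is an assumption, not taken from the message.
aa_exe_demo() {
    PROC_ROOT=$(mktemp -d) || return 1
    mkdir -p "$PROC_ROOT/6961/attr"
    ln -s /newroot/app/bin/dosbox "$PROC_ROOT/6961/exe"
    echo unconfined > "$PROC_ROOT/6961/attr/current"
    aa_exe_report 6961
    rm -rf "$PROC_ROOT"
    unset PROC_ROOT
}

# With PIDs as arguments, report on live processes; otherwise run the demo.
if [ $# -gt 0 ]; then
    for p in "$@"; do aa_exe_report "$p"; done
else
    aa_exe_demo
fi
```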