feat(flatpak): add flatpak integration.

- Add flatpak profile - Add flatpak-bwrap subprofile: it manage the sandbox creation & has some larger access. - Add flatpak-app, default profile for sandboxed app. See Full system policy #252
roddhjav · Nov 26, 2023 · aa15533 · aa15533
1 parent e41779f
commit aa15533
Show file tree

Hide file tree

Showing 5 changed files with 219 additions and 3 deletions.
diff --git a/apparmor.d/profiles-a-f/flatpak b/apparmor.d/profiles-a-f/flatpak
@@ -0,0 +1,97 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <[email protected]>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+@{exec_path} = @{bin}/flatpak
+profile flatpak @{exec_path} flags=(attach_disconnected,mediate_deleted,complain) {
+  include <abstractions/base>
+  include <abstractions/consoles>
+  include <abstractions/dconf-write>
+  include <abstractions/freedesktop.org>
+  include <abstractions/nameservice-strict>
+  include <abstractions/openssl>
+  include <abstractions/ssl_certs>
+  include <abstractions/X-strict>
+
+  capability dac_override,
+  capability dac_read_search,
+  capability net_admin,
+
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+
+  @{exec_path} mr,
+
+  @{bin}/bwrap    rPx -> flatpak-bwrap, 
+  @{bin}/gpg      rCx -> gpg,
+  @{bin}/gpgconf  rCx -> gpg,
+  @{bin}/gpgsm    rCx -> gpg,
+
+  /usr/share/gvfs/remote-volume-monitors/*.monitor r,
+  /usr/share/flatpak/{,**} r,
+
+  /etc/flatpak/{,**} r,
+  /etc/pulse/client.conf r,
+
+  /var/lib/flatpak/{,**} rwlk,
+  /var/tmp/#@{int} rw,
+
+  / r,
+
+  owner @{HOME}/.var/ w,
+  owner @{HOME}/.var/app/{,**} rw,
+
+  owner @{user_cache_dirs}/flatpak/{,**} rw,
+  owner @{user_config_dirs}/pulse/client.conf r,
+  owner @{user_config_dirs}/user-dirs.dirs r,
+
+        @{user_share_dirs}/flatpak/{,**} r,
+  owner @{user_share_dirs}/flatpak/{,**} rw,
+
+        /tmp/#@{int} rw,
+  owner /dev/shm/flatpak*/{,**} rw,
+  owner /tmp/ostree-gpg-*/{,**} rw,
+
+        @{run}/user/@{uid}/.dbus-proxy/ w,
+        @{run}/user/@{uid}/dconf/user rw,
+  owner @{run}/user/@{uid}/.dbus-proxy/* rw,
+  owner @{run}/user/@{uid}/.flatpak/ rw,
+  owner @{run}/user/@{uid}/.flatpak/** rwlk -> @{run}/user/@{uid}/.flatpak/**,
+  owner @{run}/user/@{uid}/app/ w,
+  owner @{run}/user/@{uid}/app/*/ w,
+
+  @{sys}/module/nvidia/version r,
+
+  owner @{PROC}/@{pid}/stat r,
+
+  deny @{user_share_dirs}/gvfs-metadata/* r,
+
+  /dev/tty rw,
+  /dev/tty@{int} rw,
+
+  profile gpg {
+    include <abstractions/base>
+
+    capability dac_read_search,
+
+    @{bin}/gpg{,2}  mr,
+    @{bin}/gpgconf  mr,
+    @{bin}/gpgsm    mr,
+
+    @{HOME}/@{XDG_GPG_DIR}/*.conf r,
+
+    owner /tmp/ostree-gpg-*/ rw,
+    owner /tmp/ostree-gpg-*/** rwkl -> /tmp/ostree-gpg-*/**,
+
+    include if exists <local/flatpak_gpg>
+  }
+
+  include if exists <local/flatpak>
+}
diff --git a/apparmor.d/profiles-a-f/flatpak-app b/apparmor.d/profiles-a-f/flatpak-app
@@ -0,0 +1,36 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <[email protected]>
+# SPDX-License-Identifier: GPL-2.0-only
+
+# Default profile for all flatpak applications. Ideally, this profile should be
+# generated by flatpak itself with settings from the flatpak manifest.
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
+  include <abstractions/base>
+  include <abstractions/bwrap-app>
+
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+
+  ptrace peer=flatpak-bwrap//&flatpak-app,
+
+  signal peer=flatpak-bwrap//&flatpak-app,
+
+  @{bin}/**                       rmix,
+  @{lib}/**                       rmix,
+  /app/**                         rmix,
+
+  /var/lib/flatpak/app/{,**} r,
+
+  @{run}/flatpak/{,**} r,
+
+  include if exists <usr/flatpak-app.d>
+  include if exists <local/flatpak-app>
+}
diff --git a/apparmor.d/profiles-a-f/flatpak-bwrap b/apparmor.d/profiles-a-f/flatpak-bwrap
@@ -0,0 +1,77 @@
+# apparmor.d - Full set of apparmor profiles
+# Copyright (C) 2023 Alexandre Pujol <[email protected]>
+# SPDX-License-Identifier: GPL-2.0-only
+
+abi <abi/3.0>,
+
+include <tunables/global>
+
+profile flatpak-bwrap flags=(attach_disconnected,mediate_deleted) {
+  include <abstractions/base>
+  include <abstractions/bwrap-app>
+  include <abstractions/dbus>
+
+  capability dac_override,
+  capability dac_read_search,
+  capability net_admin,
+  capability setpcap,
+  capability sys_admin,
+  capability sys_ptrace,
+  capability sys_resource,
+
+  network inet dgram,
+  network inet6 dgram,
+  network inet stream,
+  network inet6 stream,
+  network netlink raw,
+
+  mount,
+  umount,
+
+  pivot_root oldroot=/newroot/ -> /newroot/,
+  pivot_root oldroot=/tmp/oldroot/ -> /tmp/,
+
+  ptrace peer=flatpak-bwrap//&flatpak-app,
+
+  signal peer=flatpak-bwrap//&flatpak-app,
+
+  @{bin}/**                         rmix,
+  @{lib}/**                         rmix,
+  /app/**                           rm,
+
+  @{bin}/gtk{,4}-update-icon-cache  rPx -> flatpak-bwrap//&gtk-update-icon-cache,
+  @{bin}/update-desktop-database    rPx -> flatpak-bwrap//&update-desktop-database,
+  @{bin}/update-mime-database       rPx -> flatpak-bwrap//&update-mime-database,
+  @{bin}/xdg-dbus-proxy             rPx -> flatpak-bwrap//&xdg-dbus-proxy,
+  /app/**                           rPx -> flatpak-bwrap//&flatpak-app,
+
+  /usr/share/flatpak/triggers/*     rix,
+
+  /usr/.ref rk,
+
+  /etc/shells rw,
+
+  /app/.ref k,
+  /app/extra/** rw,
+  /bindfile@{rand6} rw,
+  /newroot/{,**} rw,
+  /tmp/newroot/ w,
+  /tmp/oldroot/ w,
+
+  /var/lib/flatpak/app/{,**} r,
+  /var/lib/flatpak/exports/** rw,
+  /var/tmp/etilqs_@{hex} rw,
+
+  owner @{run}/flatpak/{,**} rk,
+  owner @{run}/ld-so-cache-dir/* rw,
+
+        @{PROC}/sys/kernel/overflowgid r,
+        @{PROC}/sys/kernel/overflowuid r,
+        @{PROC}/sys/user/max_user_namespaces w,
+  owner @{PROC}/@{pid}/gid_map rw,
+  owner @{PROC}/@{pid}/setgroups rw,
+  owner @{PROC}/@{pid}/uid_map rw,
+
+  include if exists <usr/flatpak-bwrap.d>
+  include if exists <local/flatpak-bwrap>
+}
diff --git a/apparmor.d/profiles-a-f/flatpak-portal b/apparmor.d/profiles-a-f/flatpak-portal
@@ -15,13 +15,13 @@ profile flatpak-portal @{exec_path} flags=(attach_disconnected) {
 
   network netlink raw,
 
-  ptrace (read) peer=xdg-dbus-proxy,
+  ptrace (read),
 
   signal (send) peer=unconfined,
 
   @{exec_path} mr,
 
-  @{bin}/flatpak rUx,
+  @{bin}/flatpak rPx,
 
   /usr/share/mime/mime.cache r,
   /usr/share/xdg-desktop-portal/portals/{,*.portal} r,

diff --git a/dists/flags/main.flags b/dists/flags/main.flags
@@ -101,7 +101,13 @@ file-roller complain
 firefox-glxtest complain
 firefox-kmozillahelper complain
 firefox-vaapitest complain
-flatpak-session-helper complain
+flatpak attach_disconnected,mediate_deleted,complain
+flatpak-app attach_disconnected,mediate_deleted,complain
+flatpak-bwrap attach_disconnected,mediate_deleted,complain
+flatpak-portal attach_disconnected,complain
+flatpak-session-helper attach_disconnected,complain
+flatpak-system-helper complain
+flatpak-validate-icon complain
 fsck-ext4 complain
 fuse-overlayfs complain
 fusermount complain