App abstractions

app/bus

Minimal set of rules for dbus-send or dbus-launch.

app/bwrap-glycin

Base set of rules for glycin-loaders sandboxed with bwrap.

  • It is safe to use when applied as in the glycin profile.
  • It is not safe to use from a profile that stacks glycin.

See https://github.com/roddhjav/apparmor.d/issues/881 for more details.

app/chromium

A full set of rules for all chromium-based browsers. It works as a function and requires some variables to be provided as arguments and set in the header of the calling profile. Example, taken from apparmor.d/groups/browsers/chromium:

@{name} = chromium
@{domain} = org.chromium.Chromium
@{lib_dirs} = @{lib}/chromium
@{config_dirs} = @{user_config_dirs}/chromium
@{cache_dirs} = @{user_cache_dirs}/chromium

If your application requires chromium to run, use common/chromium or common/electron instead.

Required variables: name, domain, lib_dirs, config_dirs, cache_dirs
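As an added illustration (not a profile shipped by apparmor.d), here is a minimal calling profile for a hypothetical chromium-based browser installed under /opt/mybrowser. The browser name, D-Bus name and paths are placeholders; the point is that every required variable is set in the header before the abstraction is included, so the abstraction's rules resolve to this browser's own directories only.

```apparmor
abi <abi/4.0>,

include <tunables/global>

# Variables consumed by abstractions/app/chromium. The browser name,
# D-Bus name and all paths below are hypothetical placeholders.
@{name} = mybrowser
@{domain} = org.example.MyBrowser
@{lib_dirs} = /opt/@{name}
@{config_dirs} = @{user_config_dirs}/@{name}
@{cache_dirs} = @{user_cache_dirs}/@{name}

@{exec_path} = @{lib_dirs}/@{name}
profile mybrowser @{exec_path} flags=(attach_disconnected) {
  include <abstractions/base>
  include <abstractions/app/chromium>

  # Site-local additions stay out of the shipped profile.
  include if exists <local/mybrowser>
}
```

Setting @{lib_dirs}, @{config_dirs} or @{cache_dirs} wider than the browser's actual directories widens every rule the abstraction derives from them, so keep each variable as narrow as the installation allows.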

app/firefox

Full set of rules for all firefox-based browsers. It works as a function and requires some variables to be provided as arguments and set in the header of the calling profile. Example:

@{name} = firefox{,.sh,-esr,-bin}
@{lib_dirs} = @{lib}/@{name} /opt/@{name}
@{config_dirs} = @{HOME}/.mozilla/
@{cache_dirs} = @{user_cache_dirs}/mozilla/

Required variables: name, lib_dirs, config_dirs, cache_dirs

app/flatpak

Default rules for all flatpak applications. Ideally, they should be generated with settings from the flatpak metadata.

Security objectives:

  1. Split the sandbox handler (bwrap) from the app profile (fapp)
  2. Provide defence in depth, as flatpak already provides a sandbox
  3. The main purpose of this profile is to ensure all processes are confined

Notable security improvements over no profile at all:

  • No capabilities (except dac_override & dac_read_search)
  • Restrict unix sockets to profiles defined in apparmor.d
  • Limit dbus system communication to profiles defined in apparmor.d
  • Ensure flatpak-spawn and host-spawn are confined too
  • Filter /proc/, /sys/ access

Keep in mind that the profile is still common for all apps and is therefore way more permissive than a per-app profile would be.

Abstractions in abstractions/flatpak/ closely follow the sandbox defined by flatpak and therefore differ from their host equivalents, as flatpak apps do not have access to the full host filesystem.

attach_disconnected: tweak the build system to replace attached abstractions

Required variables: appid, att

app/fusermount

Minimal set of rules for fusermount subprofiles. The path to mount/unmount should be defined in the calling profile.

app/open

Full set of rules for the generic desktop open-* helpers, used in the child-open-* profiles.

app/pager

Minimal set of rules for pagers.

app/pgrep

Minimal set of rules for pgrep/pkill.

app/pkexec

Minimal set of rules for pkexec.

app/sudo

Minimal set of rules for sudo.

app/sudo-rs

Minimal set of rules for sudo-rs.