Flatpak abstractions
These abstractions should only be used by the Flatpak profiles. They provide the rules needed to run Flatpak applications confined with AppArmor. They are designed to match the Flatpak Sandbox Permissions very closely. They therefore differ from their host equivalents, as Flatpak apps do not have access to the full host filesystem.
flatpak/baseapp/org.chromium.Chromium
Required variables: appid,
flatpak/baseapp/org.mozilla.firefox
Required variables: appid,
flatpak/devices/all
Flatpak's all devices permission gives full access to the system. To limit this, we explicitly list the allowed devices, using the abstractions for common devices.
As this may lead to issues, a future implementation will leverage AppArmor prompts to request access to devices on demand.
flatpak/filesystem
Used by the generic flatpak app profile (fapp) to cover filesystem access as defined in the Flatpak documentation. Dynamically generated flatpak profiles do not use this abstraction. As a generic profile cannot filter the filesystem for each app, the flatpak/filesystem abstraction gives full access to the user's home and read-only access to host system files, within the limits of what Flatpak defines: https://docs.flatpak.org/en/latest/sandbox-permissions.html#filesystem-access
flatpak/platform/org.freedesktop
Required variables: appid,