Flatpak abstractions
These abstractions should only be used by the Flatpak profiles. They provide the rules needed to run Flatpak applications confined by AppArmor, and they are designed to match the Flatpak sandbox permissions as closely as possible. They therefore differ from their host equivalents, as Flatpak apps do not have access to the full host filesystem.
flatpak/base
attach_disconnected: tweak the build system to replace attached abstractions
Required variables: appid, att, profile_dbus
flatpak/baseapp/org.chromium.Chromium
Required variables: appid
flatpak/baseapp/org.mozilla.firefox
Required variables: appid
flatpak/devices/all
Flatpak's all-devices permission gives full access to the system. To limit this, the abstraction explicitly lists the devices that are allowed, using the abstractions for common devices. As this may lead to issues, a future implementation will leverage AppArmor prompts to request access to devices on demand.
flatpak/features/bluetooth
The bluetooth feature allows the application to use bluetooth (AF_BLUETOOTH) sockets. Note, for bluetooth to fully work you must also have network access.
flatpak/features/canbus
The canbus feature allows the application to use CAN bus (AF_CAN) sockets. Note, for this to work you must also have network access.
flatpak/features/devel
The devel feature allows the application to access certain syscalls such as ptrace(), and perf_event_open().
flatpak/features/multiarch
The multiarch feature allows the application to execute programs compiled for an ABI other than the one supported natively by the system. For example, for the x86_64 architecture, 32-bit x86 binaries will be allowed as well.
flatpak/features/per-app-dev-shm
The per-app-dev-shm feature shares a single instance of /dev/shm between the application, any unrestricted subsandboxes that it creates, and any other instances of the application that are launched while it is running. In theory we should allow all access to /dev/shm/ here. However, as it is a potential source of information leaks and confinement escapes, we only allow some well-known paths that are used by the application. A baseapp abstraction can be used to allow access to more paths if needed.
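To see which of the devices and features abstractions above an app would need, the app's sandbox permissions can be read from its metadata (the [Context] section, as printed by `flatpak info --show-permissions <appid>`). The following script is an added example, not part of the apparmor.d project; it assumes every Flatpak profile includes flatpak/base, and it uses a constructed [Context] sample rather than a real app's metadata.

```shell
#!/bin/sh
# Added example (not project code): map a Flatpak [Context] section to the
# flatpak/* abstractions described on this page.

# Constructed sample input, in the format `flatpak info --show-permissions`
# prints (values are semicolon separated with a trailing semicolon).
SAMPLE_CONTEXT='[Context]
shared=network;ipc;
sockets=x11;wayland;pulseaudio;
devices=all;
features=devel;bluetooth;canbus;
filesystems=home;'

# Print, one per line, the abstractions implied by the given [Context] text:
#   devices=all       -> flatpak/devices/all
#   features=<name>   -> flatpak/features/<name>
# flatpak/base is always listed (assumption: every Flatpak profile uses it).
flatpak_abstractions() {
    printf '%s\n' "$1" | awk -F= '
    BEGIN { print "flatpak/base" }
    /^devices=/ {
        n = split($2, v, ";")
        for (i = 1; i <= n; i++) if (v[i] == "all") print "flatpak/devices/all"
    }
    /^features=/ {
        n = split($2, v, ";")
        for (i = 1; i <= n; i++) if (v[i] != "") print "flatpak/features/" v[i]
    }'
}

# The bluetooth and canbus features only fully work with network access
# (see the feature descriptions above): warn when shared=network is missing.
needs_network_warning() {
    printf '%s\n' "$1" | awk -F= '
    /^shared=/   { if (index($2, "network")) net = 1 }
    /^features=/ { if (index($2, "bluetooth") || index($2, "canbus")) sock = 1 }
    END { if (sock && !net) print "warning: bluetooth/canbus feature without shared=network" }'
}

flatpak_abstractions "$SAMPLE_CONTEXT"
needs_network_warning "$SAMPLE_CONTEXT"
```

For a real app, replace the constructed sample with the output of `flatpak info --show-permissions <appid>`.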
flatpak/filesystem
Used by the generic Flatpak app profile (fapp) to cover the filesystem access defined in the Flatpak documentation. Dynamically generated Flatpak profiles do not use this abstraction. As a generic profile cannot filter filesystem access per app, the flatpak/filesystem abstraction gives full access to the user's home and read-only access to host system files, within the limits of what Flatpak defines: https://docs.flatpak.org/en/latest/sandbox-permissions.html#filesystem-access
flatpak/platform/org.freedesktop
Required variables: appid