flatpak
fapp
Default profile for all flatpak applications. Ideally, this profile should be
generated by flatpak itself with settings from the flatpak manifest.
See abstractions/app/flatpak for more details about the security objectives.
flatpak-app
Warning
This profile is deprecated and will be removed in future releases. It is only used with apparmor < 4.1. See the fapp and fbwrap profiles instead.
Default profile for all flatpak applications. Ideally, this profile should be generated by flatpak itself with settings from the flatpak manifest and fully separated from bwrap.
Note: This profile used to be split in two (flatpak-bwrap & flatpak-app) in order to separate bwrap from the sandboxed app itself. The split caused issues with zypak-sandbox, so the profiles have been merged. Meanwhile, to install some applications, flatpak needs write access to the sandbox content. This is done through bwrap and therefore in this profile.
- All of this will have to be improved. However, as of today, it is the only way to not break some (major) flatpak apps.
- It is not a big deal as flatpak is responsible for the sandbox anyway. This is only defence in depth.
- The main purpose of this profile is to ensure all processes are confined.