Thanks for your help! So flatpak and apparmor are not compatible.
Well, what about selinux? I was thinking of moving from apparmor to selinux sooner or later, but I already had a working system that I didn't want to mess. If selinux is supported I guess I should consider making the transition.

On 4/7/19 4:06 PM, Reco wrote:
> Hi.
>
> On Sat, Apr 06, 2019 at 09:30:11PM +0300, Georgios wrote:
>> I would like to know how I can set up an apparmor profile of an
>> application I run through flatpak.
>
> It seems impossible.
>
> For instance, I've executed:
>
> flatpak install flathub com.dosbox.DOSBox
>
> Along with the new whole root filesystem I've got this executable:
>
> /var/lib/flatpak/app/com.dosbox.DOSBox/x86_64/stable/aa1cdd7cf25ba150b5fbb0de0c46783ef0f645e99a48802a0d7194f60aafa8d2/files/bin/dosbox
>
> Upon running:
>
> flatpak run com.dosbox.DOSBox
>
> Along the other things I've got "dosbox" process with an executable
> pointing at:
>
> # ls -al /proc/6961/exe
> lrwxrwxrwx 1 user user 0 Apr 7 15:59 /proc/6961/exe ->
> /newroot/app/bin/dosbox
>
>
> Apparmor is written in such a way that it requires an absolute pathname of
> the executable to apply its policy to.
>
> The problem is:
>
> aa-genprof /var/lib/flatpak/.../dosbox
>
> Produces zero effect.
>
> Alternative approaches such as:
>
> aa-genprof /newroot/app/bin/dosbox
>
> or
>
> nsenter -t 6961
> aa-genprof /newroot/app/bin/dosbox
>
> rightfully complain that:
>
> ERROR: /newroot/app/bin/dosbox does not exists, please double-check the path
>
>
> Of course, what you could try is to apply Apparmor policy to
> /usr/bin/bwrap (which executes all flatpak 'containers'), but it fails
> to generate any useful policy for me.
>
> Reco
>