[pkg-apparmor] Bug#865206: [apparmor] Bug#865206: apparmor: Should apparmor abstractions allow flatpak directories?

Simon McVittie smcv at collabora.com
Mon Jul 3 12:02:07 UTC 2017 

On Fri, 30 Jun 2017 at 15:18:16 -0700, Diane Trout wrote:
> Though I also saw the tor-browser apparmor policy deny access to the
> flatpak resources, and so thought other software might also be scanning
> for flatpak resources. (And I just don't have them contained)

Flatpak inserts its exports directories into $XDG_DATA_DIRS, so that
anything that asks questions like "what applications do I have installed?",
"which applications can handle application/pdf files?" or "what is the icon
for Evince?" will take those exports directories into account when it
answers them. Applications like Firefox are not explicitly searching
for Flatpak, they are just searching for any launchable application.

There is not much conceptual difference between an app managed by
Flatpak (desktop file at
/var/lib/flatpak/exports/share/applications/org.gnome.Evince.desktop)
and an app managed by GNU stow or manual installation (desktop file at
/usr/local/share/applications/org.gnome.Evince.desktop). There is also
not a whole lot of conceptual difference between those and an app managed
by dpkg (/usr/share/applications/org.gnome.Evince.desktop).

Similar things are probably true for other app frameworks like Snap.

> Given the other abstractions like fonts or dbus, I thought a flatpak
> abstraction might make sense.

For the sake of a concrete example, I'm going to assume you are getting
AppArmor denials from Firefox because it accesses the .desktop file
for Evince, which you installed through Flatpak, when deciding how
to open a PDF. Please substitute as appropriate.

Whether Evince is managed and sandboxed by Flatpak is only a fact about
Evince, not a fact about Firefox and other apps that might see it when they
iterate through $XDG_DATA_DIRS. Firefox doesn't know or care about Flatpak:
all it wants to do is find something that it can invoke to view PDFs.

The more appropriate abstraction to include in Firefox's profile would be
something more like <abstractions/freedesktop-applications>, reflecting
the fact that Firefox uses the Desktop Entry Specification to find
potential file-opening handlers by looking up a MIME type.

    S

More information about the pkg-apparmor-team mailing list