Hi.

On Sat, Apr 06, 2019 at 09:30:11PM +0300, Georgios wrote:
> I would like to know how I can set up an apparmor profile of an
> application I run through flatpak.

It seems impossible. For instance, I've executed:

    flatpak install flathub com.dosbox.DOSBox

Along with the whole new root filesystem I've got this executable:

    /var/lib/flatpak/app/com.dosbox.DOSBox/x86_64/stable/aa1cdd7cf25ba150b5fbb0de0c46783ef0f645e99a48802a0d7194f60aafa8d2/files/bin/dosbox

Upon running:

    flatpak run com.dosbox.DOSBox

Among other things I've got a "dosbox" process with an executable pointing at:

    # ls -al /proc/6961/exe
    lrwxrwxrwx 1 user user 0 Apr 7 15:59 /proc/6961/exe -> /newroot/app/bin/dosbox

AppArmor is written in such a way that it requires an absolute pathname of the executable to apply its policy to. The problem is:

    aa-genprof /var/lib/flatpak/.../dosbox

Produces zero effect. Alternative approaches such as:

    aa-genprof /newroot/app/bin/dosbox

or

    nsenter -t 6961 aa-genprof /newroot/app/bin/dosbox

rightfully complain that:

    ERROR: /newroot/app/bin/dosbox does not exists, please double-check the path

Of course, what you could try is to apply an AppArmor policy to /usr/bin/bwrap (which executes all flatpak 'containers'), but it fails to generate any useful policy for me. Reco

