# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# Default profile for all flatpak applications. Ideally, this profile should be
# generated by flatpak itself with settings from the flatpak manifest.

# See abstractions/app/flatpak for more details about the security objectives.

# Policy ABI this profile is written against. The attach_disconnected.path
# flag used in the profile header depends on it.
abi <abi/4.0>,

# Shared variable definitions. @{word} and @{run} are used in this file but not
# defined here; presumably they come from this file (confirm).
include <tunables/global>

# Pattern for a flatpak application id: three dot-separated @{word} components
# with an optional fourth. Not referenced again in this file; presumably it is
# consumed by abstractions/app/flatpak, where it would determine which paths
# count as belonging to an application (confirm there).
@{appid} = @{word}.@{word}.@{word}{,.@{word}}

# Prefix handed to attach_disconnected.path in the profile flags and reused by
# the deny rules in the profile body.
@{att} = /att/fapp/
# Generic profile for flatpak applications. Apart from the two deny rules
# below, every rule comes from the included abstractions.
#
# Flags:
#   attach_disconnected, attach_disconnected.path=@{att}
#       Paths that cannot be resolved back to the namespace root are mediated
#       under the @{att} prefix instead of being attached at "/", so rules
#       written for ordinary paths do not match them by accident.
#   mediate_deleted
#       Access to deleted files remains subject to mediation.
#   complain
#       Accesses the policy does not allow are logged, not blocked. While this
#       flag is set the profile does not confine flatpak applications; only
#       the explicit deny rules below are still enforced.
profile fapp  flags=(attach_disconnected,attach_disconnected.path=@{att},mediate_deleted,complain) {
  # Base rules for profiles that use the @{att} disconnected-path prefix, then
  # the flatpak application policy itself (see the file header for where its
  # security objectives are documented).
  include <abstractions/attached/base>
  include <abstractions/app/flatpak>

  # Explicit deny rules take precedence over any allow rule, stay enforced in
  # complain mode, and are not logged unless prefixed with "audit".
  # They block reading the root of the disconnected-path prefix and the
  # .userns entry under @{run} as seen through that prefix.
  # NOTE(review): the reason for these two denials is not stated here; confirm
  # against abstractions/attached/base.
  deny @{att}/ r,
  deny @{att}@{run}/.userns r,

  # Optional site-local additions, loaded only when the file exists. Rules
  # placed there are merged into this profile and can widen what it allows;
  # the explicit denies above still win over a local allow.
  include if exists <local/fapp>
}

# vim:syntax=apparmor
