# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# Default profile for all flatpak applications. Ideally, this profile should be
# generated by flatpak itself with settings from the flatpak manifest and
# fully separated from bwrap.

# Note: This profile used to be split in two (flatpak-bwrap & flatpak-app) in order
# to separate bwrap from the sandboxed app itself. This caused issues with
# zypak-sandbox, so the profiles have been merged. Moreover, to install
# some applications, flatpak needs write access to the sandbox content. This is
# done through bwrap and therefore in this profile.
#
# 1. All of this will have to be improved. However, as of today, it is the only
#    way to not break some (major) flatpak app.
# 2. It is not a big deal as flatpak is responsible for the sandbox anyway.
#    This profile is only defence in depth.
# 3. The main purpose of this profile is to ensure all processes are confined.

# Policy-language ABI this profile is written against (must stay first).
abi <abi/4.0>,

# NOTE(review): @{bin}, @{lib}, @{run}, @{word} and @{rand6} used below are
# expected to come from this include -- confirm none of them is left undefined.
include <tunables/global>

# Flatpak application ID: three dot-separated words plus an optional fourth
# component (e.g. org.example.App or org.example.App.Extra).
# NOTE(review): not referenced anywhere in this profile body; presumably
# consumed by the included abstractions -- confirm, or drop the variable.
@{appid} = @{word}.@{word}.@{word}{,.@{word}}

# bwrap is the attachment point: flatpak spawns it to build the sandbox and,
# because the exec rules below use 'ix', the sandboxed application then keeps
# running under this very same profile.
@{exec_path} = @{bin}/bwrap
# Prefix under which AppArmor re-attaches "disconnected" paths (files bwrap's
# mount namespace hides from the host view); see attach_disconnected.path below.
@{att} = /att/flatpak-app/
# Profile flags:
#  - attach_disconnected / attach_disconnected.path=@{att}: bwrap builds a new
#    mount namespace, so many paths are disconnected from the host view; they
#    are re-attached under @{att} so the rules below can still match them.
#  - mediate_deleted: keep mediating files that were unlinked while still open.
#  - complain: violations are LOGGED, NOT DENIED. While this flag is set the
#    profile restricts nothing; it only labels bwrap and its children (point 3
#    in the header) and records what an enforcing profile would have to allow.
#    Every rule in this file is therefore currently an audit filter, not a
#    boundary. Drop the flag only once the audit log is clean for the
#    applications that matter.
profile flatpak-app  flags=(attach_disconnected,attach_disconnected.path=@{att},mediate_deleted,complain) {
  include <abstractions/attached/base>
  include <abstractions/app/flatpak>
  include <abstractions/bwrap>

  # Capabilities are granted to the whole profile, i.e. to bwrap AND to the
  # sandboxed application it execs ('ix' below keeps the same label). Whether
  # the app can actually use them depends on bwrap dropping them from the
  # bounding set, which this profile cannot express.
  capability sys_resource,    # NOTE(review): presumably rlimit/namespace setup by bwrap -- confirm.
  capability setuid,          # Needed when bwrap is setup with setuid privileges.

  # The flatpak CLI may deliver ANY signal; the portal and the session helper
  # are limited to INT/TERM.
  signal receive peer=flatpak,
  signal receive set=(int term) peer=flatpak-portal,
  signal receive set=(int term) peer=flatpak-session-helper,

  # Session-bus traffic, either straight to dbus-session or via the
  # xdg-dbus-proxy peer; peers are identified by their AppArmor label.
  unix type=seqpacket peer=(label=dbus-session),
  unix type=seqpacket peer=(label=xdg-dbus-proxy),

  @{exec_path} mr,

  # Everything executable inside the sandbox. 'ix' (inherit) keeps every child
  # under THIS profile -- that is what makes "all processes are confined" hold
  # -- but it also hands the application exactly the same, very broad
  # permission set as bwrap. 'm' permits PROT_EXEC mappings (shared objects).
  @{bin}/**                            rmix,
  @{lib}/**                            rmix,
  /app/**                              rmix,
  /usr/plugins/**                      rmix,
  /usr/share/flatpak/triggers/*        rix,
  /usr/share/runtime/**                rmix,

  # NOTE(review): @{run}/parent/ looks like a parent runtime tree re-exposed
  # inside the sandbox -- confirm against the bwrap arguments flatpak passes.
  @{run}/parent/@{bin}/**              rmix,
  @{run}/parent/@{lib}/**              rmix,
  @{run}/parent/app/**                 rmix,

  # KDE KIO workers transition to their own profiles ('px'). This is a discrete
  # transition: if the kioslave5/kioworker profile is not loaded the exec is
  # refused instead of silently inheriting this one.
  @{lib}/kf5/kioslave5                 rpx,
  @{lib}/kf6/kioworker                 rpx,

  # Write access to every directory under /etc (the trailing '/' matches
  # directories only, not the files inside them) plus /etc/shells.
  # NOTE(review): presumably the install-time "write access to the sandbox
  # content" from the header. Inside bwrap's mount namespace this should be
  # the sandbox's /etc rather than the host's, but the profile cannot tell the
  # two apart -- confirm, and narrow to the paths flatpak actually touches.
  /etc/**/ rw,
  /etc/shells rw,

  # Read + lock ('k') on the app/runtime marker files.
  # NOTE(review): presumably flatpak's way of pinning the deployed tree while
  # it is in use -- confirm.
  /app/.ref rk,
  /usr/.ref rk,

  # Temporary file created by bwrap with a 6-character random suffix, matched
  # at the filesystem root. NOTE(review): confirm bwrap really places it there.
  /bindfile@{rand6} rw,

  # Optional drop-ins (a missing file is not an error): site-wide, then local.
  include if exists <usr/flatpak-app.d>
  include if exists <local/flatpak-app>
}

# vim:syntax=apparmor
