# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023-2024 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only

# Default profile for all flatpak applications. Ideally, this profile should be
# generated by flatpak itself with settings from the flatpak manifest and
# fully separated from bwrap.

# Note: This profile used to be split in two (flatpak-bwrap & flatpak-app) in order
# to separate bwrap from the sandboxed app itself. It was generating issues with
# zypak-sandbox, therefore the profiles have been merged. Meanwhile, to install
# some applications, flatpak needs write access to the sandbox content. This is
# done through bwrap and therefore in this profile.
#
# 1. All of this will have to be improved. However, as of today, it is the only
#    way to not break some (major) flatpak apps.
# 2. It is not a big deal as flatpak is responsible for the sandbox anyway.
#    This is only defence in depth.
# 3. The main purpose of this profile is to ensure all processes are confined.

abi <abi/4.0>,

include <tunables/global>

# Prefix under which paths that are disconnected from the root namespace
# (e.g. files inside the bwrap mount namespace) are reported; see the
# attach_disconnected.path flag below and the @{att}@{HOME} rule further down.
@{att} = /att/flatpak-app/
# Flags: attach_disconnected (+ .path) re-attaches disconnected paths under
# @{att}; mediate_deleted keeps mediating files after unlink; complain means
# denials are only logged, not enforced, so this profile currently acts as an
# audit net rather than a hard boundary (cf. header note 2 and 3).
profile flatpak-app  flags=(attach_disconnected,attach_disconnected.path=@{att},mediate_deleted,complain) {
  include <abstractions/attached/base>
  include <abstractions/bus-system>
  include <abstractions/common/app>
  include <abstractions/bwrap>

  # dac_override / dac_read_search let the confined process bypass DAC
  # (file mode bit) checks; together with setuid these are the broadest
  # grants in this profile and are the ones to revisit first.
  capability dac_override,
  capability dac_read_search,
  capability setuid,          # Needed when bwrap is setup with setuid privileges.
  capability sys_resource,

  network inet dgram,
  network inet6 dgram,
  network inet stream,
  network inet6 stream,
  network netlink dgram,
  network netlink raw,
  network unix stream,

  # Tracing is restricted to peers confined by this same profile, i.e. other
  # flatpak processes; no trace access to unconfined or differently-labelled tasks.
  ptrace read,
  ptrace trace peer=flatpak-app,

  signal receive peer=flatpak,
  signal receive set=(int term) peer=flatpak-portal,
  signal receive set=(int term) peer=flatpak-session-helper,

  # Seqpacket sockets are only allowed with the labelled D-Bus peers; the
  # unconfined variant is intentionally left disabled.
  unix type=seqpacket peer=(label=dbus-session),
  # unix type=seqpacket peer=(label=unconfined),
  unix type=seqpacket peer=(label=xdg-dbus-proxy),

  # Execution of runtime, app and plugin content stays in this profile (ix),
  # which is what keeps every child process confined (header note 3).
  @{bin}/**                            rmix,
  @{lib}/**                            rmix,
  /app/**                              rmix,
  /usr/plugins/**                      rmix,
  /usr/share/flatpak/triggers/*        rix,
  /usr/share/runtime/**                rmix,
  /var/lib/flatpak/app/*/**/@{bin}/**  rmix,
  /var/lib/flatpak/app/*/**/@{lib}/**  rmix,

  # @{rand6} is the random-suffix tunable from tunables/global (presumably six
  # characters) — matches zypak/Chromium per-instance files; confirm against the tunable.
  @{run}/flatpak/app/*/.org.chromium.Chromium.@{rand6} rm,
  @{run}/flatpak/app/*/**so*           rm,
  @{run}/parent/@{bin}/**              rmix,
  @{run}/parent/@{lib}/**              rmix,
  @{run}/parent/app/**                 rmix,

  # Post-install triggers run in a stacked profile (flatpak-app//&<tool>) so they
  # are confined by both this profile and the tool's own profile.
  @{bin}/gtk{,4}-update-icon-cache     rpx -> flatpak-app//&gtk-update-icon-cache,
  @{bin}/update-desktop-database       rpx -> flatpak-app//&update-desktop-database,
  @{bin}/update-mime-database          rpx -> flatpak-app//&update-mime-database,
  @{bin}/xdg-dbus-proxy                rpx -> flatpak-app//&xdg-dbus-proxy,

  # KDE IO workers transition to their own profile (px), not stacked.
  @{lib}/kf5/kioslave5                 rpx,
  @{lib}/kf6/kioworker                 rpx,

  # Trailing slash: matches directories only, so this grants rw on any
  # directory below /etc, not on the files inside them.
  /etc/**/ rw,
  /etc/shells rw,

  /app/.ref rk,
  /app/extra/** rw,
  /app/lib/** rk,
  /bindfile@{rand6} rw,
  /usr/.ref rk,

  /var/lib/flatpak/app/{,**} r,
  # Write access to the host-visible exports tree (icons, desktop files);
  # this is the install-time write path mentioned in the header note.
  /var/lib/flatpak/exports/** rw,

  # App data seen through the disconnected-path prefix; owner-only.
  owner @{att}@{HOME}/.var/app/** rwlkmix,

        @{run}/parent/** r,
        @{run}/parent/app/.ref rk,
        @{run}/parent/usr/.ref rk,
  owner @{run}/flatpak/{,**} rk,
  owner @{run}/flatpak/app/** rw,
  owner @{run}/flatpak/doc/** rw,
  owner @{run}/ld-so-cache-dir/* rw,
  owner @{run}/user/ r,

  # NOTE(review): read-only access to the ntsync device; which apps need it is
  # not documented here — confirm before widening.
  /dev/ntsync r,

  include if exists <usr/flatpak-app.d>
  include if exists <local/flatpak-app>
}

# vim:syntax=apparmor
