From 3d4f6992f5917036d48e797ba8ea043398f3872c Mon Sep 17 00:00:00 2001
From: John Johansen
Date: Fri, 1 Oct 2021 09:58:27 +0000
Subject: [PATCH] Create flatpak

---
 flatpak.md | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 flatpak.md

diff --git a/flatpak.md b/flatpak.md
new file mode 100644
index 0000000..e7d4c44
--- /dev/null
+++ b/flatpak.md
@@ -0,0 +1,68 @@
+# Introduction
+
+Flatpak uses bubblewrap to sandbox its applications. Unfortunately bubblewrap causes several problems for AppArmor and makes use of AppArmor with flatpaks more difficult than regular applications.
+
+# Confining Bubble wrap applications
+
+## Discovering flatpak application paths
+
+Flatpak applications are launched using the flatpak command. To discover
+
+```
+flatpak list
+```
+
+```
+flatpak run org.gnome.Aisleriot
+```
+
+```
+include
+
+profile flatpak /usr/bin/flatpak flags=(complain, attach_disconnected) {
+
+ rwmk /{**,},
+ unix,
+
+ cx /usr/bin/bwrap -> bwrap,
+
+ profile bwrap flags=(attach_disconnected) {
+ capability sys_admin,
+ capability sys_ptrace,
+ capability setpcap,
+ capability net_admin,
+ capability dac_override,
+
+ ptrace peer=flatpak//bwrap,
+ mount,
+ umount,
+ pivot_root,
+
+ rwmk /{**,},
+ unix,
+ network netlink,
+
+ # either inherit or stack because of no-new-privs
+ px /usr/bin/xdg-dbus-proxy -> flatpak//bwrap//&flatpak//dbus-proxy,
+
+ }
+
+ profile dbus-proxy flags=(complain, attach_disconnected) {
+ rwmk /**,
+ unix,
+ }
+
+}
+
+```
+
+##
+
+
+
+##
+
+
+# Issues
+- namespacing
+- no-new-privs
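Review bot: The `bwrap` child profile is the only one without `complain`, yet it grants `capability sys_admin`, unrestricted `mount`, `umount` and `pivot_root`, and `rwmk /{**,}` on the whole filesystem, so it enforces almost nothing; the page should say so before a reader copies it. A line such as `This profile is a discovery/starting-point profile: the bwrap child is deliberately wide open so that flatpak launches succeed while logs are collected, and it does not confine the sandboxed application.` above the fenced profile would make that explicit, and the "# Issues" list could name the wide `rwmk /{**,}` and `sys_admin` grants as the items still to be narrowed. The bare `include` line at the top of the profile has no target; it looks like the usual `#include <tunables/global>` lost its angle-bracket argument, which should be confirmed and restored in the text. The sentence "Flatpak applications are launched using the flatpak command. To discover" is cut off and the two empty `##` headings are placeholders, which leaves the reader without the promised explanation of how `flatpak list` and `flatpak run` relate to the profile paths.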