Create flatpak

flatpak.md

@@ -0,0 +1,68 @@
+# Introduction
+
+Flatpak uses bubblewrap to sandbox its applications. Unfortunately bubblewrap causes several problems for AppArmor and makes use of AppArmor with flatpaks more difficult than regular applications.
+
+# Confining Bubble wrap applications
+
+## Discovering flatpak application paths
+
+Flatpak applications are launched using the flatpak command. To discover
+
+```
+flatpak list
+```
+
+```
+flatpak run org.gnome.Aisleriot
+```
+
+```
+include <tunables/kernelvars>
+
+profile flatpak /usr/bin/flatpak flags=(complain, attach_disconnected) {
+
+  rwmk /{**,},
+  unix,
+
+  cx /usr/bin/bwrap -> bwrap,
+
+  profile bwrap flags=(attach_disconnected) {
+    capability sys_admin,
+    capability sys_ptrace,
+    capability setpcap,
+    capability net_admin,
+    capability dac_override,
+
+    ptrace peer=flatpak//bwrap,
+    mount,
+    umount,
+    pivot_root,
+
+    rwmk /{**,},
+    unix,
+    network netlink,
+
+    # either inherit or stack because of no-new-privs
+    px /usr/bin/xdg-dbus-proxy -> flatpak//bwrap//&flatpak//dbus-proxy,
+
+  }
+
+  profile dbus-proxy flags=(complain, attach_disconnected) {
+    rwmk /**,
+    unix,
+  }
+
+}
+
+```
+
+##
+
+
+
+##
+
+
+# Issues
+- namespacing
+- no-new-privs