Update flatpak

flatpak.md

@@ -6,17 +6,32 @@ Flatpak uses bubblewrap to sandbox its applications. Unfortunately bubblewrap ca
 
 ## Discovering flatpak application paths
 
-Flatpak applications are launched using the flatpak command. To discover
+Flatpak applications are launched using the flatpak command. However the name passed to the flatpak command is different than the actual binary name. For the following example we will use Aisleriot from flathub.
+
+To see the application name use the ```flatpak list``` command
 
 ```
-flatpak list
+$ flatpak list
+Name                   Application ID              Version Branch Installation
+Mesa                   …esktop.Platform.GL.default 21.1.7  20.08  system
+openh264               …edesktop.Platform.openh264 2.1.0   2.0    system
+Aisleriot Solitaire    org.gnome.Aisleriot         3.22.13 stable system
+GNOME Application Pla… org.gnome.Platform                  40     system
+
 ```
 
+To run it use the ```flatpak run``` command with Application ID
+
 ```
 flatpak run org.gnome.Aisleriot
 ```
 
+This however does not reveal the application name that is needed to setup a profile to confine the application.
+
+To do this we can setup a basic profile on flatpak itself
+
 ```
+$ cat flatpak.profile
 include <tunables/kernelvars>
 
 profile flatpak /usr/bin/flatpak flags=(complain, attach_disconnected) {
@@ -53,12 +68,52 @@ profile flatpak /usr/bin/flatpak flags=(complain, attach_disconnected) {
   }
 
 }
-
 ```
 
-##
+The profile can be loaded using the ```apparmor_parser``` 
+```
+sudo apparmor_parser -r flatpak.profile
+```
 
+or by putting the profile in ```/etc/apparmor.d/``` and either reloading policy using your systems init system. Eg. for systemd
 
+```
+systemctl reload apparmor
+```
+
+or rebooting your system. Once the profile is loaded the ```flatpak run``` command can be used to discover the actual application path
+
+```
+$ flatpak run org.gnome.Aisleriot
+$ sudo dmesg | grep DENIED
+[13373.719982] audit: type=1400 audit(1633083236.125:4724): apparmor="DENIED" operation="exec" profile="flatpak//bwrap" name="/app/bin/sol" pid=6365 comm="bwrap" requested_mask="x" denied_mask="x" fsuid=1000 ouid=0
+```
+
+A profile for the flatpak can now be created.
+
+## Creating a profile for a flatpak application
+
+After discovering the application path it is possible to create a profile. The flatpak, and bwrap profiles can be removed from the kernel or left in place. If left in place they will need to be updated to include a stacking transition for the applications profile. For the AisleRot application the new transition rule would be added to the bwrap profile and would look like
+
+```
+px /app/bin/sol -> flatpak//bwrap//&sol,
+```
+
+Leaving the flatpak profile in place could also have other affects on profile rule for the application not covered here so it is recommended that the flatpack profile be removed when not discovering flatpak application paths.
+
+```
+$ sudo apparmor_parser -R flatpak.profile
+```
+
+### Create the base profile
+
+An empty profile in complain mode can now be created and loaded into the kernel, and regular policy development techniques can be used. It is important to note that flatpak applications require the ```attach_disconneted``` profile flag.
+
+```
+profile sol flags=(complain, attach_disconnected) {
+
+}
+```
 
 ##