# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2025 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# LOGPROF-SUGGEST: no
# NEEDS-VARIABLE: appid
# NEEDS-VARIABLE: att
# NEEDS-VARIABLE: profile_dbus

# Default rules for all flatpak applications. Ideally, they should be
# generated with settings from the flatpak metadata.
#
# Security objectives:
#
# 1. Split the sandbox handler (bwrap) from the app profile (fapp)
# 2. Provide defence in depth, as flatpak already provides a sandbox
# 3. The main purpose of this profile is to ensure all processes are confined
#
# Notable security improvements over no profile at all:
#
# - No capabilities (except `dac_override` & `dac_read_search`)
# - Restrict unix socket to profiles defined in apparmor.d
# - Limit dbus system communication to profiles defined in apparmor.d
# - Ensure flatpak-spawn and host-spawn are confined too
# - Filter `/proc/`, `/sys/` access
#
# Keep in mind that the profile is still common for all apps and is therefore
# way more permissive than a per-app profile would be.
#
# Abstractions in `abstractions/flatpak/` closely follow the sandbox defined by
# flatpak, and are therefore different from their host equivalents, as flatpak apps
# do not have access to the full host filesystem.

  abi <abi/4.0>,

  # Common sandbox rules shared by every flatpak application
  include <abstractions/flatpak/base>

  # The app base platform, similar to our desktop abstraction, but with flatpak paths
  include <abstractions/flatpak/platform/org.freedesktop>

  # Base app specific rules, they are all included as it is for a generic profile
  # (a per-app profile would only include the baseapp it actually builds on)
  include <abstractions/flatpak/baseapp/com.valvesoftware.Steam>
  include <abstractions/flatpak/baseapp/org.chromium.Chromium>
  include <abstractions/flatpak/baseapp/org.mozilla.firefox>

  # Flatpak devices '--device='
  include <abstractions/flatpak/devices/all>
  include <abstractions/flatpak/devices/shm>

  # Flatpak share (IPC, network) with the host '--share='
  include <abstractions/flatpak/shared/ipc>
  include <abstractions/flatpak/shared/network>

  # Flatpak sockets '--socket='
  include <abstractions/flatpak/sockets/cups>
  include <abstractions/flatpak/sockets/fallback-x11>
  include <abstractions/flatpak/sockets/gpg-agent>
  include <abstractions/flatpak/sockets/inherit-wayland-socket>
  include <abstractions/flatpak/sockets/pcsc>
  include <abstractions/flatpak/sockets/pulseaudio>
  include <abstractions/flatpak/sockets/session-bus>
  include <abstractions/flatpak/sockets/ssh-auth>
  include <abstractions/flatpak/sockets/system-bus>
  include <abstractions/flatpak/sockets/wayland>
  include <abstractions/flatpak/sockets/x11>

  # Flatpak features '--feature='
  include <abstractions/flatpak/features/bluetooth>
  include <abstractions/flatpak/features/canbus>
  include <abstractions/flatpak/features/devel>
  include <abstractions/flatpak/features/multiarch>
  include <abstractions/flatpak/features/per-app-dev-shm>

  # Flatpak filesystem access '--filesystem='
  # As a generic profile cannot filter the filesystem for each app, this gives
  # full access to the user's home, and read only access to host system files,
  # within the limit of what is allowed by flatpak.
  include <abstractions/flatpak/filesystem>

  # System bus: all system dbus interfaces a flatpak app can access
  include <abstractions/avahi-observe>
  include <abstractions/bluetooth-observe>
  include <abstractions/bus/system/org.freedesktop.hostname1>
  include <abstractions/bus/system/org.freedesktop.login1>
  include <abstractions/bus/system/org.freedesktop.systemd1.Manager>
  include <abstractions/bus/system/org.freedesktop.UDisks2>
  include <abstractions/network-manager-observe>
  include <abstractions/upower-observe>

  # Signals are only exchanged with the app itself (fapp), its sandbox handler
  # (fbwrap) and the stacked fapp//&fbwrap label; no other peer is allowed.
  signal (send receive) peer=fapp,
  signal (send receive) peer=fapp//&fbwrap,
  signal (send receive) peer=fbwrap,

  # ptrace (read and trace) is limited to the same three labels, so the app
  # cannot inspect or attach to processes outside of its own sandbox.
  ptrace read peer=fapp,
  ptrace read peer=fapp//&fbwrap,
  ptrace read peer=fbwrap,
  ptrace trace peer=fapp,
  ptrace trace peer=fapp//&fbwrap,
  ptrace trace peer=fbwrap,

  # Abstract unix sockets: the app may bind/listen on any abstract name (@*).
  unix (bind listen) type=seqpacket addr=@*,
  # Unix socket peers are limited to the labels listed below.
  # NOTE(review): the `unconfined` stream peer is the broadest rule in this
  # list; presumably required for host services that run without a profile,
  # confirm it is still needed.
  unix type=dgram     peer=(label=fbwrap),
  unix type=seqpacket peer=(label=fbwrap),
  unix type=stream    peer=(label=fbwrap),
  unix type=stream    peer=(label=flatpak),
  unix type=stream    peer=(label=gnome-keyring-daemon),
  unix type=stream    peer=(label=unconfined),
  unix type=stream    peer=(label=xdg-desktop-portal),

  # As a generic profile, we cannot restrict the session bus, and we trust flatpak on this.
  dbus bus=session,

  # apply_extra: write access under /app/extra/ for flatpak's extra-data step
  # (write only, no read/exec granted here)
  /app/extra/** w,

  # Local site overrides, only included when the file exists
  include if exists <abstractions/app/flatpak.d>

# vim:syntax=apparmor
