AppArmor

Merge lp://qastaging/~intrigeri/apparmor/flatpak-exports into lp://qastaging/apparmor/2.12

  1. flatpak-exports
  2. Merge into master
Proposed by intrigeri
Status: Work in progress
Proposed branch: lp://qastaging/~intrigeri/apparmor/flatpak-exports
Merge into: lp://qastaging/apparmor/2.12
Diff against target: 53 lines (+16/-14)
1 file modified
profiles/apparmor.d/abstractions/freedesktop.org (+16/-14)
To merge this branch: bzr merge lp://qastaging/~intrigeri/apparmor/flatpak-exports
Reviewer Review Type Date Requested Status
intrigeri Disapprove
AppArmor Developers Pending
Review via email: mp+331056@code.qastaging.launchpad.net
To post a comment you must log in.
lp://qastaging/~intrigeri/apparmor/flatpak-exports updated
3711. By intrigeri

abstractions/freedesktop.org: fixup.

Revision history for this message
Christian Boltz (cboltz) wrote :

Minor nitpicking: The .../share/icons/ rules are the only one where you use separate rules instead of alternations. If there isn't a special reason for this, I'd prefer to use the same style everywhere ;-)

Reply
Revision history for this message
Simon McVittie (smcv) wrote :

> + /{usr,usr/local,var/lib/flatpak/exports}/share/applications/{*/,} r,

I'm not sure this actually works. Have you tested it against a real Flatpak installation?

% ls -l ~/.local/share/flatpak/exports/share/applications
total 12
-rw-r--r-- ... mimeinfo.cache
lrwxrwxrwx ... org.debian.packages.openarena.desktop -> ../../../app/org.debian.packages.openarena/current/active/export/share/applications/org.debian.packages.openarena.desktop
lrwxrwxrwx ... org.gnome.PortalTest.desktop -> ../../../app/org.gnome.PortalTest/current/active/export/share/applications/org.gnome.PortalTest.desktop

% echo ~/.local/share/flatpak/exports/share/applications/* | xargs realpath
/home/smcv/.local/share/flatpak/exports/share/applications/mimeinfo.cache
/home/smcv/.local/share/flatpak/app/org.debian.packages.openarena/x86_64/master/250c091b6c9b2710c5804eee7f9ce923502cc04709f4cdbbc4e22cc522c9ab0f/export/share/applications/org.debian.packages.openarena.desktop
/home/smcv/.local/share/flatpak/app/org.gnome.PortalTest/x86_64/master/e12fd48e6eea5033481e7577ee2ea46d43a8a4bf9c67394631ab23fa287c18a7/export/share/applications/org.gnome.PortalTest.desktop

Other exports work similarly.

So I think this actually needs something like

{usr,usr/local,var/lib/flatpak/exports,var/lib/flatpak/{app,runtime}/*/*/*/*/export}/share/applications etc.

and

.local/share/{,flatpak/exports/share/,flatpak/{app,runtime}/*/*/*/*/export/}applications etc.

where the */*/*/* matches NAME/ARCH/BRANCH/COMMIT.

Reply
Revision history for this message
intrigeri (intrigeri) wrote :

I'll go back to the drawing board. Sorry folks for wasting your time!

review: Needs Fixing
Reply
Revision history for this message
intrigeri (intrigeri) wrote :

Superseded by https://gitlab.com/apparmor/apparmor/merge_requests/71. Simon, could you please take a look?

Reply
Revision history for this message
intrigeri (intrigeri) :
review: Disapprove
Reply

Unmerged revisions

3711. By intrigeri

abstractions/freedesktop.org: fixup.

3710. By intrigeri

abstractions/freedesktop.org: treat Flatpak exports the same way as bits shipped by the distro (Closes: Debian#865206).

As Simon McVittie <email address hidden> wrote on
https://bugs.debian.org/865206 and on the AppArmor mailing list:

"Anything in /var/lib/flatpak/exports/share or
~/.local/share/flatpak/exports/share is essentially equivalent to
the corresponding path in /usr/{local/,}share, and is something
that has deliberately been "exported" to the rest of the system by a
Flatpak-confined app.

The only reason to prevent reading those directories would be if you do
not want the AppArmor-confined app to be able to enumerate the other
software you have installed on your system, as an anti-fingerprinting
mechanism."

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
The diff is not available at this time. You can reload the page or download it.

Subscribers

People subscribed via source and target branches