apparmor.d/apparmor.d/profiles-a-f/flatpak-app

# apparmor.d - Full set of apparmor profiles
# Copyright (C) 2023 Alexandre Pujol <alexandre@pujol.io>
# SPDX-License-Identifier: GPL-2.0-only
# Default profile for all flatpak applications. Ideally, this profile should be
# generated by flatpak itself with settings from the flatpak manifest.
abi <abi/3.0>,
include <tunables/global>
# Profile "flatpak-app": the default confinement for flatpak applications.
# Flags:
#   attach_disconnected - paths that cannot be resolved inside the task's
#                         namespace are attached to the root instead of
#                         being rejected.
#   mediate_deleted     - files that were already unlinked stay mediated.
# NOTE(review): with attach_disconnected, a disconnected object is matched
# as if it lived under "/", so the file rules below may apply to objects
# from outside the sandbox's mount namespace - confirm this is intended.
profile flatpak-app flags=(attach_disconnected,mediate_deleted) {
# Shared rule sets. The content of bwrap-app is not visible here; any file
# access not listed in this profile (home, devices, IPC sockets) presumably
# comes from it - review it together with this profile.
include <abstractions/base>
include <abstractions/bwrap-app>
# Networking: IPv4 and IPv6 datagram and stream sockets, plus raw netlink.
# The rules name only the address family and socket type, so every
# application under this profile gets the same network access regardless of
# what its manifest declares (see the header comment of this file).
network inet dgram,
network inet6 dgram,
network inet stream,
network inet6 stream,
network netlink raw,
# ptrace and signal: no access list is given, so all ptrace permissions and
# all signals are allowed, but only toward a peer whose label is the stack
# flatpak-app//&flatpak-bwrap ("//&" is the label-stacking separator).
ptrace peer=flatpak-app//&flatpak-bwrap,
signal peer=flatpak-app//&flatpak-bwrap,
# File access. r = read, m = executable mmap, ix = execute and stay in this
# same profile. Because ix is granted on whole trees, everything the
# application launches from them runs under these rules; no transition to a
# tighter profile happens, so this profile is the effective boundary for
# child processes as well.
# @{bin} and @{lib} are tunables defined outside this file.
@{bin}/** rmix,
@{lib}/** rmix,
# Presumably the application's own files as mounted inside the sandbox -
# confirm against the bwrap setup.
/app/** rmix,
# Read-only view of the installed applications and of flatpak's runtime
# directory; {,**} matches the directory itself and everything below it.
/var/lib/flatpak/app/{,**} r,
@{run}/flatpak/{,**} r,
# Optional additions, loaded only when present. Rules placed there are
# merged into this profile, so these locations should stay writable by
# root only.
include if exists <usr/flatpak-app.d>
include if exists <local/flatpak-app>
}