
New to Linux as well as sandboxing. I'm mainly trying to understand the differences between security layers and how LSMs interact with application sandboxes. I've read that the Snap sandbox, for example, relies on AppArmor to work properly, meaning the sandbox is "degraded" if SELinux is active instead of AppArmor. (https://en.wikipedia.org/wiki/Snap_(software))

It seems (correct me if I'm wrong) the Flatpak sandbox is self-contained and doesn't rely on a security module for isolation, but how does this work if SELinux is active as well and also providing security policies for application permissions? If both the Flatpak sandbox and SELinux are security layers that overlap in some of their goals (at least with regard to application security), are there issues because of "redundancy"? Do Flatpak apps (like Snap) run into issues with the sandbox being degraded when SELinux is active?

I'm hoping someone has some insight as to how Flatpak interacts with security modules on Linux because I think this will inform whether it's better to just install the distro package of an application as opposed to the Flatpak or Snap for new-to-Linux users like myself. Cheers!

no_clue

1 Answer


Do Flatpak apps (like Snap) run into issues with the sandbox being degraded when SELinux is active?

No, because the direct cause of the degradation (in the case of Snap) is not "SELinux is active" – it is specifically "AppArmor is inactive".

Snap does not conflict with SELinux, by itself, but the presence of SELinux leads to the absence of AppArmor which Snap's sandboxing is built around. So the Snap sandbox would also be degraded if AppArmor was absent for any other reason, but would not be degraded if both AppArmor and SELinux were present (which might be a possibility in the future).

Flatpak, on the other hand, does not build sandboxing around AppArmor, therefore absence of AppArmor – whether caused by the presence of SELinux or not – has no effect on its sandboxing.

(Flatpak mainly relies on container-style namespacing and seccomp syscall filtering for its sandboxing; e.g. instead of denying access to /home using AppArmor rules as Snap does, it is not mounted at all into a Flatpak app's namespace.)

grawity
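The checks a practitioner would run to confirm the answer above on their own machine, as an added example that is not part of the original question or answer: read the kernel's active-LSM list, derive from it whether Snap will report strict or partial confinement, and look inside a running Flatpak sandbox for the seccomp filter that bwrap applies regardless of which LSM is loaded. The `APPID` placeholder (defaulting to org.gnome.Calculator) is an assumption; substitute any installed Flatpak app id. The strict/partial mapping is a first-order approximation: Snap also needs specific AppArmor kernel features, so `snap debug confinement` remains the authoritative check.

```shell
#!/bin/sh
# Added example (not from the original post): check which LSMs are active,
# what that implies for Snap, and confirm a Flatpak app is confined by
# namespaces + seccomp rather than by an LSM.

# Classify expected Snap confinement from the kernel's active-LSM list
# (the comma-separated contents of /sys/kernel/security/lsm).
# "strict" when apparmor is loaded; "partial" otherwise. Note that the
# presence of selinux in the list does not matter by itself.
snap_confinement_for_lsm_list() {
  case ",$1," in
    *,apparmor,*) echo strict ;;
    *)            echo partial ;;
  esac
}

# Extract the seccomp mode from the text of a /proc/<pid>/status file.
# 0 = disabled, 1 = strict, 2 = SECCOMP_MODE_FILTER (what bwrap/Flatpak uses).
flatpak_seccomp_mode_from_status() {
  printf '%s\n' "$1" | awk '/^Seccomp:/ { print $2; exit }'
}

# Live checks. Each is skipped when the component is absent, so the script
# also runs on a machine with neither snap nor flatpak installed.
if [ -r /sys/kernel/security/lsm ]; then
  lsms=$(cat /sys/kernel/security/lsm)
  echo "active LSMs: $lsms"
  echo "expected Snap confinement: $(snap_confinement_for_lsm_list "$lsms")"
fi

if command -v snap >/dev/null 2>&1; then
  # snapd's own verdict ("strict" or "partial")
  echo "snap reports: $(snap debug confinement 2>/dev/null || echo unavailable)"
fi

APPID=${APPID:-org.gnome.Calculator}   # assumed app id; change as needed
if command -v flatpak >/dev/null 2>&1 && flatpak info "$APPID" >/dev/null 2>&1; then
  # Run a process inside the app's sandbox and read its own status file.
  status=$(flatpak run --command=cat "$APPID" /proc/self/status)
  echo "seccomp mode inside $APPID: $(flatpak_seccomp_mode_from_status "$status")"
  # Static view of what the sandbox exposes (look at the filesystems= line).
  flatpak info --show-permissions "$APPID"
fi
```

If `snap debug confinement` prints `partial` while the LSM list contains `selinux` but not `apparmor`, that is exactly the degradation the question describes; the Flatpak process will still show `Seccomp: 2` on the same machine, because nothing in its sandbox depends on AppArmor being loaded.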