:: Re: [DNG] Apparmor Excalibur issues
Author: Lars Noodén
Date:  
To: dng
Subject: Re: [DNG] Apparmor Excalibur issues
On 2/23/26 12:27, Kevin Chadwick via Dng wrote:
>
> -------- Original Message --------
>
>>
>> Some claim make a report against AppArmor, some say report it against the
>> application package.
>
> It would be great if Linux moved forward on the pledge front. The developer and
> application is best placed to decide how to restrict itself. On the other hand
> some devs wouldn't do it like I'm betting 7-zip. Sandboxing only really helps on
> simple programs without much access to executing C binaries anyway and is an
> easily broken false sense of security otherwise.


It would be a matter of getting those controlling the corporate money on
board, something which has gone the opposite direction, as that seems to
determine the direction of development these days.

There was an interest in improving AppArmor a decade or so ago but the
actual work was stalled. Notice that AppArmor still has only file
system access control and that networking is simply on or off. Also,
the generic profiles provided by packages tend to be so loose as to be
useless.

You have to write your own AppArmor profiles for either the desktop or
server applications to match your own particular use cases. For certain
tools, AppArmor profiles are quite easy to make. For others,
specifically Firefox, it is difficult. I have a number of AppArmor
profiles here but not a working Firefox profile. If anyone has one and
is willing to share, I'd like to take a look.

/Lars