No, the Chromium and Firefox profiles can be fixed. However, the current fixes are not ideal. Basically, AppArmor currently needs to allow capability sys_admin and a few other dangerous privileges in the base profile.
This is not due to the complexity of the sandbox model but because the Linux namespace code does not provide the LSM the hooks/information for AppArmor to be able to set up a separate profile for the user namespace Chrome is setting up for its sandbox. Once the kernel is fixed, AppArmor policy will handle the Chrome/Chromium just fine without the less-than-ideal fix.

https://bugs.launchpad.net/bugs/1658943
Title: aa-notify blocks desktop with garbage notifications
