No, the chromium and firefox profiles can be fixed. However the current fixes are not ideal. Basically apparmor currently needs to allow capability sys_admin and a few other dangerous privileges in the base profile.

This is not due to the complexity of the sandbox model but because the linux namespace code does not provide the LSM the hooks/information for apparmor to be able to set up a separate profile for the user namespace chrome is setting up for its sandbox. Once the kernel is fixed, apparmor policy will handle chrome/chromium just fine without the less than ideal fix.

-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1658943

Title:
  aa-notify blocks desktop with garbage notifications

Status in AppArmor:
  Confirmed
Status in apparmor package in Ubuntu:
  Confirmed

Bug description:
  Hi,

  aa-notify is highly annoying. Unfortunately the apparmor profiles of firefox and chromium-browser are poorly maintained and cause dozens, hundreds, thousands of log messages for denied access, in most cases the same message again and again. aa-notify then throws dozens, hundreds of notification tiles on the desktop, sometimes faster than one can click them to go away, thus rendering the desktop unusable, making windows invisible. It is broken by design to throw unlimited numbers of notifications on the user interface.
  regards

  ProblemType: Bug
  DistroRelease: Ubuntu 16.10
  Package: apparmor-notify 2.10.95-4ubuntu5.1
  ProcVersionSignature: Ubuntu 4.8.0-34.36-generic 4.8.11
  Uname: Linux 4.8.0-34-generic x86_64
  NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
  ApportVersion: 2.20.3-0ubuntu8.2
  Architecture: amd64
  CurrentDesktop: XFCE
  Date: Tue Jan 24 10:26:57 2017
  InstallationDate: Installed on 2016-04-22 (276 days ago)
  InstallationMedia: Lubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420)
  PackageArchitecture: all
  ProcKernelCmdline: BOOT_IMAGE=/vmlinuz-4.8.0-34-generic root=UUID=d0b47754-d5ca-49ec-8190-92a24e58e373 ro rootflags=subvol=@ nosplash noplymouth nomodeset text
  SourcePackage: apparmor
  Syslog:
  UpgradeStatus: Upgraded to yakkety on 2016-10-17 (99 days ago)
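A defender-side aggregator for the flood the reporter describes, added here as an example (not code from the bug report, aa-notify or the AppArmor project): it collapses repeated identical AppArmor DENIED audit lines into one record per distinct denial with a count and time span, so a notifier would emit one tile per distinct denial rather than one per event. The audit lines are constructed for the example; the field names follow the kernel's AppArmor audit format.

```python
import re

# Constructed sample audit lines (not from the bug report): one firefox denial
# repeated three times, one chromium sys_admin capability denial, one ALLOWED event.
SAMPLE_LOG = """\
type=AVC msg=audit(1485253617.101:3001): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/proc/4242/stat" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1485253617.102:3002): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/proc/4242/stat" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1485253618.500:3003): apparmor="DENIED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/proc/4242/stat" pid=4242 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
type=AVC msg=audit(1485253619.000:3004): apparmor="DENIED" operation="capable" profile="/usr/lib/chromium-browser/chromium-browser" pid=5151 comm="chromium-browse" capability=21 capname="sys_admin"
type=AVC msg=audit(1485253619.100:3005): apparmor="ALLOWED" operation="open" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/etc/hosts" pid=4242 comm="firefox" requested_mask="r" denied_mask="r"
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')        # key=value or key="quoted value"
TS_RE = re.compile(r'msg=audit\((\d+)\.\d+:\d+\)')  # seconds part of the audit timestamp

def parse_line(line):
    """Return the key=value fields of one audit line as a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def dedupe_denials(log_text):
    """Group DENIED events by (profile, operation, name or capname, denied_mask).
    Each group records how often it fired and the first/last timestamp seen."""
    groups = {}
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields.get("apparmor") != "DENIED":
            continue  # ALLOWED/AUDIT events are not denials and need no tile
        m = TS_RE.search(line)
        ts = int(m.group(1)) if m else 0
        key = (fields.get("profile"), fields.get("operation"),
               fields.get("name") or fields.get("capname"), fields.get("denied_mask"))
        g = groups.setdefault(key, {"count": 0, "first": ts, "last": ts})
        g["count"] += 1
        g["first"] = min(g["first"], ts)
        g["last"] = max(g["last"], ts)
    return groups

def summarize(groups):
    """One human-readable line per distinct denial, most frequent first."""
    return [f'{v["count"]}x {k[1]} {k[2]} ({k[3] or "-"}) by {k[0]}'
            for k, v in sorted(groups.items(), key=lambda kv: -kv[1]["count"])]

if __name__ == "__main__":
    for line in summarize(dedupe_denials(SAMPLE_LOG)):
        print(line)
```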