When I look in your example profile, I see Cx somewhere and you define the profile for the child process within the main profile file, right? Thus you don't need several profile files, you can put the child's profile right into the main profile file, right?
Basically right.
When using Px or px you have to create a separate profile file for the corresponding application, right? This way, the application is always confined, no matter if called from within another profile or invoked solely, right? For example I plan to confine gpg, thus it would be easier to use px and create a separate gpg profile that can be called from within other profiles, right?
BTW, sending a user agent with your mail user client may not be beneficial for security....
Who tells you that my header contains the user agent I'm actually using? ;-)
Indeed! You passed this test ;-)
Besides that, experts can often tell from small details in the other headers which mail client was used. Oh, and finally - I'm quite sure KMail does not have critical security issues (with HTML mode disabled). Maybe I'm just not paranoid enough to remove that header ;-)
"They" will always find holes to penetrate your system. Whoever "they" might be. This is why God (and SUSE) give us AppArmor :-)