Thank you for your reply!
The problem with annoying users is they will tend to just disable AppArmor, and, worse, will recommend this to other users whenever they hit an AppArmor restriction. That's something I'd really like to avoid.
Yes, it makes perfect sense. We all want to avoid a SELinux situation :-) I personnally did use it for a while, but most people I know are disabling it.
After probably disappointing you, I hope you are still interested in the profiles from lp:apparmor-profiles ;-)
No problem, I am happy to have your point of view which is very instructive! :-) I will keep playing with them but with a different approach. I am convinced that, while it is technically possible, we can never, in real life, implement this "white list" approach for any complex application. By white list, I mean trying to have a complete view of all features and actions that a given app is going to do on the system, and, based on that, trying to make a profile with allow/deny filters. We are doomed to spend enormous amount of times, forget some stuff or being too restrictive. This approach aims to prevent an exploit to escalate its privileges. Under this constraints, an attacker cannot go beyond the normal behavior of the compromised application. But I want to investigate another approach, because I think it does not make sense on the desktop. It does make sense on a server, because we want to avoid a privilege escalation on the OS, which could impact other services and help the attacker to maintain his access for a long time. However, it is a different story on the desktop. For instance, let's say my browser was compromised. As a user, do I really care if then the OS gets also compromised? Would it be even a priority for the attacker? Maybe, but in most cases, both will more care about the data, for instance what's in /home. So why not having a simpler approach of blacklisting confidential folders? I am thinking about that .ssh or EncFS folder that contains secrets I really care about. Such a setting would be easy to configure and, I guess, very understood by the average user. You can have such a setting in a file included in all profile, and you can make dummy packages for almost every application that just include this base file. I want to try such settings, which, along with notifications, would make a nice HIDS. What do you think about it? Best regards, Jean-Christophe