Comment 6 for bug 1658943

No, the chromium and firefox profiles can be fixed. However the current fixes are not ideal. Basically apparmor currently needs to allow capability sys_admin and a few other dangerous privileges in the base profile.

This is not do to the complexity of the sandbox model but because the linux namespace code does not provide the LSM the hooks/information for apparmor to be able to setup a separate profile for the user namespace chrome is setting up for its sandbox. Once the kernel is fixed, apparmor policy will handle the chrome/chromium just fine without the less than ideal fix.