jeremiejig, thanks for your work on this. I think I am going to solve it in a different way however. It would be nice if AppArmor could merge profiles, but we can't yet, so we need to do like you initially did: have two mostly identical profiles. Because the lightdm remote sessions are shipping policy copies, the maintenance cost is getting high. I will be abstracting out the guest rules into abstracations/lightdm and then have a small snippet using a child profile in abstractions/lightdm_chromium-browser. The guest and remote lightdm profiles can just include these and all the policy is in the abstractions. Using a lightdm.d directory is a good idea, but upstream AppArmor is currently discussing how to best handle .d directories like this, and I'd rather not add another one until that discussions is finished.
jeremiejig, thanks for your work on this. I think I am going to solve it in a different way however. It would be nice if AppArmor could merge profiles, but we can't yet, so we need to do like you initially did: have two mostly identical profiles. Because the lightdm remote sessions are shipping policy copies, the maintenance cost is getting high. I will be abstracting out the guest rules into abstracations/ lightdm and then have a small snippet using a child profile in abstractions/ lightdm_ chromium- browser. The guest and remote lightdm profiles can just include these and all the policy is in the abstractions. Using a lightdm.d directory is a good idea, but upstream AppArmor is currently discussing how to best handle .d directories like this, and I'd rather not add another one until that discussions is finished.