Comment 36 for bug 2046844

Scarlett, Simon and I had discussed preparing a small program that could prepare a wrapper profile: given a path to an appimage, it could emit a small profile to /etc/apparmor.d/ for the file, with the right attachment path and then load the profile.

As I understand our new strategy, it would probably also have to include whatever capabilities that appimage uses as part of setting up the new namespaces -- ideally, it'd be the same capabilities from appimage to appimage.

If there's some reasonable restraints on appimages, like using XDG_SOMETHING for user data storage, that might be nice, too. But that's harder to do.

Thanks