Quote: Originally Posted by teddks
Doesn't work with rix. I suppose I could write a profile for gnome-open, but pidgin's profile is just not good enough. I would need to give pidgin permissions for xdg-open, /etc/orbitrc, and dash, among other things.

As for the link: It seems that making a hard link to a symbolic link just causes it to resolve the symbolic link. Would making a script that called firefox with profile arguments work?
Not a script with apparmor profile arguments ...

You can write a script that calls firefox (with irx) and restrict firefox.

And yes, go ahead and call gnome-open with irx, and any other binary it needs (like xdg-open, /etc/orbitrc, and dash). They will all be called, but restricted.

IMO this is better than Ux, which will call the same xdg-open, /etc/orbitrc, and dash (via gnome-open) but in the case of Ux they will run unrestricted, essentially "breaking out" of your apparmor profile.

With apparmor calling these things is not a problem so long as you use irx and they are what you consider "normal functioning" of firefox.
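
An added example, not part of the original posts: a small Python check that lists the execute rules in an AppArmor profile and separates those that stay inside the calling profile (ix) from those that leave confinement (ux/Ux). The sample profile, its full paths and the function names are constructed for illustration.

```python
import re

# Constructed sample profile; paths are assumptions, not taken from a real system.
SAMPLE_PROFILE = """\
/usr/bin/pidgin {
  /etc/orbitrc r,
  /usr/bin/gnome-open rix,
  /usr/bin/xdg-open Ux,
  /bin/dash rix,
  /usr/bin/firefox Px,
  # /usr/bin/old-helper Ux,
}
"""

# File rule: optional qualifiers, an absolute path, a permission string, a comma.
RULE = re.compile(r'^\s*(?:(?:audit|owner|deny)\s+)*(/\S+)\s+([A-Za-z]+)\s*,')
# Execute modes, longest alternatives first so "pux" is not read as "ux".
EXEC = re.compile(r'(?i:pux|cux|pix|cix|ux|px|cx|ix)')


def exec_transitions(profile_text):
    """Return (line number, path, exec mode, verdict) for every execute rule."""
    findings = []
    for lineno, line in enumerate(profile_text.splitlines(), 1):
        line = line.split('#', 1)[0]          # drop comments (simplification)
        rule = RULE.match(line)
        if not rule:
            continue
        path, perms = rule.groups()
        mode = EXEC.search(perms)
        if not mode:
            continue                          # read/write-only rule
        low = mode.group(0).lower()
        if low == 'ux':
            verdict = 'unconfined'            # child runs with no profile
        elif low in ('pux', 'cux'):
            verdict = 'unconfined-fallback'   # unconfined if no profile exists
        elif low == 'ix':
            verdict = 'inherit'               # child keeps the caller's profile
        else:
            verdict = 'transition'            # child switches to another profile
        findings.append((lineno, path, mode.group(0), verdict))
    return findings


def unconfined_paths(profile_text):
    """Paths whose execution would leave AppArmor confinement."""
    return [p for _, p, _, v in exec_transitions(profile_text)
            if v.startswith('unconfined')]


if __name__ == '__main__':
    for finding in exec_transitions(SAMPLE_PROFILE):
        print(*finding)
```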