Remove LXC Abstractions as Top Recommendations
I think the LXC abstractions (#include <abstractions/lxc/container-base>, etc.) should be removed as an option for normal users when running aa-logprof or aa-genprof, as this will almost always bite them in the leg and result in insecure profiles. Examples of this include articles such as this:
https://www.techrepublic.com/article/how-to-use-apparmor-to-block-access-to-folders-in-nginx/
https://ritcsec.wordpress.com/2016/11/30/apparmor-vs-selinux/
Users who are new to AppArmor will think that this is the AppArmor recommendation and use it, as it is the most recommended option (it is Option 1).
If this is not possible, at least the LXC abstractions should be set as the last option, or an optional warning should be shown.
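
A check for the outcome described above, as an added example that is not part of the original post or of AppArmor's own tooling: it scans profile text for includes of anything under `abstractions/lxc/` and reports the line number and the enclosing profile. The sample profile is constructed, and the name `find_lxc_includes` is hypothetical.

```python
import re
import sys

# Matches both include spellings ("#include" and "include"), an optional
# "if exists", and either <...> or "..." around the path.
INCLUDE_RE = re.compile(r'^\s*#?include\s+(?:if\s+exists\s+)?[<"]([^>"]+)[>"]')
# Profile header: "profile name ... {" or a bare attachment path "/path ... {".
HEADER_RE = re.compile(r'^\s*(?:profile\s+(\S+)|(/\S+))[^{]*\{\s*$')
LXC_PREFIX = "abstractions/lxc/"

# Constructed sample of a profile generated by accepting the LXC suggestions.
SAMPLE = """\
#include <tunables/global>

/usr/sbin/nginx {
  #include <abstractions/base>
  #include <abstractions/lxc/container-base>
  include if exists <abstractions/lxc/start-container>
  capability net_bind_service,
  /var/www/** r,
}
"""

def find_lxc_includes(profile_text):
    """Return (line_number, profile_name, abstraction) for each LXC include."""
    findings = []
    current = None  # most recent profile header seen
    for lineno, line in enumerate(profile_text.splitlines(), start=1):
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1) or header.group(2)
            continue
        inc = INCLUDE_RE.match(line)
        if inc and inc.group(1).startswith(LXC_PREFIX):
            findings.append((lineno, current, inc.group(1)))
    return findings

if __name__ == "__main__":
    # With file arguments, scan those profiles; otherwise scan the sample.
    sources = sys.argv[1:]
    texts = [(p, open(p, encoding="utf-8").read()) for p in sources]
    for name, text in texts or [("<sample>", SAMPLE)]:
        for lineno, profile, abstraction in find_lxc_includes(text):
            print(f"{name}:{lineno}: profile {profile} includes {abstraction}")
```

Run it with profile paths as arguments (for example, files under `/etc/apparmor.d/`) to review profiles that were built with aa-logprof or aa-genprof.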