Firejail alone is probably good enough for security and privacy. #5465
amano-kenji started this conversation in General
While AppArmor can provide extra security, as long as you install small pieces of software from Linux distribution repositories, you don't get much benefit from protecting system applications with AppArmor. How likely is it that a window manager or a terminal emulator is going to hack your computer or send your data to remote servers? They don't run remote code.
On the other hand, the big untrusted pieces of software that may or may not run arbitrary remote code are web browsers, PDF readers and other user applications that can be sandboxed by firejail. A PDF reader can execute JavaScript in a PDF.
Let's admit that true security is an illusion. Living on earth is not safe. Earthquakes, floods, hurricanes, and other natural disasters can destroy your house anytime. Even with SELinux, locking down the entire system is impossible. Often, hardware and software promising total lockdown are spyware like Intel ME and AMD PSP. Anyone who promises total security wants control. Microsoft tried to use Secure Boot to prevent computers from replacing Windows with Linux. Government promises security but constantly threatens violence if people don't pay up or don't adhere to its arbitrarily changing rules without letting people consent to rules. Governments have killed many more people than all criminal organizations combined. Yet, instead of taking responsibility for our own security, we think we need governments to keep us safe. True security doesn't exist on earth. If you give up freedom to big tech or big government for the illusion of security, you lose security. Lesson: Don't give up freedom for security.
But, you can get reasonable levels of security and privacy without compromising your natural right to do things without initiating violence. I think firejail is a good tradeoff. It is relatively straightforward to use for applications that have firejail profiles.
I think creating an AppArmor profile for any system service that runs arbitrary remote code or directly connects to the internet is still worth my time. If you are trying to protect every system application with AppArmor or SELinux, you will be stuck creating and modifying profiles until your death. Perfection is impossible as long as you live in the physical universe.
Most of the time, protection from arbitrary code execution and on networked software is enough.