I notice lots of rules added for lsb_release. We had to add a bunch of similar ones to usr.bin.thunderbird recently, which was done with a named lsb_release child profile. This seems to be a nicer approach to me: whatever lsb_release needs is self-contained instead of being mixed with everything else Thunderbird/phpsysinfo need access to. So, now that we have two consumers for lsb_release confinement, I suggest we extract it into a shared named profile shipped in /etc/apparmor.d and not as a child profile that one has to duplicate. See e.g. the gst_plugin_scanner one.
What do you think?