[apparmor] Mapping end-user applications to security contexts

Ángel González ingenit at zoho.com
Wed Aug 28 10:08:04 UTC 2013


I have been thinking on this and my conclusion is that they are 
orthogonal problems.

The question «Is the music player allowed to use an online account?» 
should be answered by apparmor (by providing the appropriate dbus rule).

On the other hand, the user-defined decision of «Allow access to the 
[music stored at] account to banshee but not to mplayer» shall be taken 
by the trust helper, *not* apparmor.


In fact, nothing from the problem description «Ubuntu's OnlineAccounts 
plans for the next months include maintaining its own dynamic ACL of 
which applications are allowed to use a certain account, with the 
end-user being the decision maker.» requires AppArmor at all.
The applications should be confined (and the helper may enforce that 
they have any profile). And enabling the account usage may involve 
changing the application profile.
But the problem is to identify applications, not profiles. (And the 
solution will end up being more general, which is good too)



