# Apparmor 4.0 and over ships a few profiles that can conflict with apparmor.d
# This file keeps track of them and allow apparmor.d to replace them by our own.
# File format: one profile name by line.

# Overwrite unconfined upstream profiles that only allow userns
brave
chrome
chromium
cockpit-desktop
element-desktop
epiphany
firefox
flatpak
foliate
loupe
msedge
mullvad
nautilus
opera
os-prober
plasmashell
signal-desktop
slirp4netns
systemd-coredump
thunderbird
virtiofsd

# Overwrite upstreamed profiles, our local version may be more up to date
unix-chkpwd

# Overwrite some profiles recently added in apparmor while being already present in apparmor.d for a while
# They can be multiple justification for keeping our profiles here, or or the contrary using upstream ones:
# - Keep ours: If we/they use abstractions, tunable, rules, and integration with apparmor.d that would break if using the upstream profile
# - Drop ours: when upstream profiles is better (see pkg/prebuild/prepare/configure.go)
fusermount3
lsblk
lsusb
openvpn
remmina
transmission
wg-quick
systemd-detect-virt # Missing integration with @{p_systemd}
hostname # Has @{bin} denied in header, would conflict with apparmor.d's @{bin} tunables