We should get citoid an apparmor manifest as we have done for OCG. It will increase the overall security of the service and confine it.
|Resolved||MoritzMuehlenhoff||T101870 Service containment for nodejs-based services with firejail|
|Resolved||MoritzMuehlenhoff||T98851 containment for Citoid|
Many of the interesting bits of AppArmor have not been merged upstream (e.g. network confinement) and newer versions of AppArmor don't even make it upstream anymore. Thus, with the switch to Debian, we kind of lost the capability of sanely using AppArmor (this was well documented in advance).
I don't think it makes much sense to waste time for that now. We should instead invest into some of the systemd confinement features that are here to stay.