Just something I figured out: as of Ubuntu 14.04.3, with kernel 3.19.x, you can use wildcards in AppArmor profiles. This way they can apply to more than one program, e.g. the first line of the profile below:

Code:
  # the attachment path itself is a glob: any file named wine* or *.exe, anywhere
  "/**/{wine*,*.exe}" {
    /**/ r,
    /dev/** rw,
    /proc/** rw,
    /sys/** r,
    /usr/** r,
    /lib/** r,
    /etc/** r,
    /tmp/** rw,
    /var/** rw,
    /usr/bin/wine* rix,
    # ix = programs executed from here inherit this same profile
    /home/*/.wine/** rwix,
    /home/*/Games/** rwix,
    /home/*/.local/share/** rw,
  }

When the above is applied, all programs run through Wine will be limited to
- running Wine-related programs (with the same restrictions)
- messing around in a very small part of the filesystem
- playing audio and whatnot

From what I can see here, the performance impact is pretty minimal too; unless you manage to get something stuck in an endless loop. You do probably want to be careful here - a profile that covers multiple programs is necessarily going to be less strict than a more specific one. Still, this is interesting, and I think it makes AppArmor a lot more versatile than it would be otherwise.

Edit: also, it's easy to get lost in a string full of wildcards...
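Since it is easy to get lost in a string full of wildcards, here is an added example (not from the post above, and not AppArmor's own code): a small Python translation of AppArmor path globs into regular expressions, run over the profile body from the post to list which permissions each path ends up with. It assumes, as I read the AppArmor parser, that a '*' or '**' at the start of a pattern or directly after a '/' has to match at least one character; '?' and '[...]' classes are left out.

```python
import re

PROFILE = """
  # the profile body from the post above (copied so this example runs on its own)
  /**/ r,
  /dev/** rw,
  /proc/** rw,
  /sys/** r,
  /usr/** r,
  /lib/** r,
  /etc/** r,
  /tmp/** rw,
  /var/** rw,
  /usr/bin/wine* rix,
  /home/*/.wine/** rwix,
  /home/*/Games/** rwix,
  /home/*/.local/share/** rw,
"""

def aa_glob_to_regex(glob):
    """AppArmor glob -> anchored regex: '*' is any run of non-'/' characters,
    '**' any run including '/', '{a,b}' alternation.  Assumption: a '*' or '**'
    at the start or right after a '/' must match at least one character."""
    out, i, depth = [], 0, 0
    while i < len(glob):
        c = glob[i]
        if c == "*":
            double = glob[i + 1:i + 2] == "*"
            out.append("[^/]" if i == 0 or glob[i - 1] == "/" else "")
            out.append("[^\\x00]*" if double else "[^/]*")
            i += 2 if double else 1
            continue
        if c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:
            out.append("|")
        else:
            out.append(re.escape(c))  # '?' and '[...]' classes are not handled
        i += 1
    return re.compile("^" + "".join(out) + "$")

def permissions_for(body, path):
    """Union of the permission letters that the rules in `body` grant on `path`."""
    rules = re.findall(r"^\s*(\S+)\s+([a-z]+),\s*$", body, re.M)
    return {c for glob, p in rules if aa_glob_to_regex(glob).match(path) for c in p}
```

Running it over a few paths shows the two sides of the profile: /home/alice/Documents/secret.txt matches no rule at all, while /dev/sda gets rw from the /dev/** rule, so for that device only DAC stands in the way.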
Effective permissions for that are the normal set of DAC ones. AppArmor restrictions are applied in addition to DAC; Wine won't be able to write to /dev/sda, unless your /dev permissions were already messed up. Or unless you're running it as root, which nobody should.
@summerheat @Stefan Froberg Do you think that, in general for most programs, a profile that denies rw rights to all files in the /var/run and /run directories shouldn't destabilize GUI programs? Or should I allow some specific files in the /run directory?