CR: P16g AppArmor Deployment — Risk & Communications

Risk Assessment

Risk Likelihood Impact Mitigation

Risk	Likelihood	Impact	Mitigation
Boot parameter change prevents boot	Low	High	Fallback boot entry available; can edit from systemd-boot menu
Misconfigured profiles break applications	Medium	Medium	Complain mode first (Phase 2), enforce only after baseline established
Browser bwrap sandbox conflicts with AppArmor	Medium	Medium	Use `flags=(attach_disconnected)` to allow namespace operations
Docker containers fail under AppArmor	Low	Medium	Docker has built-in AppArmor support; test with `docker run --rm alpine`

Boot parameter change prevents boot

Low

High

Fallback boot entry available; can edit from systemd-boot menu

Misconfigured profiles break applications

Medium

Complain mode first (Phase 2), enforce only after baseline established

Browser bwrap sandbox conflicts with AppArmor

Medium

Use flags=(attach_disconnected) to allow namespace operations

Docker containers fail under AppArmor

Low

Medium

Docker has built-in AppArmor support; test with docker run --rm alpine