@AdFundum i dont know about confined use but i know how to do it, its not a single command and has a couple of steps. look at lss background module its basically the how to for it.

@Flohack I know that any DBus call - except for some - is by default denied by AppArmor, therefore we should for sure update the confinement AA templates. I think we'd probably need to define a new AppArmor profile for headless apps, in order to prevent e.g. usage of the UriHandler service