Comment 21 for bug 1659988

Thomas Mayer (thomas303) wrote :

@roberto-colnaghi Not exactly. The patch is against the apparmor profile of FF only.

Attached is the full version of a patched apparmor profile (patched with VERSION 6).

You can even leave the existing profile untouched by disabling it with a separate link and adding a separate file as a root user:

#disable existing profile
cd /etc/apparmor.d/disable
ln -s ./../usr.bin.firefox
#adding patched version (attached to this comment)
cp /path/to/downloaded/usr.bin.firefox_patched /etc/apparmor.d/usr.bin.firefox_patched
#reload profiles
service apparmor reload

Now that the original profile file remains unchanged, apt-get won't complain when the official package gets updated.

As soon as the official package gets updated, there's nothing more to do than this:

#enable profile from official package again
rm /etc/apparmor.d/disable/usr.bin.firefox
#remove patched version
rm /etc/apparmor.d/usr.bin.firefox_patched
#reload profiles
service apparmor reload

Bonus: That should be undoable even for a production system, even if something breaks (whereas I assume that your production system is currently broken anyway).

Please report back whether it fixes your issues, and which of them it fixes (in the corresponding bug IDs).
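
Added example, not part of the original comment: a small shell check that reports which of the two profile files from the steps above is enabled on disk, so that a missing disable link (both files enabled) is caught before reloading. The function name `profile_state` and its optional directory argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original comment): inspect the on-disk state
# produced by the disable/copy/remove steps described above.
# profile_state and its directory argument are hypothetical helpers.

profile_state() {
    dir="${1:-/etc/apparmor.d}"            # default profile directory
    official="$dir/usr.bin.firefox"
    patched="$dir/usr.bin.firefox_patched"
    disable_link="$dir/disable/usr.bin.firefox"

    official_enabled=no
    patched_enabled=no

    # The packaged profile counts as enabled when its file exists and
    # there is no entry of the same name in the disable directory.
    if [ -f "$official" ]; then
        if [ ! -e "$disable_link" ] && [ ! -L "$disable_link" ]; then
            official_enabled=yes
        fi
    fi

    # The patched copy has no disable link in this procedure, so its
    # presence alone means it is enabled.
    if [ -f "$patched" ]; then
        patched_enabled=yes
    fi

    case "$official_enabled/$patched_enabled" in
        yes/yes) echo both ;;      # disable link missing: fix before reload
        yes/no)  echo official ;;  # state before patching / after rollback
        no/yes)  echo patched ;;   # intended state while the patch is in use
        *)       echo none ;;      # no Firefox profile enabled at all
    esac
}
```

This only looks at the files under the profile directory; `aa-status` shows which profiles are actually loaded in the kernel after `service apparmor reload`.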