@roberto-colnaghi Not exactly. The patch is against the apparmor profile of FF only.
Attached, I send the full version of a patched apparmor profile (patched with VERSION 6).
You can even leave the existing profile untouched by disabling it with a separate link and adding a separate file as a root user:
#disable existing profile
cd /etc/apparmor.d/disable
ln -s ./../usr.bin.firefox
#adding patched version (attached to this comment)
cp /path/to/downloaded/usr.bin.firefox_patched /etc/apparmor.d/usr.bin.firefox_patched
#reload profiles
service apparmor reload
Now that the original profile file remains unchanged, apt-get won't complain when the official package gets updated.
As soon as the official package gets updated, there's nothing more to do than the following:
#enable profile from official package again
rm /etc/apparmor.d/disable/usr.bin.firefox
#remove patched version
rm /etc/apparmor.d/usr.bin.firefox_patched
#reload profiles
service apparmor reload
Bonus: That should be undoable even for a production system even if something breaks (whereas I assume that your production system currently is broken anyways).
Please report back if it fixes your issues. And which of them it fixes (in the corresponding bug IDs).