Comment 10 for bug 592121

Jamie Strandboge (jdstrand) wrote :

I have changed this to Fix Committed since at least part of the issue in this bug is that the shipped profile is a conffile which makes restricting the profile more difficult than it needs to be.

With the next firefox in Ubuntu 10.10, this is easier to configure. Specifically, a stripped down /etc/apparmor.d/usr.bin.firefox profile is shipped by firefox and it will include /etc/apparmor.d/local/usr.bin.firefox and /etc/apparmor.d/abstractions/ubuntu-browsers.d/firefox. The latter will ship by default with the abstractions in /etc/apparmor.d/abstractions/ubuntu-browsers.d/* enabled, but this can be controlled with the aa-update-browser command or hand edited to remove what is not wanted (for now, this won't be touched on upgrades, see debconf note below). The former can be adjusted as desired and will never be touched on upgrades.

The profile is still disabled by default. Setting the firefox profile's mode (i.e., enabled vs disabled) and configuring /etc/apparmor.d/abstractions/ubuntu-browsers.d/firefox via debconf is planned, but may not land this cycle.