Karmic will be shipping an AppArmor profile for Firefox (bug #382917). This is a spec for the security team. Due to packaging constraints and maintenance, it must use pattern matching for the profile name. E.g., with a profile name specified like this:
/usr/lib/firefox-3.5.*/firefox {
...
/usr/lib/firefox-3.5.2/firefox attaches and works (good).
However, this causes problems:
a) it improperly matches the *files* /usr/lib/firefox-3.5.foo, /usr/lib/firefox-3.5.bar. This is wrong and could cause problems if other versions of firefox are installed.
b) '/usr/lib/** ux' is too greedy, i.e. it will match /usr/l if nothing else is available
c) '/usr/bin/** px' won't attach if the profiled is confined
These issues are a surprising side-effect of using matching in the profile name, and will cause bugs and problems when people modify the firefox profile or develop their own profiles using profile name matching.
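For comparison with the behaviour reported above, here is an added example (not part of the original spec and not AppArmor's own matcher) that models the glob semantics documented in apparmor.d(5), where `*` does not cross `/` and `**` does. It is a simplified model covering only `*`, `**`, `?` and `{a,b}`; the function names and the sample paths are constructed for illustration.

```python
import re

def aa_glob_to_regex(pattern):
    """Translate an AppArmor-style path glob into a compiled Python regex."""
    out, depth, i = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):   # escaped literal character
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if pattern[i:i + 2] == "**":             # ** may cross directory separators
            out.append(".*")
            i += 2
            continue
        if c == "*":                             # * stays inside one path component
            out.append("[^/]*")
        elif c == "?":                           # ? is one character, never '/'
            out.append("[^/]")
        elif c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}" and depth:
            depth -= 1
            out.append(")")
        elif c == "," and depth:                 # comma separates alternatives in {}
            out.append("|")
        else:
            out.append(re.escape(c))
        i += 1
    if depth:
        raise ValueError("unbalanced '{' in pattern: %r" % pattern)
    return re.compile("".join(out))

def glob_matches(pattern, path):
    """True if the whole path matches the glob under the modelled semantics."""
    return aa_glob_to_regex(pattern).fullmatch(path) is not None

if __name__ == "__main__":
    name = "/usr/lib/firefox-3.5.*/firefox"      # profile name from the spec
    for path in ("/usr/lib/firefox-3.5.2/firefox",   # constructed sample paths
                 "/usr/lib/firefox-3.5.foo",
                 "/usr/lib/firefox-3.5.bar",
                 "/usr/lib/firefox-3.0.11/firefox"):
        print("%-36s %s" % (path, glob_matches(name, path)))
    print("/usr/lib/** vs /usr/l:", glob_matches("/usr/lib/**", "/usr/l"))
```

Running candidate profile names through a model like this before shipping shows which paths the pattern is meant to cover, so any extra attachment seen on a real system can be attributed to the matcher rather than to the pattern.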