Comment 0 for bug 419308

Jamie Strandboge (jdstrand) wrote :

Karmic will be shipping an apparmor profile for firefox (bug #382917). This is a spec for the security team. Due to packaging constraints and maintenance, it must use matching for the profile name. E.g., with a profile name specified like this:
/usr/lib/firefox-3.5.*/firefox {
...

/usr/lib/firefox-3.5.2/firefox attaches and works (good).

However, this causes problems:
a) it improperly matches the *files* /usr/lib/firefox-3.5.foo, /usr/lib/firefox-3.5.bar. This is wrong and could cause problems if other versions of firefox are installed.
b) '/usr/lib/** ux' is too greedy, i.e. it will match /usr/l if nothing else is available
c) '/usr/bin/** px' won't attach if the profiled is confined

These issues are a surprising side-effect of using matching in the profile name, and will cause bugs and problems when people modify the firefox profile or develop their own profiles using profile name matching.
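
An added example, not part of the bug report and not AppArmor's own code: a simplified Python model of the documented `*`, `**` and `?` glob semantics, used as a baseline for the paths named in (a) and (b). The function names and the path list are constructed for illustration; the model does not reproduce the parser or kernel behaviour reported above.

```python
import re


def aa_glob_to_regex(pattern):
    """Translate a subset of AppArmor globbing (*, **, ?) to a regex."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")       # ** : any run of characters, '/' included
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")    # *  : any run of characters except '/'
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")     # ?  : one character except '/'
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("".join(out), re.DOTALL)


def matches(pattern, path):
    """True when the whole path matches the glob under the model above."""
    return aa_glob_to_regex(pattern).fullmatch(path) is not None


# Profile name from the report; the path list is constructed from items (a) and (b).
PROFILE_NAME = "/usr/lib/firefox-3.5.*/firefox"
CASES = [
    (PROFILE_NAME, "/usr/lib/firefox-3.5.2/firefox"),
    (PROFILE_NAME, "/usr/lib/firefox-3.5.foo"),
    (PROFILE_NAME, "/usr/lib/firefox-3.5.bar"),
    ("/usr/lib/**", "/usr/lib/firefox-3.5.2/firefox"),
    ("/usr/lib/**", "/usr/l"),
]


def baseline():
    """Return (pattern, path, expected_match) rows for comparison with a live system."""
    return [(pat, path, matches(pat, path)) for pat, path in CASES]


if __name__ == "__main__":
    for pat, path, ok in baseline():
        print(f"{'match   ' if ok else 'no match'}  {pat}  vs  {path}")
```

Rows marked `no match` are the ones the report describes as matching anyway, so they are the cases to re-check on a fixed parser.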