Comment 2 for bug 592121

Jamie Strandboge (jdstrand) wrote : Re: grossly negligent apparmor settings

Thank you for using Ubuntu and reporting a bug.

First off, in a standard Ubuntu install, PDFs are handled by evince, which is covered by an AppArmor profile and if the firefox profile is enabled it will run evince confined.

Second, if the firefox profile is enabled and is configured to use nspluginwrapper, when flash content is processed, firefox transitions to unconfined. Depending on the vulnerability, it may or may not be confined by the profile. If the user installs acroread and configures firefox to use it instead of evince, the same thing will happen if there is a vulnerability in acroread. As an aside, this is generally not the case for addons and extensions since they execute within the firefox context rather than a separate exec.

Keep in mind a couple of things:
1. The goal of the firefox apparmor profile is not to protect the user from herself, but instead to add a layer of protection against *firefox* executing code and launching other attacks. Due to a number of factors, not least of which are usability and development time, the firefox profile will run many helper applications unconfined.

2. Users expect to be able to download and upload files, as well as access those files on removable media. Also, these lines apply to directories only:
  / r,
  /**/ r,

3. The profile explicitly denies read/write access to sensitive files via the private abstraction and write access to ~/bin (which is in the user's PATH).

All of these things combined do improve the security stance of firefox, by effectively making it run within a sandbox. That said, it is recognized that security-minded people and enterprise users will want to make the profile less general purpose and further restrict firefox, which is why the profile is shipped in /etc as a configuration file. It is planned that Ubuntu 10.10 will make it easier to fine-tune browser profiles.

For more information on the design of the profile, please see https://wiki.ubuntu.com/SecurityTeam/Specifications/Karmic/AppArmorFirefoxProfile
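
The following is an added example, not part of the comment above or of the Ubuntu profile: a simplified model of AppArmor path globbing that shows why the two rules quoted in point 2 (`/ r,` and `/**/ r,`) cover directories but not regular files. The function names and sample paths are constructed for illustration, and only `*`, `**` and `?` are modelled.

```python
import re

# The two rules quoted in the comment (read permission on both).
RULES = ["/", "/**/"]

def glob_to_regex(rule):
    """Translate a simplified subset of AppArmor globbing to a regex.
    '**' crosses '/', '*' and '?' do not. Classes and {a,b} are not modelled."""
    out, i = [], 0
    while i < len(rule):
        if rule.startswith("**", i):
            out.append(".*"); i += 2
        elif rule[i] == "*":
            out.append("[^/]*"); i += 1
        elif rule[i] == "?":
            out.append("[^/]"); i += 1
        else:
            out.append(re.escape(rule[i])); i += 1
    return re.compile("".join(out), re.S)

def mediated_name(path, is_dir):
    """AppArmor matches directories with a trailing '/', files without one."""
    return path if not is_dir or path.endswith("/") else path + "/"

def read_allowed(path, is_dir, rules=RULES):
    """True if one of the given rules matches the name AppArmor would check."""
    name = mediated_name(path, is_dir)
    return any(glob_to_regex(r).fullmatch(name) for r in rules)

# Constructed sample paths: (path, is_dir)
SAMPLES = [
    ("/", True),
    ("/home/alice", True),
    ("/media/usb0/docs", True),
    ("/home/alice/notes.txt", False),
    ("/etc/passwd", False),
]

def report(samples=SAMPLES):
    return [(p, d, read_allowed(p, d)) for p, d in samples]

if __name__ == "__main__":
    for path, is_dir, ok in report():
        kind = "dir " if is_dir else "file"
        print(f"{kind} {path:<24} {'allowed' if ok else 'no match'}")
```

"no match" here means only that these two rules do not grant the access; whether a file is readable depends on the other rules in the profile.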