Comment 4 for bug 592121

Jamie Strandboge (jdstrand) wrote :

I'll put your personal attack aside and address your point as I think your main question is valid. I would appreciate it if you would discontinue these attacks.

I did not miss your point. The browser is supposed to be able to read and write files from the user's directory. This is *by design* of the browser, in particular firefox. How else is someone supposed to download a file? To upload their presentation to the company webserver? If the AppArmor profile denied these actions by default, what would the regular user who knows nothing of AppArmor do?
 * If we were lucky, they would turn off only the firefox profile (which, I might add, is *opt in* only right now). This action would weaken the security stance of firefox since it would now be running totally unconfined.
 * If we were more unlucky, the user would turn off all of AppArmor (this has been seen occasionally with AppArmor but famously with SELinux). The result would be that CUPS, dhclient, evince, the guest-session and other profiles in Ubuntu would be disabled.
 * If we were most unlucky, the user would become frustrated with Ubuntu and use another OS, likely complaining to everyone they know about it. Considering all of Ubuntu's proactive security features (including, but in no way limited to AppArmor) and depending on what OS they choose, this could greatly decrease the security stance for the user.

The browser is arguably the most important application a regular user uses. If we are cavalier about breaking the most used application on the Desktop, then from the user's point of view the Desktop and OS are broken. We must carefully weigh usability requirements against security protections in all cases, otherwise it leads to frustration and the security feature being turned off.

AppArmor can protect against many things. The firefox profile protects against execution of arbitrary code by the browser and reading/writing of files you do not own (e.g. /etc/passwd), reading/writing sensitive files like the user's gnome-keyring, ssh keys, gnupg keys, history files, swp, backup files, rc files, and files in the standard PATH. It also confines add-ons and extensions to the above. Firefox is integrated into the Desktop and so it must be allowed to open helper programs and access the user's data. The profile is by default *general purpose* with the design being:
 * when enabled, it significantly improves the security of firefox as is
 * it provides a starting point for people to confine firefox how they want to
 * the implementation gives the user the ability to fine-tune it to be as strict as desired

Of course firefox can be locked down more to protect the user's data. We could make it so that it could only write to ~/Downloads and read from ~/Public. However, this deviates from upstream's design, would likely put Ubuntu's Mozilla branding at stake, and most importantly frustrate users. Is Ubuntu's profile a "violation of the idea of apparmor"? Of course not -- it *is* protecting users from various attacks and many forms of information disclosure. It is a distribution requirement to provide a functional browser. It is a distribution choice to not break it with too-aggressive security protections. It is a user's/administrator's choice to configure the profile for her environment.
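To make the design described in this comment concrete, here is an added sketch of a profile in that style (an illustration only, not Ubuntu's actual usr.bin.firefox profile; the firefox binary path and the particular deny rules are assumptions): the user's home is allowed broadly with `owner`, explicit `deny` rules carve out the sensitive files, and the stricter Downloads/Public variant is shown commented out.

```apparmor
# Added illustration, not the Ubuntu usr.bin.firefox profile. The firefox
# binary path and the exact deny list are assumptions for this example.
#include <tunables/global>

/usr/lib/firefox/firefox {
  #include <abstractions/base>
  #include <abstractions/nameservice>
  #include <abstractions/user-tmp>

  # The browser itself and its libraries.
  /usr/lib/firefox/** mr,
  /usr/lib/firefox/firefox ix,

  # General-purpose design: downloads and uploads need read/write access
  # to the user's own files, so home is allowed broadly...
  owner @{HOME}/ r,
  owner @{HOME}/** rw,

  # ...but deny rules win over allow rules, so the sensitive paths named
  # in the comment stay out of reach even if an add-on misbehaves.
  audit deny @{HOME}/.ssh/** mrwkl,
  audit deny @{HOME}/.gnupg/** mrwkl,
  audit deny @{HOME}/.gnome2/keyrings/** mrwkl,
  deny @{HOME}/.*_history mrwkl,
  deny @{HOME}/.*rc mrwkl,
  deny @{HOME}/**.swp rw,
  deny @{HOME}/**~ rw,

  # No dropping binaries into a directory on the user's PATH.
  audit deny @{HOME}/bin/** wl,

  # Stricter, opt-in variant from the comment: replace the broad
  # 'owner @{HOME}/** rw,' rule above with these two lines.
  # owner @{HOME}/Downloads/** rw,
  # owner @{HOME}/Public/** r,
}
```

Load a profile like this with `sudo apparmor_parser -r <profile-file>` and tune it against the `apparmor="DENIED"` entries that appear in the kernel log when the browser hits a blocked path.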