Merge lp:~intrigeri/apparmor/add-firefox-esr-to-ubuntu-browsers into lp:apparmor/2.12

Just a sidenote: I'm not sure about the reason why the rule was about firefox*.sh (the bzr log r1905.1.5 doesn't explain it - Jamie, do you still remember?), so someone should double-check why it was restricted to *.sh.

On openSUSE, /usr/lib64/firefox/ contains firefox, firefox-bin and firefox.sh (and some files not matching firefox*)

Anyway - you can simplify your rule to /usr/lib/firefox*/firefox* - the additional {,.sh} isn't needed thanks to the * ;-)

> Anyway - you can simplify your rule to /usr/lib/firefox*/firefox* - the additional {,.sh} isn't needed thanks to the * ;-)

Thanks, now done in my branch :)

Two months later: ping?

On Thu, Jun 23, 2016 at 06:51:14PM -0000, intrigeri wrote:
> Two months later: ping?

Sorry about that.

> === modified file 'profiles/apparmor.d/abstractions/ubuntu-browsers'
> --- profiles/apparmor.d/abstractions/ubuntu-browsers 2012-04-25 19:13:15 +0000
> +++ profiles/apparmor.d/abstractions/ubuntu-browsers 2016-04-24 14:26:52 +0000
> @@ -30,7 +30,7 @@
> # this should cover all firefox browsers and versions (including shiretoko
> # and abrowser)
> /usr/bin/firefox Cxr -> sanitized_helper,
> - /usr/lib/firefox*/firefox*.sh Cx -> sanitized_helper,
> + /usr/lib/firefox*/firefox*{,.sh} Cx -> sanitized_helper,

The problem with this is that firefox*{,.sh} is equivalent to firefox*.
Furthermore it matches the firefox binary /usr/lib/firefox/firefox as
shipped in ubuntu, which the original pattern did not.

But (and this is what prevented me from replying when the original merge
request was proposed), I'm not sure what the implications of that change
are, if any. The shipped firefox profile in ubuntu (16.04 LTS at least)
has "/usr/lib/firefox/firefox{,*[^s][^h]}" as it's profile match, so
potentially this could cause interference.

Is there a more tightly bound pattern for the esr firefoxes that debian
is shipping?

--
Steve Beattie
<email address hidden>
http://NxNW.org/~steve/

Hi,

Steve Beattie wrote (23 Jun 2016 21:34:46 GMT):
> The problem with this is that firefox*{,.sh} is equivalent to firefox*.

Right (and since Christian noted this I've already changed the line to
firefox*).

> Furthermore it matches the firefox binary /usr/lib/firefox/firefox as
> shipped in ubuntu, which the original pattern did not.

> But (and this is what prevented me from replying when the original merge
> request was proposed), I'm not sure what the implications of that change
> are, if any. The shipped firefox profile in ubuntu (16.04 LTS at least)
> has "/usr/lib/firefox/firefox{,*[^s][^h]}" as it's profile match, so
> potentially this could cause interference.

OK. Let's avoid diving into this, if possible.

> Is there a more tightly bound pattern for the esr firefoxes that debian
> is shipping?

Yes, done in my updated branch :)