Why isnt apparmor firefox profile enabled by default?

**jasonmchristos** · April 25th, 2010

This page https://help.ubuntu.com/community/AppArmor shows how to enable apparmor firefox profile. Why isnt apparmor firefox profile enabled by default? I would postulate that this would be because there must be some limitation by having the profile enabled. If so, what would the limitation be?

**rookcifer** · April 25th, 2010

Originally Posted by jasonmchristos

This page https://help.ubuntu.com/community/AppArmor shows how to enable apparmor firefox profile. Why isnt apparmor firefox profile enabled by default? I would postulate that this would be because there must be some limitation by having the profile enabled. If so, what would the limitation be?

Short answer: not everyone has the same needs from Firefox, so enabling the profile by default might "break" Firefox for some people and might be too permissive for others.

**lovinglinux** · April 25th, 2010

Originally Posted by rookcifer

Short answer: not everyone has the same needs from Firefox, so enabling the profile by default might "break" Firefox for some people and might be too permissive for others.

+1

For instance, it might break extensions functions.

**Rubi1200** · April 25th, 2010

So, here's the thing; if I enable the AppArmor profile for Firefox and things get messed up can I just disable it and everything will be back to "normal"? Secondly, I don't understand what the default profile is doing; a brief explanation about what it protects/prevents would be nice.
Thanks in advance

**rookcifer** · April 25th, 2010

Originally Posted by Rubi1200

So, here's the thing; if I enable the AppArmor profile for Firefox and things get messed up can I just disable it and everything will be back to "normal"?

Yes.

Secondly, I don't understand what the default profile is doing; a brief explanation about what it protects/prevents would be nice.
Thanks in advance

There is an apparmor sticky at the top of this forum which explains a lot of this.

**Rubi1200** · April 25th, 2010

Thanks!
I will check out the sticky as well.

**zong1** · August 15th, 2010

Originally Posted by rookcifer

Yes.

There is an apparmor sticky at the top of this forum which explains a lot of this.

Nope. I cannot see a sticky thread about AppArmour in :
Ubuntu Forums > The Ubuntu Forum Community > Main Support Categories > Security Discussions . However, I won't discount the possibility that I am partially blind.

**jasonmchristos** · May 1st, 2010

[QUOTE=Rubi1200;9172716]Secondly, I don't understand what the default profile is doing; a brief explanation about what it protects/prevents would be nice.
Well if fiefox is exploited someone may want to read the password files on the system using a Firefox exploit in attempts to crack them and gain access to your system. Skype for instance does this by default, the skype software is programmed to probe all of the sensitive areas on your system, however I found that the apparmor extra profile that is supposed to keep skype in line renders the current version of skype unusable. Looks like i will have to actually make my own profile. In short the firefox profile puts restrictions on what firefox can do. I am not sure of the exact details yet since i havent got too deep into apparmor yet. I heard through the grapevine that canonical intends to abandon apparmor for selinux. Not sure if I should be spending a lot of time on learning apparmor.