Code review comment for lp://staging/~intrigeri/apparmor/add-firefox-esr-to-ubuntu-browsers

On Thu, Jun 23, 2016 at 06:51:14PM -0000, intrigeri wrote:
> Two months later: ping?

Sorry about that.

> === modified file 'profiles/apparmor.d/abstractions/ubuntu-browsers'
> --- profiles/apparmor.d/abstractions/ubuntu-browsers 2012-04-25 19:13:15 +0000
> +++ profiles/apparmor.d/abstractions/ubuntu-browsers 2016-04-24 14:26:52 +0000
> @@ -30,7 +30,7 @@
> # this should cover all firefox browsers and versions (including shiretoko
> # and abrowser)
> /usr/bin/firefox Cxr -> sanitized_helper,
> - /usr/lib/firefox*/firefox*.sh Cx -> sanitized_helper,
> + /usr/lib/firefox*/firefox*{,.sh} Cx -> sanitized_helper,

The problem with this is that firefox*{,.sh} is equivalent to firefox*.
Furthermore it matches the firefox binary /usr/lib/firefox/firefox as
shipped in ubuntu, which the original pattern did not.

But (and this is what prevented me from replying when the original merge
request was proposed), I'm not sure what the implications of that change
are, if any. The shipped firefox profile in ubuntu (16.04 LTS at least)
has "/usr/lib/firefox/firefox{,*[^s][^h]}" as it's profile match, so
potentially this could cause interference.

Is there a more tightly bound pattern for the esr firefoxes that debian
is shipping?

--
Steve Beattie
<email address hidden>
http://NxNW.org/~steve/