Why do I have to enable the AppArmor profile for Firefox? Why isn't it "on" by default?

I have a pretty standard default install of 11.10 (Unity 3D).

I'm trying to understand a bit about AppArmor. sudo aa-status shows me that the available Firefox profile isn't being enforced (since it isn't listed).

Am I right in using sudo aa-enforce /etc/apparmor.d/usr.bin.firefox and then rebooting to start the enforcement (immunization)?

Is it correct that the Firefox profile isn't active by default since the current version number (now 7.0.1) is part of the profile? /usr/lib/firefox-7.0.1/ appears several times. In other words, users will have to be aware of this and bump the version number (correctly) each time it changes? Is that the only reason the profile isn't enforced by default?

Or is there something else I need to do before enforcing the default Firefox profile? Will just editing /etc/apparmor.d/usr.bin.firefox with each change in version number be sufficient?


In theory you don't have to do anything when the Firefox version changes, as the AA profile is updated too.

"Activating" the FF AppArmor profile via sudo aa-enforce /etc/apparmor.d/usr.bin.firefox will enforce the policies right away; there is no need to reboot.
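
To check the result after running aa-enforce, the following added example (not part of the original question or answer) parses aa-status output and reports the profile's mode and any matching processes that are still unconfined. The function names are hypothetical, and the sample output, including the exact profile name and PIDs, is constructed for illustration.

```shell
# Added example: both functions read `aa-status` text on stdin and match names by prefix.

# profile_mode PREFIX -> prints enforce | complain | not-loaded
profile_mode() {
    awk -v p="$1" '
        / profiles are in enforce mode/  { sec = "enforce";  next }
        / profiles are in complain mode/ { sec = "complain"; next }
        /^[0-9]+ /                       { sec = "";         next }
        sec != "" {
            line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, p) == 1) found = sec
        }
        END { if (found == "") found = "not-loaded"; print found }'
}

# unconfined_pids PREFIX -> PIDs that have a matching profile loaded but are
# still running unconfined (started before the profile was loaded).
unconfined_pids() {
    awk -v p="$1" '
        / processes are unconfined but have a profile defined/ { sec = 1; next }
        /^[0-9]+ /                                             { sec = 0; next }
        sec {
            line = $0; sub(/^[ \t]+/, "", line)
            if (index(line, p) == 1 && match(line, /\([0-9]+\)/))
                print substr(line, RSTART + 1, RLENGTH - 2)
        }'
}

# Constructed sample of `sudo aa-status` output (names and PIDs are made up).
sample_aa_status() {
    cat <<'EOF'
apparmor module is loaded.
3 profiles are loaded.
2 profiles are in enforce mode.
   /sbin/dhclient
   /usr/lib/firefox-7.0.1/firefox{,*[^s][^h]}
1 profiles are in complain mode.
   /usr/sbin/example-daemon
2 processes have profiles defined.
1 processes are in enforce mode.
   /sbin/dhclient (812)
0 processes are in complain mode.
1 processes are unconfined but have a profile defined.
   /usr/lib/firefox-7.0.1/firefox (2345)
EOF
}

for f in profile_mode unconfined_pids; do sample_aa_status | "$f" /usr/lib/firefox-7.0.1/; done
```

On a real system, pipe sudo aa-status into either function instead of the sample. A profile is attached when a program is executed, so a Firefox that was already running when the profile was loaded stays unconfined until it is restarted.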