Ok so I found this on the "How can I enable AppArmor for Firefox?" line on the Ubuntu wiki which is out of date because Firefox is now a snap. I think the profile is enabled but first where is the profile with snaps I am not sure.
While the documentation states (incorrectly) that apparmor profiles are stored in /etc/apparmor.d, this is not true for some profiles, especially for snaps. As explained on the snapcraft.io forum in 2017:
Ubuntu’s apparmor init is patched to understand /var/lib/snapd/apparmor/profiles and will load cache files from /var/cache/apparmor for those profiles (this concept dates back to Touch and snappy v1 (but they of course used different profile directories)). Profile caches for snappy end up there and apparmor init makes sure these are loaded on early boot.
Note this will be problematic for non-Debian/non-Ubuntu systems that (will) use apparmor (eg, openSUSE).
The alternative location where snaps' apparmor profiles are stored is not documented on any Ubuntu site at present. I request that Ubuntu correct this omission, since their wiki page is immutable, and I can't correct it myself.
Yes the AppArmor Firefox Profile seems to be enabled, by default, at least on my 22.04 machine,
because I see some entries for Firefox in the kernel log files, entered by AppArmor:
zgrep firefox /var/log/kern.log*
Result (simplified, oneline -> multiline):
/var/log/kern.log.1:Jun 28 17:47:16 xxxx kernel: [ 6901.642471]
apparmor="DENIED" operation="open" profile="snap.firefox.firefox"
name="..." pid=7330
comm="firefox"
requested_mask="r" denied_mask="r" fsuid=1001 ouid=0
I think the apparmor profile for the Firefox snap is in
/etc/apparmor.d/usr.bin.firefox
and I think you can add your own rules in
/etc/apparmor.d/local/usr.bin.firefox
which by default only contains these comments (on my 22.04)
# Site-specific additions and overrides for usr.bin.firefox.
# For more details, please see /etc/apparmor.d/local/README.
But I do not know how to do that, adding custom rules.
