Hi,
Something 'interesting' happened last night. I found the /var/lib/snapd/apparmor/profiles/snap.firefox.firefox apparmor script.
And I added to the end a deny @{HOME}/Documents/ rwl as well as other private directories, leaving only Downloads available to firefox.
Then I switched to an unprivileged account with no sudo rights and went surfing for some Linux things using firefox.
When I ended the surfing session, I went back to my admin account, which still had the snap.firefox.firefox script open, and I was informed that the file had changed and asked whether I wanted to reload it. After the reload, I discovered that my changes were gone.
Now I had announced on another post that I was going to fiddle with apparmor stuff. But I said I was going to make one for Chrome, and didn't say anything about firefox.
My question is: does firefox replace the apparmor script by itself, or was it maliciously replaced by someone?
If it was replaced by someone, this would be a neat trick, as I thought that apparmor was supposedly able to stop even zero days and confine the attacker. How was he able to replace the apparmor profile? The apparmor script is owned by root.
The machine is a fresh install, with avahi-daemon and cups, the 2 listening services, removed. It also has a firewall with inbound deny and only outgoing allowed for https, http, DNS, and NTP.