AppArmor: Are multiple profiles per application (Firefox, Thunderbird) possible? Syntax?
AppArmor works by executable. It can't figure out that Firefox has loaded a different profile and so it should use a different AppArmor profile.
AppArmor does support change rules, which allow an application to change which profile applies to it. The intended use case is precisely to allow an application to switch to a more restrictive profile once it's finished initializing and figured out what it needs to access in this particular instance. So if Firefox was AppArmor-aware, it would be possible to give it a change_profile rule and have it apply the transition once it's figured out which profile to run as. As far as I know, this hasn't been done.
What you can do without programming is make multiple copies or hard links of the firefox-bin executable, and define different profiles for each of them (AppArmor is based on the path to the executable, so different hard links need not use the same profile, unlike SELinux which is based on inodes). This requires root and isn't so convenient, which is why the change profile feature was added to AppArmor.
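
The hard-link approach from the answer above, written out as profile syntax. This is an added example, not part of the original answer; the link paths, the profile names, the Firefox profile directories (`*.banking`, `*.browsing`) and the `local/firefox-common` include are all assumptions.

```apparmor
# Added example. Assumed setup, done once as root, with the links on the
# same filesystem as the original binary:
#   ln /usr/lib/firefox/firefox-bin /usr/lib/firefox/firefox-bin-banking
#   ln /usr/lib/firefox/firefox-bin /usr/lib/firefox/firefox-bin-browsing

#include <tunables/global>

# AppArmor attaches by path, so this profile applies only when the binary
# is started through the "banking" link.
profile firefox-banking /usr/lib/firefox/firefox-bin-banking {
  #include <abstractions/base>
  # Hypothetical file holding the rules both profiles share
  # (libraries, fonts, X11, network), e.g. taken from the distribution's
  # stock Firefox profile.
  #include <local/firefox-common>

  # Only the "banking" Firefox profile directory is reachable.
  owner @{HOME}/.mozilla/firefox/*.banking/ r,
  owner @{HOME}/.mozilla/firefox/*.banking/** rwk,

  # No access to downloads from this instance.
  deny @{HOME}/Downloads/** rw,
}

# Same inode, different path, different confinement.
profile firefox-browsing /usr/lib/firefox/firefox-bin-browsing {
  #include <abstractions/base>
  #include <local/firefox-common>

  owner @{HOME}/.mozilla/firefox/*.browsing/ r,
  owner @{HOME}/.mozilla/firefox/*.browsing/** rwk,
  owner @{HOME}/Downloads/** rw,
}

# For comparison, the change_profile route would need an AppArmor-aware
# Firefox and a rule of this form inside its starting profile:
#   change_profile -> firefox-banking,
```

Each instance is then started through its own link with the matching Firefox profile, for example `/usr/lib/firefox/firefox-bin-banking -P banking`. Starting the original `firefox-bin` path matches neither attachment, so it needs its own profile if it is to be confined at all.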