I got it working by adding the 2 lines at the end of the /etc/apparmor.d/usr.bin.firefox just before the closing brack "}". Without these lines, I had to use another workaround by disabling Apparmor completely on Firefox with a command like "sudo aa-complain /usr/lib/firefox/firefox" or using the official Firefox binary from Mozilla instead of the Ubuntu package.
I saw Daniel wrote "this is not a great way of working (malware could write to that location and then load in code)" but do you have an idea how to make it more secure? When will the fix be added officially to the Firefox Apparmor profile? -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/1777070 Title: firefox plugin libwidevinecdm.so crashes due to apparmor denial Status in apparmor package in Ubuntu: Confirmed Status in firefox package in Ubuntu: Confirmed Bug description: Ubuntu 18.04, Firefox 60.0.1+build2-0ubuntu0.18.04.1 Running firefix, then going to netflix.com and attempting to play a movie. The widevinecdm plugin crashes, the following is found in syslog: Jun 15 19:13:22 xplt kernel: [301351.553043] audit: type=1400 audit(1529046802.585:246): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16118 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000 Jun 15 19:13:22 xplt kernel: [301351.553236] audit: type=1400 audit(1529046802.585:247): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}" Jun 15 19:13:22 xplt kernel: [301351.553259] plugin-containe[16118]: segfault at 0 ip 00007fcdfdaa76af sp 00007ffc1ff03e28 error 6 in libxul.so[7fcdfb77a000+6111000] Jun 15 19:13:22 xplt snmpd[2334]: error on subcontainer 'ia_addr' insert (-1) Jun 15 19:13:22 xplt /usr/lib/gdm3/gdm-x-session[6549]: ###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv Jun 15 19:13:24 xplt kernel: [301353.960182] audit: type=1400 audit(1529046804.994:248): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16135 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000 Jun 15 19:13:24 xplt kernel: [301353.960373] audit: type=1400 audit(1529046804.994:249): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}" Jun 15 19:13:24 xplt kernel: [301353.960398] plugin-containe[16135]: segfault at 0 ip 00007fe3b57f46af sp 00007ffe6dc0b488 error 6 in libxul.so[7fe3b34c7000+6111000] Jun 15 19:13:28 xplt kernel: [301357.859177] audit: type=1400 audit(1529046808.895:250): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16139 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000 Jun 15 19:13:28 xplt kernel: [301357.859328] audit: type=1400 audit(1529046808.895:251): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}" Jun 15 19:13:28 xplt kernel: [301357.859349] plugin-containe[16139]: segfault at 0 ip 00007fcf32ae06af sp 00007ffeb8a136c8 error 6 in libxul.so[7fcf307b3000+6111000] Jun 15 19:13:25 xplt /usr/lib/gdm3/gdm-x-session[6549]: ###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv Jun 15 19:13:29 xplt /usr/lib/gdm3/gdm-x-session[6549]: ERROR block_reap:328: [hamster] bad exit code 1 Jun 15 19:13:29 xplt /usr/lib/gdm3/gdm-x-session[6549]: ###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv Jun 15 19:13:29 xplt kernel: [301358.227635] audit: type=1400 audit(1529046809.263:252): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16188 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000 Jun 15 19:13:29 xplt kernel: [301358.227811] audit: type=1400 audit(1529046809.263:253): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}" Jun 15 19:13:29 xplt kernel: [301358.227844] plugin-containe[16188]: segfault at 0 ip 00007fe5667c66af sp 00007fffe8cc0da8 error 6 in libxul.so[7fe564499000+6111000] Jun 15 19:13:31 xplt kernel: [301360.574177] audit: type=1400 audit(1529046811.608:254): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16192 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000 Jun 15 19:13:31 xplt kernel: [301360.574326] audit: type=1400 audit(1529046811.608:255): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}" Jun 15 19:13:31 xplt kernel: [301360.574352] plugin-containe[16192]: segfault at 0 ip 00007f83507606af sp 00007ffdb3d22f08 error 6 in libxul.so[7f834e433000+6111000] Jun 15 19:13:35 xplt kernel: [301364.313727] audit: type=1400 audit(1529046815.349:256): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16206 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000 Jun 15 19:13:35 xplt kernel: [301364.313896] audit: type=1400 audit(1529046815.349:257): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}" Jun 15 19:13:35 xplt kernel: [301364.313967] plugin-containe[16206]: segfault at 0 ip 00007f5ff6f746af sp 00007fff60c9c768 error 6 in libxul.so[7f5ff4c47000+6111000] Jun 15 19:13:35 xplt /usr/lib/gdm3/gdm-x-session[6549]: message repeated 3 times: [ ###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv] If I run Firefox from the snap (rev 60.0.2-1) there's no problem. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1777070/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
