[apparmor] [Bug 1777070] Re: firefox plugin libwidevinecdm.so crashes due to apparmor denial

Sun Oct 25 12:15:32 UTC 2020

I got it working by adding the 2 lines at the end of the
/etc/apparmor.d/usr.bin.firefox just before the closing brack "}".
Without these lines, I had to use another workaround by disabling
Apparmor completely on Firefox with a command like "sudo aa-complain
/usr/lib/firefox/firefox" or using the official Firefox binary from
Mozilla instead of the Ubuntu package.

I saw Daniel wrote "this is not a great way of working (malware could
write to that location and then load in code)" but do you have an idea
how to make it more secure?

When will the fix be added officially to the Firefox Apparmor profile?

-- 
You received this bug notification because you are a member of AppArmor
Developers, which is subscribed to a duplicate bug report (1859361).
https://bugs.launchpad.net/bugs/1777070

Title:
  firefox plugin libwidevinecdm.so crashes due to apparmor denial

Status in apparmor package in Ubuntu:
  Confirmed
Status in firefox package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu 18.04, Firefox 60.0.1+build2-0ubuntu0.18.04.1

  Running firefix, then going to netflix.com and attempting to play a
  movie.  The widevinecdm plugin crashes, the following is found in
  syslog:

  Jun 15 19:13:22 xplt kernel: [301351.553043] audit: type=1400 audit(1529046802.585:246): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16118 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
  Jun 15 19:13:22 xplt kernel: [301351.553236] audit: type=1400 audit(1529046802.585:247): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
  Jun 15 19:13:22 xplt kernel: [301351.553259] plugin-containe[16118]: segfault at 0 ip 00007fcdfdaa76af sp 00007ffc1ff03e28 error 6 in libxul.so[7fcdfb77a000+6111000]
  Jun 15 19:13:22 xplt snmpd[2334]: error on subcontainer 'ia_addr' insert (-1)
  Jun 15 19:13:22 xplt /usr/lib/gdm3/gdm-x-session[6549]: ###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv
  Jun 15 19:13:24 xplt kernel: [301353.960182] audit: type=1400 audit(1529046804.994:248): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16135 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
  Jun 15 19:13:24 xplt kernel: [301353.960373] audit: type=1400 audit(1529046804.994:249): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
  Jun 15 19:13:24 xplt kernel: [301353.960398] plugin-containe[16135]: segfault at 0 ip 00007fe3b57f46af sp 00007ffe6dc0b488 error 6 in libxul.so[7fe3b34c7000+6111000]
  Jun 15 19:13:28 xplt kernel: [301357.859177] audit: type=1400 audit(1529046808.895:250): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16139 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
  Jun 15 19:13:28 xplt kernel: [301357.859328] audit: type=1400 audit(1529046808.895:251): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
  Jun 15 19:13:28 xplt kernel: [301357.859349] plugin-containe[16139]: segfault at 0 ip 00007fcf32ae06af sp 00007ffeb8a136c8 error 6 in libxul.so[7fcf307b3000+6111000]
  Jun 15 19:13:25 xplt /usr/lib/gdm3/gdm-x-session[6549]: ###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv
  Jun 15 19:13:29 xplt /usr/lib/gdm3/gdm-x-session[6549]: ERROR block_reap:328: [hamster] bad exit code 1
  Jun 15 19:13:29 xplt /usr/lib/gdm3/gdm-x-session[6549]: ###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv
  Jun 15 19:13:29 xplt kernel: [301358.227635] audit: type=1400 audit(1529046809.263:252): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16188 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
  Jun 15 19:13:29 xplt kernel: [301358.227811] audit: type=1400 audit(1529046809.263:253): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
  Jun 15 19:13:29 xplt kernel: [301358.227844] plugin-containe[16188]: segfault at 0 ip 00007fe5667c66af sp 00007fffe8cc0da8 error 6 in libxul.so[7fe564499000+6111000]
  Jun 15 19:13:31 xplt kernel: [301360.574177] audit: type=1400 audit(1529046811.608:254): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16192 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
  Jun 15 19:13:31 xplt kernel: [301360.574326] audit: type=1400 audit(1529046811.608:255): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
  Jun 15 19:13:31 xplt kernel: [301360.574352] plugin-containe[16192]: segfault at 0 ip 00007f83507606af sp 00007ffdb3d22f08 error 6 in libxul.so[7f834e433000+6111000]
  Jun 15 19:13:35 xplt kernel: [301364.313727] audit: type=1400 audit(1529046815.349:256): apparmor="DENIED" operation="file_mmap" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so" pid=16206 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
  Jun 15 19:13:35 xplt kernel: [301364.313896] audit: type=1400 audit(1529046815.349:257): apparmor="DENIED" operation="ptrace" profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" requested_mask="trace" denied_mask="trace" peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
  Jun 15 19:13:35 xplt kernel: [301364.313967] plugin-containe[16206]: segfault at 0 ip 00007f5ff6f746af sp 00007fff60c9c768 error 6 in libxul.so[7f5ff4c47000+6111000]
  Jun 15 19:13:35 xplt /usr/lib/gdm3/gdm-x-session[6549]: message repeated 3 times: [ ###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv]

  If I run Firefox from the snap (rev 60.0.2-1) there's no problem.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1777070/+subscriptions