I got it working by adding the 2 lines at the end of the
/etc/apparmor.d/usr.bin.firefox just before the closing bracket "}".
Without these lines, I had to use another workaround by disabling
AppArmor completely on Firefox with a command like "sudo aa-complain
/usr/lib/firefox/firefox" or using the official Firefox binary from
Mozilla instead of the Ubuntu package.

I saw Daniel wrote "this is not a great way of working (malware could
write to that location and then load in code)" but do you have an idea
how to make it more secure?

When will the fix be added officially to the Firefox AppArmor profile?

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1777070

Title:
  firefox plugin libwidevinecdm.so crashes due to apparmor denial

Status in apparmor package in Ubuntu:
  Confirmed
Status in firefox package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu 18.04, Firefox 60.0.1+build2-0ubuntu0.18.04.1

  Running Firefox, then going to netflix.com and attempting to play a
  movie.  The widevinecdm plugin crashes, the following is found in
  syslog:

  
  Jun 15 19:13:22 xplt kernel: [301351.553043] audit: type=1400 
audit(1529046802.585:246): apparmor="DENIED" operation="file_mmap" 
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" 
name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so"
 pid=16118 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 
ouid=1000
  Jun 15 19:13:22 xplt kernel: [301351.553236] audit: type=1400 
audit(1529046802.585:247): apparmor="DENIED" operation="ptrace" 
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" 
requested_mask="trace" denied_mask="trace" 
peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
  Jun 15 19:13:22 xplt kernel: [301351.553259] plugin-containe[16118]: segfault 
at 0 ip 00007fcdfdaa76af sp 00007ffc1ff03e28 error 6 in 
libxul.so[7fcdfb77a000+6111000]
  Jun 15 19:13:22 xplt snmpd[2334]: error on subcontainer 'ia_addr' insert (-1)
  Jun 15 19:13:22 xplt /usr/lib/gdm3/gdm-x-session[6549]: ###!!! 
[Parent][MessageChannel::Call] Error: Channel error: cannot send/recv
  Jun 15 19:13:24 xplt kernel: [301353.960182] audit: type=1400 
audit(1529046804.994:248): apparmor="DENIED" operation="file_mmap" 
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" 
name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so"
 pid=16135 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 
ouid=1000
  Jun 15 19:13:24 xplt kernel: [301353.960373] audit: type=1400 
audit(1529046804.994:249): apparmor="DENIED" operation="ptrace" 
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" 
requested_mask="trace" denied_mask="trace" 
peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
  Jun 15 19:13:24 xplt kernel: [301353.960398] plugin-containe[16135]: segfault 
at 0 ip 00007fe3b57f46af sp 00007ffe6dc0b488 error 6 in 
libxul.so[7fe3b34c7000+6111000]
  Jun 15 19:13:28 xplt kernel: [301357.859177] audit: type=1400 
audit(1529046808.895:250): apparmor="DENIED" operation="file_mmap" 
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" 
name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so"
 pid=16139 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 
ouid=1000
  Jun 15 19:13:28 xplt kernel: [301357.859328] audit: type=1400 
audit(1529046808.895:251): apparmor="DENIED" operation="ptrace" 
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" 
requested_mask="trace" denied_mask="trace" 
peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
  Jun 15 19:13:28 xplt kernel: [301357.859349] plugin-containe[16139]: segfault 
at 0 ip 00007fcf32ae06af sp 00007ffeb8a136c8 error 6 in 
libxul.so[7fcf307b3000+6111000]
  Jun 15 19:13:25 xplt /usr/lib/gdm3/gdm-x-session[6549]: ###!!! 
[Parent][MessageChannel::Call] Error: Channel error: cannot send/recv
  Jun 15 19:13:29 xplt /usr/lib/gdm3/gdm-x-session[6549]: ERROR block_reap:328: 
[hamster] bad exit code 1
  Jun 15 19:13:29 xplt /usr/lib/gdm3/gdm-x-session[6549]: ###!!! 
[Parent][MessageChannel::Call] Error: Channel error: cannot send/recv
  Jun 15 19:13:29 xplt kernel: [301358.227635] audit: type=1400 
audit(1529046809.263:252): apparmor="DENIED" operation="file_mmap" 
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" 
name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so"
 pid=16188 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 
ouid=1000
  Jun 15 19:13:29 xplt kernel: [301358.227811] audit: type=1400 
audit(1529046809.263:253): apparmor="DENIED" operation="ptrace" 
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" 
requested_mask="trace" denied_mask="trace" 
peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
  Jun 15 19:13:29 xplt kernel: [301358.227844] plugin-containe[16188]: segfault 
at 0 ip 00007fe5667c66af sp 00007fffe8cc0da8 error 6 in 
libxul.so[7fe564499000+6111000]
  Jun 15 19:13:31 xplt kernel: [301360.574177] audit: type=1400 
audit(1529046811.608:254): apparmor="DENIED" operation="file_mmap" 
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" 
name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so"
 pid=16192 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 
ouid=1000
  Jun 15 19:13:31 xplt kernel: [301360.574326] audit: type=1400 
audit(1529046811.608:255): apparmor="DENIED" operation="ptrace" 
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" 
requested_mask="trace" denied_mask="trace" 
peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
  Jun 15 19:13:31 xplt kernel: [301360.574352] plugin-containe[16192]: segfault 
at 0 ip 00007f83507606af sp 00007ffdb3d22f08 error 6 in 
libxul.so[7f834e433000+6111000]
  Jun 15 19:13:35 xplt kernel: [301364.313727] audit: type=1400 
audit(1529046815.349:256): apparmor="DENIED" operation="file_mmap" 
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" 
name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so"
 pid=16206 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000 
ouid=1000
  Jun 15 19:13:35 xplt kernel: [301364.313896] audit: type=1400 
audit(1529046815.349:257): apparmor="DENIED" operation="ptrace" 
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox" 
requested_mask="trace" denied_mask="trace" 
peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
  Jun 15 19:13:35 xplt kernel: [301364.313967] plugin-containe[16206]: segfault 
at 0 ip 00007f5ff6f746af sp 00007fff60c9c768 error 6 in 
libxul.so[7f5ff4c47000+6111000]
  Jun 15 19:13:35 xplt /usr/lib/gdm3/gdm-x-session[6549]: message repeated 3 
times: [ ###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot 
send/recv]

  If I run Firefox from the snap (rev 60.0.2-1) there's no problem.
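
A triage sketch for the syslog excerpt above, added here as an example (not code from the bug report or from AppArmor; the function names are illustrative). It re-joins the mail-wrapped lines, collapses the repeated records into distinct denials, and flags requests to map a file executable ("m") when the file is owned by the same uid as the process (ouid == fsuid), the condition behind the quoted concern that malware could write to that location and then load code.

```python
import re
from collections import Counter

# Three records copied from the syslog excerpt above, mail-wrapped as on the page.
SAMPLE = """\
  Jun 15 19:13:22 xplt kernel: [301351.553043] audit: type=1400
audit(1529046802.585:246): apparmor="DENIED" operation="file_mmap"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so"
 pid=16118 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000
ouid=1000
  Jun 15 19:13:22 xplt kernel: [301351.553236] audit: type=1400
audit(1529046802.585:247): apparmor="DENIED" operation="ptrace"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}" pid=24714 comm="firefox"
requested_mask="trace" denied_mask="trace"
peer="/usr/lib/firefox/firefox{,*[^s][^h]}"
  Jun 15 19:13:24 xplt kernel: [301353.960182] audit: type=1400
audit(1529046804.994:248): apparmor="DENIED" operation="file_mmap"
profile="/usr/lib/firefox/firefox{,*[^s][^h]}"
name="/home/xav/.mozilla/firefox/wiavokxk.default-1510977878171/gmp-widevinecdm/1.4.8.1008/libwidevinecdm.so"
 pid=16135 comm="plugin-containe" requested_mask="m" denied_mask="m" fsuid=1000
ouid=1000
"""

STAMP = re.compile(r"\s*[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")  # syslog timestamp
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')                  # key="v" or key=v

def records(text):
    """Re-join mail-wrapped syslog lines: a new record starts at a timestamp."""
    out = []
    for line in text.splitlines():
        if STAMP.match(line) or not out:
            out.append(line.strip())
        elif line.strip():
            out[-1] += " " + line.strip()
    return out

def summarize(text):
    """Count distinct denials; flag 'm' (executable map) of a file owned by the process's uid."""
    seen = Counter()
    for rec in records(text):
        f = {m[1]: m[2] if m[2] is not None else m[3] for m in FIELD.finditer(rec)}
        if f.get("apparmor") != "DENIED":
            continue
        risky = f["operation"] == "file_mmap" and f.get("ouid") == f.get("fsuid")
        seen[(f["operation"], f["denied_mask"], f.get("name") or f.get("peer"), risky)] += 1
    return seen
```

Each key of the returned counter is (operation, denied mask, target, flagged), so the repeated records in the excerpt reduce to one file_mmap entry and one ptrace entry.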
