Ubuntu
firefox package

Widevine violates the sandbox and crashes

Bug #1945100 reported by Marcos Alano
34
This bug affects 5 people
Affects Status Importance Assigned to Milestone
Mozilla Firefox
Fix Released
Unknown
firefox (Ubuntu)
Fix Released
High
Olivier Tilloy

Bug Description

I just updated for Impish Indri beta release but Firefox's Widevine is always crashing. When I disable the GMP sandbox (setting the environment variable MOZ_DISABLE_GMP_SANDBOX to 1) it works fine. I'm using Firefox 92.0.1 installed via .deb package.

Here is some console logs showing the violations:

➜ firefox --ProfileManager
Gtk-Message: 09:58:02.539: Failed to load module "appmenu-gtk-module"

###!!! [Child][RunMessage] Error: Channel closing: too late to send/recv, messages will be lost

Gtk-Message: 09:58:10.435: Failed to load module "appmenu-gtk-module"
Sandbox: attempt to open unexpected file /usr/lib/firefox/librt.so.1
Sandbox: attempt to open unexpected file /lib/x86_64-linux-gnu/librt.so.1
Sandbox: attempt to open unexpected file /lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v3/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v2/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /lib/x86_64-linux-gnu/tls/haswell/x86_64/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /lib/x86_64-linux-gnu/tls/haswell/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /lib/x86_64-linux-gnu/tls/x86_64/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /lib/x86_64-linux-gnu/tls/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /lib/x86_64-linux-gnu/haswell/x86_64/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /lib/x86_64-linux-gnu/haswell/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /lib/x86_64-linux-gnu/x86_64/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /lib/x86_64-linux-gnu/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /usr/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v3/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /usr/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v2/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /usr/lib/x86_64-linux-gnu/tls/haswell/x86_64/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /usr/lib/x86_64-linux-gnu/tls/haswell/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /usr/lib/x86_64-linux-gnu/tls/x86_64/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /usr/lib/x86_64-linux-gnu/tls/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /usr/lib/x86_64-linux-gnu/haswell/x86_64/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /usr/lib/x86_64-linux-gnu/haswell/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /usr/lib/x86_64-linux-gnu/x86_64/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /usr/lib/x86_64-linux-gnu/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /lib/glibc-hwcaps/x86-64-v3/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /lib/glibc-hwcaps/x86-64-v2/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /lib/tls/haswell/x86_64/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /lib/tls/haswell/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /lib/tls/x86_64/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /lib/tls/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /lib/haswell/x86_64/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /lib/haswell/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /lib/x86_64/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /lib/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /usr/lib/glibc-hwcaps/x86-64-v3/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /usr/lib/glibc-hwcaps/x86-64-v2/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /usr/lib/tls/haswell/x86_64/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /usr/lib/tls/haswell/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /usr/lib/tls/x86_64/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /usr/lib/tls/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /usr/lib/haswell/x86_64/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /usr/lib/haswell/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /usr/lib/x86_64/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.
Sandbox: attempt to open unexpected file /usr/lib/librt.so.1
Sandbox: seccomp sandbox violation: pid 24799, tid 24799, syscall 262, args 4294967196 140721817045120 140721817045312 0 4294967295 140721817045120.

###!!! [Parent][MessageChannel::Call] Error: Channel error: cannot send/recv

###!!! [Parent][RunMessage] Error: Channel closing: too late to send/recv, messages will be lost

Sandbox: Unexpected EOF, op 0 flags 00 path /proc/cpuinfo

See original description
Revision history for this message
In , Z-alex-6 (z-alex-6) wrote :

Created attachment 9236331
Screenshot-20210814154906-1239x1047.png

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0

Steps to reproduce:

Log in to https://open.spotify.com/

Actual results:

The bar at the top of the page says "WidevineCDM plugin has crashed."

Expected results:

Spotify is able to play music.

Revision history for this message
In , Z-alex-6 (z-alex-6) wrote :

The crash report: https://crash-stats.mozilla.org/report/index/92723eb0-d1ee-4725-9292-1f8b60210814

Revision history for this message
In , Z-alex-6 (z-alex-6) wrote :

I installed Firefox as a Flatpak -- and this version does not crash in the same environment.
Firefox 91.0 (64-bit) mozilla-flatpak - 1.0
Widevine 4.10.2209.1

Revision history for this message
In , Z-alex-6 (z-alex-6) wrote :

The crashing version is the same 91 64-bit and with the same Widevine 4.10.2209.1 just installed natively from Fedora package repository.

Revision history for this message
In , Z-alex-6 (z-alex-6) wrote :

I also tried this in a fresh clean profile in non-flatpak Firefox -- still crashes.

Revision history for this message
In , Motoskov (motoskov) wrote :
Download full text (6.9 KiB)

Have the same issue on Fedora 35.
Running with MOZ_DISABLE_GMP_SANDBOX=1 solves the issue.
See below some sandbox related logs before crash:
Aug 16 10:43:07 dragonfly firefox-wayland.desktop[7487]: Sandbox: attempt to open unexpected file /usr/lib64/firefox/libdl.so.2
Aug 16 10:43:07 dragonfly firefox-wayland.desktop[7487]: Sandbox: attempt to open unexpected file /lib64/libdl.so.2
Aug 16 10:43:07 dragonfly firefox-wayland.desktop[7487]: Sandbox: attempt to open unexpected file /lib64/glibc-hwcaps/x86-64-v3/libdl.so.2
Aug 16 10:43:07 dragonfly firefox-wayland.desktop[7487]: Sandbox: seccomp sandbox violation: pid 7487, tid 7487, syscall 262, args 4294967196 140737200729248 140737200729440 0 4294967295 140737200729248.
Aug 16 10:43:07 dragonfly firefox-wayland.desktop[7487]: Sandbox: attempt to open unexpected file /lib64/glibc-hwcaps/x86-64-v2/libdl.so.2
Aug 16 10:43:07 dragonfly firefox-wayland.desktop[7487]: Sandbox: seccomp sandbox violation: pid 7487, tid 7487, syscall 262, args 4294967196 140737200729248 140737200729440 0 4294967295 140737200729248.
Aug 16 10:43:07 dragonfly firefox-wayland.desktop[7487]: Sandbox: attempt to open unexpected file /lib64/tls/haswell/x86_64/libdl.so.2
Aug 16 10:43:07 dragonfly firefox-wayland.desktop[7487]: Sandbox: seccomp sandbox violation: pid 7487, tid 7487, syscall 262, args 4294967196 140737200729248 140737200729440 0 4294967295 140737200729248.
Aug 16 10:43:07 dragonfly firefox-wayland.desktop[7487]: Sandbox: attempt to open unexpected file /lib64/tls/haswell/libdl.so.2
Aug 16 10:43:07 dragonfly firefox-wayland.desktop[7487]: Sandbox: seccomp sandbox violation: pid 7487, tid 7487, syscall 262, args 4294967196 140737200729248 140737200729440 0 4294967295 140737200729248.
Aug 16 10:43:07 dragonfly firefox-wayland.desktop[7487]: Sandbox: attempt to open unexpected file /lib64/tls/x86_64/libdl.so.2
Aug 16 10:43:07 dragonfly firefox-wayland.desktop[7487]: Sandbox: seccomp sandbox violation: pid 7487, tid 7487, syscall 262, args 4294967196 140737200729248 140737200729440 0 4294967295 140737200729248.
Aug 16 10:43:07 dragonfly firefox-wayland.desktop[7487]: Sandbox: attempt to open unexpected file /lib64/tls/libdl.so.2
Aug 16 10:43:07 dragonfly firefox-wayland.desktop[7487]: Sandbox: seccomp sandbox violation: pid 7487, tid 7487, syscall 262, args 4294967196 140737200729248 140737200729440 0 4294967295 140737200729248.
Aug 16 10:43:07 dragonfly firefox-wayland.desktop[7487]: Sandbox: attempt to open unexpected file /lib64/haswell/x86_64/libdl.so.2
Aug 16 10:43:07 dragonfly firefox-wayland.desktop[7487]: Sandbox: seccomp sandbox violation: pid 7487, tid 7487, syscall 262, args 4294967196 140737200729248 140737200729440 0 4294967295 140737200729248.
Aug 16 10:43:07 dragonfly firefox-wayland.desktop[7487]: Sandbox: attempt to open unexpected file /lib64/haswell/libdl.so.2
Aug 16 10:43:07 dragonfly firefox-wayland.desktop[7487]: Sandbox: seccomp sandbox violation: pid 7487, tid 7487, syscall 262, args 4294967196 140737200729248 140737200729440 0 4294967295 140737200729248.
Aug 16 10:43:07 dragonfly firefox-wayland.desktop[7487]: Sandbox: attempt to open unexpected file /lib64/x86_64/libdl.so.2
Aug 16 10:43:07 d...

Read more...

Revision history for this message
In , Bvandyk-0 (bvandyk-0) wrote :

Thanks for the report and the follow up. Alex, could you check if disabling the GMP sandbox, as in comment 5, also helps your case?

---

Comment 5 points to syscall 262 causing issues. syscall 262 looks to be `newfstatat`. Looks like bug 1673770 is some prior art in this area.

Revision history for this message
In , Bvandyk-0 (bvandyk-0) wrote :

:jld, do you have any thoughts as to what needs to be fixed here?

Revision history for this message
In , Z-alex-6 (z-alex-6) wrote :

Yes, confirming that setting MOZ_DISABLE_GMP_SANDBOX=1 the environment solves it for me.

Revision history for this message
In , Jed Davis (jld-moz) wrote :

(In reply to Andrey from comment #5)
> Aug 16 10:43:07 dragonfly firefox-wayland.desktop[7487]: Sandbox: attempt to open unexpected file /usr/lib64/firefox/libdl.so.2
> Aug 16 10:43:07 dragonfly firefox-wayland.desktop[7487]: Sandbox: attempt to open unexpected file /lib64/libdl.so.2
> Aug 16 10:43:07 dragonfly firefox-wayland.desktop[7487]: Sandbox: attempt to open unexpected file /lib64/glibc-hwcaps/x86-64-v3/libdl.so.2

This looks like the dynamic loader trying to resolve `libdl.so.2`; a copy of `libwidevinecdm.so` I have locally (version `4.10.2209.1` if it matters) depends on it. But, the `libxul.so` from my Firefox build also depends on it, and so does the one in Fedora's package, so it should already be loaded. There's something odd going on here.

Revision history for this message
In , Motoskov (motoskov) wrote :

I have opened bug for Fedora too (for tracking).
Please find backtrace of the crash here: https://bugzilla.redhat.com/show_bug.cgi?id=1993821#c1

Revision history for this message
In , Motoskov (motoskov) wrote :

(In reply to Jed Davis [:jld] ⟨⏰|UTC-6⟩ ⟦he/him⟧ from comment #9)
> (In reply to Andrey from comment #5)
> > Aug 16 10:43:07 dragonfly firefox-wayland.desktop[7487]: Sandbox: attempt to open unexpected file /usr/lib64/firefox/libdl.so.2
> > Aug 16 10:43:07 dragonfly firefox-wayland.desktop[7487]: Sandbox: attempt to open unexpected file /lib64/libdl.so.2
> > Aug 16 10:43:07 dragonfly firefox-wayland.desktop[7487]: Sandbox: attempt to open unexpected file /lib64/glibc-hwcaps/x86-64-v3/libdl.so.2
>
> This looks like the dynamic loader trying to resolve `libdl.so.2`; a copy of `libwidevinecdm.so` I have locally (version `4.10.2209.1` if it matters) depends on it. But, the `libxul.so` from my Firefox build also depends on it, and so does the one in Fedora's package, so it should already be loaded. There's something odd going on here.

On Fedora 35 `libxul.so` has **no** `libdl.so.2` dependency. And no any other binary obj in /usr/lib64/firefox :
```
$ ldd /home/()/.mozilla/firefox/()/gmp-widevinecdm/4.10.2209.1/libwidevinecdm.so |grep libdl
 libdl.so.2 => /lib64/libdl.so.2 (0x00007f7c749a0000)
$ ldd /usr/lib64/firefox/libxul.so |grep libdl
$
$ ldd /usr/lib64/firefox/firefox-bin |grep libdl
$
$ find /usr/lib64/firefox/ -name *.so -exec ldd {} \; | grep libdl
$
```

Revision history for this message
In , Jed Davis (jld-moz) wrote :

(In reply to Andrey from comment #11)
> On Fedora 35 `libxul.so` has **no** `libdl.so.2` dependency. And no any other binary obj in /usr/lib64/firefox :

Thanks for the correction. I was looking at a package from the wrong version of Fedora. Now things make sense: [glibc 2.34 moved `dlopen` et al. into libc][0c1c] and left `libdl` as a stub for compatibility, which explains why Firefox (and NSPR and so on) don't depend on it anymore when they're built for Fedora ≥35. This should be a one-line fix.

If anyone needs a workaround, Mozilla's builds of Firefox should still work.

[0c1c]: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=0c1c3a771eceec46e66ce1183cf988e2303bd373

Revision history for this message
In , Jed Davis (jld-moz) wrote :

Created attachment 9237836
Bug 1725828 - Preload dependencies for the Widevine CDM when sandboxing it on Linux.

Revision history for this message
In , Pulsebot (pulsebot) wrote :

Pushed by <email address hidden>:
https://hg.mozilla.org/integration/autoland/rev/49bf466c3f24
Preload dependencies for the Widevine CDM when sandboxing it on Linux. r=bryce

Revision history for this message
In , Smolnar (smolnar) wrote :

https://hg.mozilla.org/mozilla-central/rev/49bf466c3f24

Revision history for this message
In , Bvandyk-0 (bvandyk-0) wrote :

*** Bug 1730082 has been marked as a duplicate of this bug. ***

Revision history for this message
Marcos Alano (mhalano) wrote :
Download full text (5.2 KiB)

If I download Firefox and execute it, I get a new set of messages about sandboxing, but worked this time. I used Firefox 92.0.1 in this test.
➜ ./firefox
Gtk-Message: 10:09:32.479: Failed to load module "appmenu-gtk-module"

###!!! [Child][RunMessage] Error: Channel closing: too late to send/recv, messages will be lost

Gtk-Message: 10:09:44.730: Failed to load module "appmenu-gtk-module"
Sandbox: attempt to open unexpected file /proc/net/unix
Sandbox: attempt to open unexpected file /proc/self/maps
Sandbox: attempt to open unexpected file /proc/self/maps
Sandbox: attempt to open unexpected file /proc/net/unix
Sandbox: attempt to open unexpected file /proc/net/unix
Sandbox: attempt to open unexpected file /proc/net/unix
Sandbox: attempt to open unexpected file /proc/net/unix
Sandbox: attempt to open unexpected file /proc/net/unix
Sandbox: attempt to open unexpected file /proc/net/unix
Sandbox: attempt to open unexpected file /proc/self/maps
Sandbox: attempt to open unexpected file /proc/net/unix
Sandbox: attempt to open unexpected file /proc/self/maps
Sandbox: attempt to open unexpected file /proc/net/unix
Sandbox: attempt to open unexpected file /proc/net/unix
Sandbox: attempt to open unexpected file /proc/self/maps
Sandbox: attempt to open unexpected file /proc/self/maps
Sandbox: attempt to open unexpected file /proc/net/unix
Sandbox: attempt to open unexpected file /proc/self/maps
Sandbox: attempt to open unexpected file /proc/net/unix
Sandbox: attempt to open unexpected file /proc/net/unix
Sandbox: attempt to open unexpected file /proc/self/maps
Sandbox: attempt to open unexpected file /proc/net/unix
Sandbox: attempt to open unexpected file /proc/self/maps
Sandbox: attempt to open unexpected file /proc/self/maps
Sandbox: attempt to open unexpected file /proc/self/maps
Sandbox: attempt to open unexpected file /proc/self/maps
Sandbox: attempt to open unexpected file /proc/self/maps
Sandbox: attempt to open unexpected file /proc/self/maps
Sandbox: attempt to open unexpected file /proc/self/maps
Sandbox: attempt to open unexpected file /proc/net/unix
Sandbox: attempt to open unexpected file /proc/net/unix
Sandbox: attempt to open unexpected file /proc/self/maps
Sandbox: attempt to open unexpected file /proc/self/maps
Sandbox: attempt to open unexpected file /proc/self/maps
Sandbox: attempt to open unexpected file /proc/net/unix
Sandbox: attempt to open unexpected file /proc/self/maps
Sandbox: attempt to open unexpected file /proc/net/unix
Sandbox: attempt to open unexpected file /proc/net/unix
Sandbox: attempt to open unexpected file /proc/net/unix
Sandbox: attempt to open unexpected file /proc/self/maps
Sandbox: attempt to open unexpected file /proc/self/maps
Sandbox: attempt to open unexpected file /proc/self/maps
Sandbox: attempt to open unexpected file /proc/self/maps
Sandbox: attempt to open unexpected file /proc/self/maps
Sandbox: attempt to open unexpected file /proc/self/maps
Sandbox: attempt to open unexpected file /proc/self/maps
Sandbox: attempt to open unexpected file /proc/self/maps
Sandbox: attempt to open unexpected file /proc/self/maps
Sandbox: attempt to open unexpected file /proc/self/maps
Sandbox: attempt to open unexp...

Read more...

Revision history for this message
Marcos Alano (mhalano) wrote :

To disable the sandbox I use procedure detailed by Mozilla, set the environment variable MOZ_DISABLE_GMP_SANDBOX with value equals to 1.

description: updated
Revision history for this message
Marcos Alano (mhalano) wrote :

BTW, I'm using this website to check if works or crashes: https://bitmovin.com/demos/drm. it's faster than log in to a streaming service like Netflix to do a test.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in firefox (Ubuntu):
status: New → Confirmed
Revision history for this message
Horst Schirmeier (horst) wrote :

Still broken in firefox 93.0+build1-0ubuntu2 (Impish).

Revision history for this message
Olivier Tilloy (osomon) wrote :

I can observe the same problem with the firefox deb in a clean impish VM. Crash filed upstream: https://crash-stats.mozilla.org/report/index/88a7fb8c-ed47-4b0d-aff4-bd6d30211006.

As a comparison point, the firefox snap (when running on impish) doesn't appear to be affected.

Revision history for this message
Olivier Tilloy (osomon) wrote :

Upstream builds are not affected either, so this is specific to the deb build in impish (I tested other releases − bionic, focal, hirsute − and they aren't affected).

Revision history for this message
Olivier Tilloy (osomon) wrote :

This is very probably https://bugzilla.mozilla.org/show_bug.cgi?id=1725828.

Changed in firefox (Ubuntu):
importance: Undecided → High
assignee: nobody → Olivier Tilloy (osomon)
Bug Watch Updater (bug-watch-updater)
Changed in firefox:
status: Unknown → Fix Released
Revision history for this message
Olivier Tilloy (osomon) wrote :

Fixed with https://bazaar.launchpad.net/~mozillateam/firefox/firefox.impish/revision/1532.

Changed in firefox (Ubuntu):
status: Confirmed → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package firefox - 93.0+build1-0ubuntu3

---------------
firefox (93.0+build1-0ubuntu3) impish; urgency=medium

  * Cherry-pick an upstream patch to fix Widevine CDM crashes on impish
    (LP: #1945100)
    - debian/patches/upstream-49bf466c3f24.patch

 -- Olivier Tilloy <email address hidden> Wed, 06 Oct 2021 17:40:06 +0200

Changed in firefox (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
In , Jed Davis (jld-moz) wrote :

Comment on attachment 9237836
Bug 1725828 - Preload dependencies for the Widevine CDM when sandboxing it on Linux.

### ESR Uplift Approval Request
* **If this is not a sec:{high,crit} bug, please state case for ESR consideration**: Widevine EME and H.264 WebRTC may be broken depending on how Firefox is built.
* **User impact if declined**: This doesn't affect Mozilla's builds and probably won't affect them for some time, but downstream builds (already on some Linux distributions, and probably more and more in the future) won't be able to use the Widevine plugin for EME or OpenH264 for WebRTC.
* **Fix Landed on Version**: 94
* **Risk to taking this patch**: Low
* **Why is the change risky/not risky? (and alternatives if risky)**: We just preload some libraries which are normally already loaded; the patch is small and should have no effect on builds that weren't affected by this bug (like Mozilla's).

One alternative is to require downstream distributions to apply the patch themselves if they intend to build ESR91 with a recent glibc, but as far as I know there's no good way to communicate that to everyone who needs to hear it, and failures are likely to result in more bug reports for us.
* **String or UUID changes made by this patch**: none

Revision history for this message
In , Ryanvm (ryanvm) wrote :

Comment on attachment 9237836
Bug 1725828 - Preload dependencies for the Widevine CDM when sandboxing it on Linux.

Approved for 91.3esr.

Revision history for this message
In , Ryanvm (ryanvm) wrote :

https://hg.mozilla.org/releases/mozilla-esr91/rev/f6e36e1fb791

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Duplicates of this bug

Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.