[GH-ISSUE #3681] Widevine/DRM broken with firejail 0.9.64 in browsers #2318

Closed
opened 2026-05-05 09:00:33 -06:00 by gitea-mirror · 10 comments
Originally created by @cjsthompson on GitHub (Oct 20, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3681

Widevine (Netflix) no longer works with Brave (1.15.75) after upgrading to firejail 0.9.64rc1-2 (Arch Linux). Works fine when starting Brave without firejail or with `firejail --noprofile /usr/bin/brave`.

```
[242:1:1020/162026.705732:ERROR:cdm_module.cc(139)] CDM at /home/bla/.config/BraveSoftware/Brave-Browser/WidevineCdm/_platform_specific/linux_x64/libwidevinecdm.so could not be loaded.
[242:1:1020/162026.705998:ERROR:cdm_module.cc(140)] Error: /home/bla/.config/BraveSoftware/Brave-Browser/WidevineCdm/_platform_specific/linux_x64/libwidevinecdm.so: cannot open shared object file: Operation not permitted
```

@SkewedZeppelin commented on GitHub (Oct 20, 2020):

Do you have `browser-allow-drm yes` in your `/etc/firejail/firejail.config`?


@cjsthompson commented on GitHub (Oct 20, 2020):

Nope, and enabling that fixes the problem. Thanks for the hint.


@rusty-snake commented on GitHub (Oct 20, 2020):

FYI: https://github.com/netblue30/firejail/pull/3390


@cjsthompson commented on GitHub (Oct 20, 2020):

That explains why it was working until I upgraded I guess.


@toby63 commented on GitHub (Sep 3, 2021):

Is it also possible to activate this via a command flag?
(e.g. `firejail --browser-allow-drm PROGRAM`)


@rusty-snake commented on GitHub (Sep 3, 2021):

```console
$ grep BROWSER_ALLOW_DRM /etc/firejail/*.profile
/etc/firejail/chromium-common.profile:?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
/etc/firejail/ephemeral.profile:?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
/etc/firejail/firefox-common.profile:?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
/etc/firejail/midori.profile:?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
/etc/firejail/otter-browser.profile:?BROWSER_ALLOW_DRM: ignore noexec ${HOME}
$ firejail --ignore='noexec ${HOME}' firefox
```
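
The check discussed above, as an added example that is not part of the thread or of the firejail project: it reads a `firejail.config` for `browser-allow-drm` and lists the profiles whose `?BROWSER_ALLOW_DRM:` conditional would then drop `noexec ${HOME}`. The sample files are constructed, the `example-*.profile` names are hypothetical, and treating an absent setting as `no` with the last uncommented line winning is an assumption.

```shell
#!/bin/sh
# Added example: audit firejail's DRM exception. File contents are constructed.

# drm_setting CONFIG -> "yes" or "no".
# Assumptions: an absent setting means "no"; the last uncommented line wins.
drm_setting() {
    awk '
        $1 ~ /^#/ { next }                       # commented-out setting
        $1 == "browser-allow-drm" { v = $2 }
        END { print (v == "yes" ? "yes" : "no") }
    ' "$1"
}

# drm_profiles DIR -> names of profiles carrying the active conditional line.
drm_profiles() {
    grep -l '^?BROWSER_ALLOW_DRM:[[:space:]]*ignore noexec \${HOME}' \
        "$1"/*.profile 2>/dev/null | sed 's|.*/||' | sort
}

# drm_report CONFIG DIR -> one line per profile with the effect on ${HOME}.
drm_report() {
    state=$(drm_setting "$1")
    drm_profiles "$2" | while IFS= read -r p; do
        if [ "$state" = yes ]; then
            echo "$p: noexec \${HOME} is ignored, home is exec"
        else
            echo "$p: conditional inactive, noexec \${HOME} stays"
        fi
    done
}

# make_sample DIR: constructed config and profiles (example-* are hypothetical).
make_sample() {
    mkdir -p "$1/profiles"
    printf '%s\n' '# browser-allow-drm no' 'browser-allow-drm yes' \
        > "$1/firejail.config"
    printf '%s\n' '?BROWSER_ALLOW_DRM: ignore noexec ${HOME}' \
        > "$1/profiles/firefox-common.profile"
    printf '%s\n' '#?BROWSER_ALLOW_DRM: ignore noexec ${HOME}' \
        > "$1/profiles/example-commented.profile"
    printf '%s\n' 'noexec ${HOME}' > "$1/profiles/example-plain.profile"
}

demo() {
    d=$(mktemp -d) && make_sample "$d" &&
        drm_report "$d/firejail.config" "$d/profiles"
    rm -rf "$d"
}
demo
```

On a real system the call would be `drm_report /etc/firejail/firejail.config /etc/firejail`; an `--ignore='noexec ${HOME}'` passed on the command line is not visible to this check.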

@toby63 commented on GitHub (Sep 3, 2021):

Interesting, thx.
Do I interpret this correctly that the DRM plugin wants to take a look in my home folder?


@rusty-snake commented on GitHub (Sep 3, 2021):

It will get installed in your home folder, therefore you need to mount it `exec`.


@toby63 commented on GitHub (Sep 3, 2021):

> It will get installed in your home folder, therefore you need to mount it `exec`.

I see, and I guess it can't be further limited?


@rusty-snake commented on GitHub (Sep 3, 2021):

Actually you could `noexec` every directory in `firejail --ignore=private-bin --profile=firefox ls -a $HOME` except for `.mozilla`, however a `mkdir $HOME/this_dir_is_exec` inside the sandbox is possible.
