vlc: cannot read MakeMKV's libmmbd for BDs decryption

glu8716 commented 6 months ago

Description

MakeMKV provides libmmbd, which is a library for Blurays Discs decryption. It is installed in /usr/lib/libmmbd.so.0. VLC should automatically read it and play the BD, but it doesn't if launched with Firejail.

Steps to Reproduce

Download and install MakeMKV
Open a BD with VLC

Expected behavior

The BD should play.

Actual behavior

The BD doesn't play.

Behavior without a profile

The BD plays.

Environment

Linux distribution and version: Artix
Firejail version: 0.9.73

Checklist

[X] The issues is caused by firejail (i.e. running the program by path (e.g. /usr/bin/vlc) "fixes" it).
[X] I can reproduce the issue without custom modifications (e.g. globals.local).
[X] The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
[X] The profile (and redirect profile if exists) hasn't already been fixed upstream.
[X] I have performed a short search for similar issues (to avoid opening a duplicate).
- [ ] I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
[ ] I used --profile=PROFILENAME to set the right profile. (Only relevant for AppImages)

Log

VLC launched with Firejail

``` Reading profile /etc/firejail/vlc.profile Reading profile /home/freedom/.config/firejail/vlc.local Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-devel.inc Reading profile /etc/firejail/disable-exec.inc Reading profile /etc/firejail/disable-interpreters.inc Reading profile /etc/firejail/disable-programs.inc Reading profile /etc/firejail/whitelist-common.inc Reading profile /etc/firejail/whitelist-player-common.inc Reading profile /etc/firejail/whitelist-run-common.inc Reading profile /etc/firejail/whitelist-runuser-common.inc Reading profile /etc/firejail/whitelist-var-common.inc firejail version 0.9.73 Parent pid 13452, child pid 13456 Warning: NVIDIA card detected, nogroups command ignored 6 programs installed in 4.23 ms Warning: NVIDIA card detected, nogroups command ignored Warning: /sbin directory link was not blacklisted Warning: /usr/sbin directory link was not blacklisted Base filesystem installed in 42.33 ms Warning: NVIDIA card detected, nogroups command ignored Warning: NVIDIA card detected, nogroups command ignored Warning: NVIDIA card detected, nogroups command ignored Child process initialized in 91.01 ms VLC media player 3.0.20 Vetinari (revision 3.0.20-0-g6f0d0ab126b) [000064b0c83c15b0] main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface. [000064b0c849f020] qt interface error: Unable to load extensions module [000064b0c8451530] main playlist: playlist is empty keydbcfg.c:701: No valid AACS configuration files found aacs.c:121: No usable AACS libraries found! dec.c:197: aacs_open() failed: -2! [00007dd6f0001130] libbluray demux: First play: 1, Top menu: 1 HDMV Titles: 6, BD-J Titles: 0, Other: 0 ```

VLC launched withfirejail --noprofile

``` firejail version 0.9.73 Parent pid 13896, child pid 13897 Base filesystem installed in 0.03 ms Child process initialized in 4.24 ms Warning: an existing sandbox was detected. /usr/bin/vlc will run without any additional sandboxing features VLC media player 3.0.20 Vetinari (revision 3.0.20-0-g6f0d0ab126b) [00005d9bca1af5b0] main libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface. [00005d9bca23f530] main playlist: playlist is empty keydbcfg.c:701: No valid AACS configuration files found [00007b1f84001130] libbluray demux: First play: 1, Top menu: 1 HDMV Titles: 6, BD-J Titles: 0, Other: 0 [00007b1f84001130] libbluray demux: Adding ES 4113 select 1 [00007b1f84001130] libbluray demux: Adding ES 4352 select 1 [00005d9bca27ed80] main audio output error: too low audio sample frequency (0) [00007b1f7c0d3860] main decoder error: failed to create audio output [00005d9bca27ed80] vlcpulse audio output error: digital pass-through stream connection failure: Input/Output error [00005d9bca27ed80] main audio output error: module not functional [00007b1f7c0d3860] main decoder error: failed to create audio output [00007b1f60047880] freetype spu text error: LoadFace: Error creating face for /usr/share/fonts/truetype/freefont/FreeSerifBold.ttf - 0 - 2 - 2 [00007b1f60047880] freetype spu text error: Error loading default face libva error: vaGetDriverNames() failed with unknown libva error [00007b1f5c001f30] glconv_vaapi_x11 gl error: vaInitialize: unknown libva error [00007b1f5c001f30] glconv_vaapi_drm gl error: vaInitialize: unknown libva error libva error: vaGetDriverNames() failed with operation failed [00007b1f5c001f30] glconv_vaapi_drm gl error: vaInitialize: operation failed [00007b1f60047880] freetype spu text error: LoadFace: Error creating face for /usr/share/fonts/truetype/freefont/FreeSerifBold.ttf - 0 - 2 - 2 [00007b1f60047880] freetype spu text error: Error loading default face [00007b1f7c005130] avcodec decoder: Using NVIDIA VDPAU Driver Shared Library 550.78 Sun Apr 14 06:21:06 UTC 2024 for hardware decoding [00007b1f7c005130] main decoder error: buffer deadlock prevented [00007b1f84001130] libbluray demux: Reusing ES 4113 [00007b1f84001130] libbluray demux: Reusing ES 4352 [00005d9bca27ed80] main audio output error: too low audio sample frequency (0) [00007b1f7c0d3860] main decoder error: failed to create audio output [00007b1f84001130] libbluray demux: Adding ES 4608 select 0 [00007b1f84001130] libbluray demux: Adding ES 4609 select 0 [00005d9bca27ed80] vlcpulse audio output error: digital pass-through stream connection failure: Input/Output error [00005d9bca27ed80] main audio output error: module not functional [00007b1f7c0d3860] main decoder error: failed to create audio output [00007b1f60047880] freetype spu text error: LoadFace: Error creating face for /usr/share/fonts/truetype/freefont/FreeSerifBold.ttf - 0 - 2 - 2 [00007b1f60047880] freetype spu text error: Error loading default face [00007b1f7c005130] avcodec decoder: Using NVIDIA VDPAU Driver Shared Library 550.78 Sun Apr 14 06:21:06 UTC 2024 for hardware decoding [00007b1f7c005130] avcodec decoder error: hardware acceleration picture allocation failed [h264 @ 0x7b1f3c091c00] get_buffer() failed [h264 @ 0x7b1f3c091c00] thread_get_buffer() failed [h264 @ 0x7b1f3c091c00] decode_slice_header error [00007b1f84001130] libbluray demux: Initializing overlay [00007b1f84001130] libbluray demux: Reusing ES 4113 [00007b1f84001130] libbluray demux error: blurayReleaseVout: subpicture channel exists [00007b1f84001130] libbluray demux: Reusing ES 4352 [00005d9bca27ed80] main audio output error: too low audio sample frequency (0) [00007b1f7c0d3860] main decoder error: failed to create audio output [00007b1f84001130] libbluray demux: Adding ES 4353 select 0 [00007b1f84001130] libbluray demux: Reusing ES 4608 [00007b1f84001130] libbluray demux: Reusing ES 4609 [00005d9bca27ed80] vlcpulse audio output error: digital pass-through stream connection failure: Input/Output error [00005d9bca27ed80] main audio output error: module not functional [00007b1f7c0d3860] main decoder error: failed to create audio output [00007b1f60047880] freetype spu text error: LoadFace: Error creating face for /usr/share/fonts/truetype/freefont/FreeSerifBold.ttf - 0 - 2 - 2 [00007b1f60047880] freetype spu text error: Error loading default face [00007b1f84001130] libbluray demux error: blurayReleaseVout: subpicture channel exists [00007b1f7c005130] avcodec decoder: Using NVIDIA VDPAU Driver Shared Library 550.78 Sun Apr 14 06:21:06 UTC 2024 for hardware decoding [00007b1f84001130] libbluray demux: Reusing ES 4113 [00007b1f84001130] libbluray demux: Reusing ES 4352 [00007b1f84001130] libbluray demux: Reusing ES 4353 [00007b1f84001130] libbluray demux: Reusing ES 4608 [00007b1f84001130] libbluray demux: Reusing ES 4609 [h264 @ 0x7b1f78037a40] co located POCs unavailable [h264 @ 0x7b1f78008840] co located POCs unavailable [h264 @ 0x7b1f78001c00] co located POCs unavailable ```

glitsj16 commented 6 months ago

Never actually used BDs, but VLC probably relies on libbluray to access those. And AFAICT that library needs a java runtime, which the profile blocks by including disable-devel.inc and using a restrictive private-bin.

Have you tried allowing access to java(c) yet? I see you already use a vlc.local, so try adding the below to that:

include allow-java.inc
private-bin java*

PS: anything in your vlc.local that might be relevant to this?

glu8716 commented 6 months ago

I tried to add the two lines but it still won't load the BD. In my .local file I only have the net none option.

glitsj16 commented 6 months ago

Well, that's unfortunate. It might need other stuff in private-bin. I assume you've already tried ignore private-bin to rule that in or out?

Tracking down the culprit option(s) by commenting (=disabling) lines one by one (or in bulk for that matter) does take time, I do realize the pain in that. Yet, as this requires access to bluray hardware (which most if not all collaborators probably don't have) to actually test/reproduce/fix, its your best bet.

I'd start by confirming VLC can do this when sandboxed by running firejail --profile=noprofile /usr/bin/vlc. If that doesn't work it would mean the BD functionality is impossible to sandbox with Firejail. If it does, the detective work can proceed :)

glu8716 commented 6 months ago

Yes, I have tried with ignore private-bin, but it doesn't work. I'll try to disable different lines and see if I can find the culprit.

netblue30 / firejail