> The second rule allows firefox to load and run code from that location.
> But doesn't allow firefox to write to it. So if there is malware [...]
That's correct for the added rule, but the profile also has
owner @{HOME}/.{firefox,mozilla}/** rw,
which means firefox _can_ write to that location.
However, this doesn't make the new rule for @{HOME}/.mozilla/firefox/*/gmp-widevinecdm/*/lib*so m, too bad because the profile also allows m for plugins already.
owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
which already allows running code from more writeable locations.
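The point made above is that AppArmor file permissions accumulate across every rule that matches a path, so a narrow `m` rule sitting under a broad `rw` rule yields a location that is both writable and mappable. The following script is an added illustration and is not part of the thread or of the Firefox profile: it parses a constructed profile excerpt (the rules quoted above plus the proposed widevine rule), resolves `@{HOME}` to an assumed `/home/user`, converts AppArmor globs (`*`, `**`, `?`, `{a,b}`) to regular expressions, and reports the union of permissions a given path ends up with. The `owner` qualifier is ignored, on the assumption that the files belong to the user running firefox; nested braces and globs inside braces are not supported.

```python
import re

# Constructed profile excerpt: the rules discussed in the thread.
PROFILE_RULES = """
owner @{HOME}/.{firefox,mozilla}/** rw,
owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,
owner @{HOME}/.mozilla/firefox/*/gmp-widevinecdm/*/lib*so m,
"""

# Assumption: a single user whose home is /home/user.
VARIABLES = {"@{HOME}": "/home/user"}

# "[owner] <path> <perms>," -- only plain file rules are handled here.
RULE_RE = re.compile(r"^(?:owner\s+)?(\S+)\s+([rwmklixPUCpuc]+),$")


def parse_rules(text):
    """Return a list of (glob pattern, set of permission letters)."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line}")
        rules.append((m.group(1), set(m.group(2))))
    return rules


def glob_to_regex(pattern):
    """Translate an AppArmor path glob into an anchored regex.

    '*' matches within one path component, '**' crosses '/', '?' is one
    character, '{a,b}' is an alternation (no nesting, no globs inside).
    """
    for name, value in VARIABLES.items():
        pattern = pattern.replace(name, value)
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = pattern[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        elif c == "{":
            j = pattern.index("}", i)
            alts = pattern[i + 1:j].split(",")
            out.append("(?:" + "|".join(re.escape(a) for a in alts) + ")")
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def effective_perms(rules, path):
    """Union of permissions from every rule matching `path`, plus those rules."""
    perms, matched = set(), []
    for pattern, p in rules:
        if glob_to_regex(pattern).match(path):
            perms |= p
            matched.append(pattern)
    return perms, matched


def write_and_map_conflicts(rules, paths):
    """Paths where the profile grants both 'w' and 'm' on the same file."""
    return [p for p in paths if {"w", "m"} <= effective_perms(rules, p)[0]]


if __name__ == "__main__":
    rules = parse_rules(PROFILE_RULES)
    sample_paths = [  # constructed paths, not from a real system
        "/home/user/.mozilla/firefox/abc.default/gmp-widevinecdm/4.10.2/libwidevinecdm.so",
        "/home/user/.mozilla/plugins/libexample.so",
        "/home/user/.cache/mozilla/unrelated",
    ]
    for path in sample_paths:
        perms, matched = effective_perms(rules, path)
        print(f"{path}: {''.join(sorted(perms)) or '-'} via {matched}")
    print("writable AND mappable:", write_and_map_conflicts(rules, sample_paths))
```

Running it shows that both the widevine library path and the plugins path end up with `rwm`, which is exactly why the narrow `m` rule does not change the profile's existing exposure.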