Comment 12 for bug 1777070

Christian Boltz (cboltz) wrote:

> The second rule allows firefox to load and run code from that location.
> But doesn't allow firefox to write to it. So if there is malware [...]

That's correct for the added rule, but the profile also has

    owner @{HOME}/.{firefox,mozilla}/** rw,

which means firefox _can_ write to that location.

However, this doesn't make the new rule for @{HOME}/.mozilla/firefox/*/gmp-widevinecdm/*/lib*so m, too bad because the profile also allows m for plugins already:

    owner @{HOME}/.{firefox,mozilla}/plugins/** rm,
    owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,

which already allows running code from more writeable locations.
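
The overlap described in the comment above can be checked mechanically. This is an added example, not part of the original comment or of AppArmor's own tooling: it evaluates the four quoted rules against a path and reports whether write and m (mmap-exec) permission coincide. The @{HOME} value, the glob translation (a simplified subset of AppArmor globbing) and treating the owner qualifier as always satisfied are assumptions.

```python
import re

# Rules quoted in the comment above. HOME and all sample paths are constructed.
RULES = [
    "owner @{HOME}/.{firefox,mozilla}/** rw,",
    "owner @{HOME}/.mozilla/firefox/*/gmp-widevinecdm/*/lib*so m,",
    "owner @{HOME}/.{firefox,mozilla}/plugins/** rm,",
    "owner @{HOME}/.{firefox,mozilla}/**/plugins/** rm,",
]
VARS = {"HOME": "/home/user"}  # assumption: one fixed value for @{HOME}

def glob_to_regex(glob):
    """Translate a simplified subset of AppArmor globbing: ** * ? {a,b}."""
    for name, value in VARS.items():
        glob = glob.replace("@{%s}" % name, value)
    out, i, depth = "", 0, 0
    while i < len(glob):
        c = glob[i]
        if glob.startswith("**", i):
            out += ".*"          # ** crosses directory separators
            i += 2
            continue
        if c == "*":
            out += "[^/]*"       # * stays inside one path component
        elif c == "?":
            out += "[^/]"
        elif c == "{":
            out, depth = out + "(?:", depth + 1
        elif c == "}":
            out, depth = out + ")", depth - 1
        elif c == "," and depth > 0:
            out += "|"
        else:
            out += re.escape(c)
        i += 1
    return re.compile(out + r"\Z")

def grants(path):
    """Union of the permissions that all matching rules give for path."""
    perms = set()
    for rule in RULES:
        fields = [f for f in rule.rstrip(",").split() if f != "owner"]
        pattern, mode = fields
        if glob_to_regex(pattern).match(path):
            perms |= set(mode)
    return perms

def writable_and_mappable(path):
    """True when the profile lets the process both write and mmap-exec path."""
    return {"w", "m"} <= grants(path)
```

Calling writable_and_mappable() on a constructed Widevine library path or a plugins path returns True, while an ordinary profile file such as prefs.js gets only r and w.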