Bug#1003650: firejail-profiles: Chromium running under the current profile cannot play sound

2022-01-15 Thread Reiner Herrmann
On Sat, Jan 15, 2022 at 11:07:30AM +0800, Mad Horse wrote:
> I do not have any custom setup on my pipewire, nor custom firejail profile
> for chromium.

Do I understand it correctly that you are also using pipewire?

> Started within firejail, chromium reported:
> 
> > [10:46:0115/104317.720203:ERROR:bus.cc(397)] Failed to connect to the
> > bus: Failed to connect to socket /run/firejail/mnt/dbus/system:
> > Permission denied
> > libva error: /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so init failed
> > [56:56:0115/104317.772250:ERROR:sandbox_linux.cc(378)]
> > InitializeSandbox() called with multiple threads in process gpu-process.
> > [10:85:0115/104317.887055:ERROR:bus.cc(397)] Failed to connect to the
> > bus: Failed to connect to socket /run/firejail/mnt/dbus/system:
> > Permission denied
> > [10:85:0115/104317.887112:ERROR:bus.cc(397)] Failed to connect to the
> > bus: Failed to connect to socket /run/firejail/mnt/dbus/system:
> > Permission denied
> > [10:85:0115/104317.887169:ERROR:bus.cc(397)] Failed to connect to the
> > bus: Failed to connect to socket /run/firejail/mnt/dbus/system:
> > Permission denied
> > [10:85:0115/104317.887206:ERROR:bus.cc(397)] Failed to connect to the
> > bus: Failed to connect to socket /run/firejail/mnt/dbus/system:
> > Permission denied
> > [10:85:0115/104317.887235:ERROR:bus.cc(397)] Failed to connect to the
> > bus: Failed to connect to socket /run/firejail/mnt/dbus/system:
> > Permission denied
> /run/firejail/mnt/dbus/system does have permission 600, owned by root.

I think they are not related. I see these messages as well, but sound is
working for me.

> When trying to play sound, chromium in firejail reported:
> 
> > Failed to create secure directory (/run/user/1000/pulse): Operation not
> > permitted
> > ALSA lib dlmisc.c:337:(snd_dlobj_cache_get0) Cannot open shared library
> > libasound_module_pcm_pulse.so
> > (/usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_pcm_pulse.so:
> > cannot open shared object file: Permission denied)
> > [307:307:0115/104404.402900:ERROR:alsa_util.cc(204)] PcmOpen: default,No
> > such device or address
> > ALSA lib dlmisc.c:337:(snd_dlobj_cache_get0) Cannot open shared library
> > libasound_module_pcm_pulse.so
> > (/usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_pcm_pulse.so:
> > cannot open shared object file: Permission denied)
> > [307:307:0115/104404.404678:ERROR:alsa_util.cc(204)] PcmOpen:
> > plug:default,No such device or address
> 
> but there is a unix domain socket /run/user/1000/pulse/native, owned by UID
> 1000, with permission 666,
> and the permission of
> /usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_pcm_pulse.so is
> root,644.
> Both were inspected inside firejail for chromium.
> 
> Do you have any idea about these?

Assuming that you are using pipewire, can you please add the following
to your chromium.profile (or chromium.local):

> whitelist ${RUNUSER}/pipewire-?
> whitelist /usr/share/pipewire

Kind regards,
  Reiner
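
Added example (not part of the original thread and not firejail's own tooling): a POSIX shell helper for the question raised in this thread, namely which audio endpoints in the user runtime directory are left out by a profile's `whitelist ${RUNUSER}/...` rules. The function names, the demo files and the simplified pattern matching are assumptions of this example.

```shell
#!/bin/sh
# Approximates firejail's whitelist matching with shell patterns and does not
# follow "include" lines, so pass every profile file that applies.

# audio_whitelist_gaps RUNDIR PROFILE...
# Prints one "whitelist ${RUNUSER}/..." line for each audio endpoint that
# exists under RUNDIR but is not covered by a whitelist rule in the profiles.
audio_whitelist_gaps() {
    rundir=$1; shift
    # ${RUNUSER}-relative patterns already whitelisted (/dev/null keeps sed
    # from waiting on stdin when no profile is given).
    pats=$(sed -n 's|^[[:space:]]*whitelist[[:space:]][[:space:]]*\${RUNUSER}/||p' \
        "$@" /dev/null 2>/dev/null)
    # Candidates: PulseAudio's native socket and PipeWire's pipewire-N socket.
    for path in "$rundir"/pulse/native "$rundir"/pipewire-?; do
        [ -e "$path" ] || continue      # also skips an unmatched glob
        rel=${path#"$rundir"/}
        covered=no
        while IFS= read -r pat; do
            pat=${pat%/}
            # A rule covers the path itself or a directory above it.
            case $rel in
                $pat|$pat/*) covered=yes; break ;;
            esac
        done <<EOF
$pats
EOF
        [ "$covered" = yes ] || printf 'whitelist ${RUNUSER}/%s\n' "$rel"
    done
}

# Constructed demo: regular files stand in for the sockets, and the profile
# whitelists only the PulseAudio directory.
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/run" "$d/run/pulse"
    : > "$d/run/pulse/native"; : > "$d/run/pipewire-0"
    printf '%s\n' 'whitelist ${RUNUSER}/pulse' > "$d/test.profile"
    audio_whitelist_gaps "$d/run" "$d/test.profile"
    rm -rf "$d"
}
```

On a real system the first argument would be `$XDG_RUNTIME_DIR` and the remaining arguments the chromium profile files in use; any line it prints is a candidate for `chromium.local`.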




Bug#1003650: firejail-profiles: Chromium running under the current profile cannot play sound

2022-01-14 Thread Mad Horse

Hi Reiner,

I do not have any custom setup on my pipewire, nor custom firejail 
profile for chromium.


Started within firejail, chromium reported:

[10:46:0115/104317.720203:ERROR:bus.cc(397)] Failed to connect to the 
bus: Failed to connect to socket /run/firejail/mnt/dbus/system: 
Permission denied

libva error: /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so init failed
[56:56:0115/104317.772250:ERROR:sandbox_linux.cc(378)] 
InitializeSandbox() called with multiple threads in process gpu-process.
[10:85:0115/104317.887055:ERROR:bus.cc(397)] Failed to connect to the 
bus: Failed to connect to socket /run/firejail/mnt/dbus/system: 
Permission denied
[10:85:0115/104317.887112:ERROR:bus.cc(397)] Failed to connect to the 
bus: Failed to connect to socket /run/firejail/mnt/dbus/system: 
Permission denied
[10:85:0115/104317.887169:ERROR:bus.cc(397)] Failed to connect to the 
bus: Failed to connect to socket /run/firejail/mnt/dbus/system: 
Permission denied
[10:85:0115/104317.887206:ERROR:bus.cc(397)] Failed to connect to the 
bus: Failed to connect to socket /run/firejail/mnt/dbus/system: 
Permission denied
[10:85:0115/104317.887235:ERROR:bus.cc(397)] Failed to connect to the 
bus: Failed to connect to socket /run/firejail/mnt/dbus/system: 
Permission denied

/run/firejail/mnt/dbus/system does have permission 600, owned by root.

When trying to play sound, chromium in firejail reported:

Failed to create secure directory (/run/user/1000/pulse): Operation 
not permitted
ALSA lib dlmisc.c:337:(snd_dlobj_cache_get0) Cannot open shared 
library libasound_module_pcm_pulse.so 
(/usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_pcm_pulse.so: 
cannot open shared object file: Permission denied)
[307:307:0115/104404.402900:ERROR:alsa_util.cc(204)] PcmOpen: 
default,No such device or address
ALSA lib dlmisc.c:337:(snd_dlobj_cache_get0) Cannot open shared 
library libasound_module_pcm_pulse.so 
(/usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_pcm_pulse.so: 
cannot open shared object file: Permission denied)
[307:307:0115/104404.404678:ERROR:alsa_util.cc(204)] PcmOpen: 
plug:default,No such device or address


but there is a unix domain socket /run/user/1000/pulse/native, owned by 
UID 1000, with permission 666,
and the permission of 
/usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_pcm_pulse.so is 
root,644.

Both were inspected inside firejail for chromium.

Do you have any idea about these?

Kind regards,

Mad Horse

On 2022/1/15 04:47, Reiner Herrmann wrote:
> Hi Mad Horse,
>
> On Thu, Jan 13, 2022 at 05:07:38PM +0800, Mad Horse wrote:
> > After upgrading to 97.0.4692.71-0.1, Chromium running inside firejail can no
> > longer play sound (e.g. when playing an online video), while bare Chromium
> > can. It is shown with PulseAudio Manager that the Chromium running inside
> > firejail cannot connect to the sound server while the bare Chromium can.
>
> I had a similar issue initially as well. But it turned out to be related
> to my custom sound setup (using pipewire with run directory in ~/pipewire).
> There is also no sound-related Chromium issue known in the upstream
> firejail bug tracker.
>
> So I think it also has to be related to your setup.
> It might be related to some whitelist in the chromium{-common}.profile,
> as this causes the parent directory to get blocked.
> Can you please try to figure out which path needs to be whitelisted
> on your system to get it working again?
>
> Kind regards,
>    Reiner




Bug#1003650: firejail-profiles: Chromium running under the current profile cannot play sound

2022-01-14 Thread Reiner Herrmann
Hi Mad Horse,

On Thu, Jan 13, 2022 at 05:07:38PM +0800, Mad Horse wrote:
> After upgrading to 97.0.4692.71-0.1, Chromium running inside firejail can no
> longer play sound (e.g. when playing an online video), while bare Chromium
> can. It is shown with PulseAudio Manager that the Chromium running inside
> firejail cannot connect to the sound server while the bare Chromium can.

I had a similar issue initially as well. But it turned out to be related
to my custom sound setup (using pipewire with run directory in ~/pipewire).
There is also no sound-related Chromium issue known in the upstream
firejail bug tracker.

So I think it also has to be related to your setup.
It might be related to some whitelist in the chromium{-common}.profile,
as this causes the parent directory to get blocked.
Can you please try to figure out which path needs to be whitelisted
on your system to get it working again?

Kind regards,
  Reiner




Bug#1003650: firejail-profiles: Chromium running under the current profile cannot play sound

2022-01-13 Thread Mad Horse

Package: firejail-profiles
Version: 0.9.66-2
Severity: normal

Dear Maintainer,

After upgrading to 97.0.4692.71-0.1, Chromium running inside firejail can no
longer play sound (e.g. when playing an online video), while bare Chromium
can. It is shown with PulseAudio Manager that the Chromium running inside
firejail cannot connect to the sound server while the bare Chromium can.


-- System Information:
Debian Release: bookworm/sid
APT prefers testing
APT policy: (900, 'testing'), (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.0-2-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_WARN, TAINT_FIRMWARE_WORKAROUND
Locale: LANG=zh_CN.utf8, LC_CTYPE=zh_CN.utf8 (charmap=UTF-8), LANGUAGE not set

Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firejail-profiles depends on:
ii firejail 0.9.66-2

firejail-profiles recommends no packages.

firejail-profiles suggests no packages.

-- no debconf information