Bug#1003650: firejail-profiles: Chromium running under the current profile cannot play sound
On Sat, Jan 15, 2022 at 11:07:30AM +0800, Mad Horse wrote: > I do not have any custom setup on my pipewire, nor custom firejail profile > for chromium. Do I understand it correctly that you are also using pipewire? > Started within firejail, chromium reported: > > > [10:46:0115/104317.720203:ERROR:bus.cc(397)] Failed to connect to the > > bus: Failed to connect to socket /run/firejail/mnt/dbus/system: > > Permission denied > > libva error: /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so init failed > > [56:56:0115/104317.772250:ERROR:sandbox_linux.cc(378)] > > InitializeSandbox() called with multiple threads in process gpu-process. > > [10:85:0115/104317.887055:ERROR:bus.cc(397)] Failed to connect to the > > bus: Failed to connect to socket /run/firejail/mnt/dbus/system: > > Permission denied > > [10:85:0115/104317.887112:ERROR:bus.cc(397)] Failed to connect to the > > bus: Failed to connect to socket /run/firejail/mnt/dbus/system: > > Permission denied > > [10:85:0115/104317.887169:ERROR:bus.cc(397)] Failed to connect to the > > bus: Failed to connect to socket /run/firejail/mnt/dbus/system: > > Permission denied > > [10:85:0115/104317.887206:ERROR:bus.cc(397)] Failed to connect to the > > bus: Failed to connect to socket /run/firejail/mnt/dbus/system: > > Permission denied > > [10:85:0115/104317.887235:ERROR:bus.cc(397)] Failed to connect to the > > bus: Failed to connect to socket /run/firejail/mnt/dbus/system: > > Permission denied > /run/firejail/mnt/dbus/system do have permission 600, owned by root. I think they are not related. I see these messages as well, but sound is working for me. > When trying to play sound, chromium in firejail reported: > > > Failed to create secure directory (/run/user/1000/pulse): Operation not > > permitted > > ALSA lib dlmisc.c:337:(snd_dlobj_cache_get0) Cannot open shared library > > libasound_module_pcm_pulse.so > > (/usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_pcm_pulse.so: > > cannot open shared object file: Permission denied) > > [307:307:0115/104404.402900:ERROR:alsa_util.cc(204)] PcmOpen: default,No > > such device or address > > ALSA lib dlmisc.c:337:(snd_dlobj_cache_get0) Cannot open shared library > > libasound_module_pcm_pulse.so > > (/usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_pcm_pulse.so: > > cannot open shared object file: Permission denied) > > [307:307:0115/104404.404678:ERROR:alsa_util.cc(204)] PcmOpen: > > plug:default,No such device or address > > but there is a unix domain socket /run/user/1000/pulse/native, owned by UID > 1000, with permission 666, > and the permission of > /usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_pcm_pulse.so is > root,644. > Both were inspected inside firejail for chromium. > > Do you have any idea about these? Assuming that you are using pipewire, can you please add the following to your chromium.profile (or chromium.local): > whitelist ${RUNUSER}/pipewire-? > whitelist /usr/share/pipewire Kind regards, Reiner signature.asc Description: PGP signature
Bug#1003650: firejail-profiles: Chromium running under the current profile cannot play sound
Hi Reine, I do not have any custom setup on my pipewire, nor custom firejail profile for chromium. Started within firejail, chromium reported: [10:46:0115/104317.720203:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied libva error: /usr/lib/x86_64-linux-gnu/dri/iHD_drv_video.so init failed [56:56:0115/104317.772250:ERROR:sandbox_linux.cc(378)] InitializeSandbox() called with multiple threads in process gpu-process. [10:85:0115/104317.887055:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied [10:85:0115/104317.887112:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied [10:85:0115/104317.887169:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied [10:85:0115/104317.887206:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied [10:85:0115/104317.887235:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied /run/firejail/mnt/dbus/system do have permission 600, owned by root. When trying to play sound, chromium in firejail reported: Failed to create secure directory (/run/user/1000/pulse): Operation not permitted ALSA lib dlmisc.c:337:(snd_dlobj_cache_get0) Cannot open shared library libasound_module_pcm_pulse.so (/usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_pcm_pulse.so: cannot open shared object file: Permission denied) [307:307:0115/104404.402900:ERROR:alsa_util.cc(204)] PcmOpen: default,No such device or address ALSA lib dlmisc.c:337:(snd_dlobj_cache_get0) Cannot open shared library libasound_module_pcm_pulse.so (/usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_pcm_pulse.so: cannot open shared object file: Permission denied) [307:307:0115/104404.404678:ERROR:alsa_util.cc(204)] PcmOpen: plug:default,No such device or address but there is a unix domain socket /run/user/1000/pulse/native, owned by UID 1000, with permission 666, and the permission of /usr/lib/x86_64-linux-gnu/alsa-lib/libasound_module_pcm_pulse.so is root,644. Both were inspected inside firejail for chromium. Do you have any idea about these? Kind regards, Mad Horse On 2022/1/15 04:47, Reiner Herrmann wrote: Hi Mad Horse, On Thu, Jan 13, 2022 at 05:07:38PM +0800, Mad Horse wrote: After upgraded to 97.0.4692.71-0.1, Chromium running inside firejail can no longer play sound (e.g. when playing an online video), while bare Chromium can. It is shown with PulseAudio Manager that the Chromium running inside firejail cannot connect to the sound server while the bare Chromium can. I had a similar issue initially as well. But it turned out to be related to my custom sound setup (using pipewire with run directory in ~/pipewire). There are also no sound-related Chromium issue known in the upstream firejail bug tracker. So I think it also has to be related to your setup. It might be related to some whitelist in the chromium{-common}.profile, as this causes the parent directory to get blocked. Can you please try to figure out which path needs to be whitelisted on your system to get it working again? Kind regards, Reiner
Bug#1003650: firejail-profiles: Chromium running under the current profile cannot play sound
Hi Mad Horse, On Thu, Jan 13, 2022 at 05:07:38PM +0800, Mad Horse wrote: > After upgraded to 97.0.4692.71-0.1, Chromium running inside firejail can no > longer play sound (e.g. when playing an online video), while bare Chromium > can. It is shown with PulseAudio Manager that the Chromium running inside > firejail cannot connect to the sound server while the bare Chromium can. I had a similar issue initially as well. But it turned out to be related to my custom sound setup (using pipewire with run directory in ~/pipewire). There are also no sound-related Chromium issue known in the upstream firejail bug tracker. So I think it also has to be related to your setup. It might be related to some whitelist in the chromium{-common}.profile, as this causes the parent directory to get blocked. Can you please try to figure out which path needs to be whitelisted on your system to get it working again? Kind regards, Reiner signature.asc Description: PGP signature
Bug#1003650: firejail-profiles: Chromium running under the current profile cannot play sound
Package: firejail-profiles Version: 0.9.66-2 Severity: normal Dear Maintainer, After upgraded to 97.0.4692.71-0.1, Chromium running inside firejail can no longer play sound (e.g. when playing an online video), while bare Chromium can. It is shown with PulseAudio Manager that the Chromium running inside firejail cannot connect to the sound server while the bare Chromium can. -- System Information: Debian Release: bookworm/sid APT prefers testing APT policy: (900, 'testing'), (500, 'unstable'), (500, 'stable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 5.15.0-2-amd64 (SMP w/4 CPU threads) Kernel taint flags: TAINT_WARN, TAINT_FIRMWARE_WORKAROUND Locale: LANG=zh_CN.utf8, LC_CTYPE=zh_CN.utf8 (charmap=UTF-8), LANGUAGE not set Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages firejail-profiles depends on: ii firejail 0.9.66-2 firejail-profiles recommends no packages. firejail-profiles suggests no packages. -- no debconf information