sandbox blocks open in firefox 54

[Hello71]

open("/dev/snd/controlC0", O_RDWR) is blocked by sandbox. workaround: set security.sandbox.content.write_path_whitelist to /dev/snd/controlC0,/dev/snd/pcmC0D0p.

possible things to do in apulse:

1. pre-initialize ALSA before forking?
2. hackaround the sandbox
3. print better error messages (if possible), document this issue

[kshade]

Thank you for the workaround, I've had this issue as well. apulse 0.1.10 with Firefox 54.0 on Gentoo.

[i-rinat]

hackaround the sandbox

I don't think using some kind of sandbox bypassing techniques is a right direction to go. It should be possible to, say, create symlinks to files in /dev/snd/ somewhere else, and use the custom version of libasound.so.2 with paths changed. There is no way to change them dynamically, since they are hardcoded during build process. Or to create a preloaded library that intercepts open() to redirect accesses to /dev/snd/* to some other paths. In both cases a separate preloaded library should create symlinks. But all that looks cumbersome and wrong.

pre-initialize ALSA before forking?

According to my understanding of ALSA operation, it won't work. Apulse opens separate ALSA device instances for every PA stream to offload resampling and mixing to standard ALSA plugins. I think it's possible to open one playback and one capture stream just at the loading time, and perform resampling and mixing inside apulse. But that is reinventing of PulseAudio, but in the single application mode. There will be two mixing/resampling points: one in apulse, and one in ALSA's dmix.

print better error messages (if possible), document this issue

Since it's possible to add own exceptions in Firefox sandbox, I'll go this way. For now, a generic message is added in 3895240.

[i-rinat]

security.sandbox.content.write_path_whitelist

By the way, this setting accepts not only list of files, but also directories. If you add there /dev/snd/, all files in /dev/snd directory will be accessible for reading and writing. The / character at the end of /dev/snd/ is essential. All paths ending with / are considered directories.

[kshade]

Would the best thing then be to document this and tell distributors to maybe put it in their default configs?

[i-rinat]

to document this

Hope this will be enough: ee63fd3#diff-04c6e90faac2675aa89e2176d2eec7d8R152

and tell distributors to maybe put it in their default configs?

Additional preferences shouldn't harm. But if distro maintainer cares enough about ALSA, it's easier to add ac_add_options --enable-alsa to Firefox build options and build it with ALSA support enabled. Firefox devs actually added sandbox exception for ALSA device paths. But it's there only for --enable-alsa builds [1].

[1] See file /security/sandbox/linux/broker/SandboxBrokerPolicyFactory.cpp, search for "/dev/snd".

[Hello71]

seems good enough. hackarounds sound ugly even to me, and reimplementing alsa-lib sounds not fun. would be easier to just patch firefox if it were really needed.