New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Documentation] Could a complete example be added, how to run firefox with sound on youtube please? #64

Open
ghost opened this Issue Aug 30, 2017 · 7 comments

Comments

Projects
None yet
5 participants
@ghost

ghost commented Aug 30, 2017

Could a complete example be added, how to run firefox with sound on youtube please?

This would help me I think. I already modified security.sandbox.content.write_path_whitelist in about:config but I am not sure what else to do ... should I do "apulse firefox"? Would this then work for youtube audio?

Perhaps this would be helpful for more people in general.

I tried to do "apulse firefox" and it is starting but when trying to play audio in the videos I get:

[apulse] [error] do_connect_pcm: can't get initial hw parameters for playback device "default". Error code 1 (Operation not permitted)
[apulse] [error] do_connect_pcm: failed to open ALSA device. Apulse does no resampling or format conversion, leaving that task to ALSA plugins. Ensure that selected device is capable of playing a particular sample format at a particular rate. They have to be supported by either hardware directly, or by "plug" and "dmix" ALSA plugins which will perform required conversions on CPU.
[apulse] [error] do_connect_pcm: can't get initial hw parameters for playback device "default". Error code 1 (Operation not permitted)
[apulse] [error] do_connect_pcm: failed to open ALSA device. Apulse does no resampling or format conversion, leaving that task to ALSA plugins. Ensure that selected device is capable of playing a particular sample format at a particular rate. They have to be supported by either hardware directly, or by "plug" and "dmix" ALSA plugins which will perform required conversions on CPU.

And I am not sure what to do...

Thanks for reading!

@hishamhm

This comment has been minimized.

Show comment
Hide comment
@hishamhm

hishamhm Aug 31, 2017

Contributor

For me what solved the issue was adding /dev/snd/controlC0,/dev/snd/pcmC0D0p to security.sandbox.content.write_path_whitelist in about:config and I also did sudo chmod 0777 /dev/snd/* just in case but I'm not sure if that was necessary.

Contributor

hishamhm commented Aug 31, 2017

For me what solved the issue was adding /dev/snd/controlC0,/dev/snd/pcmC0D0p to security.sandbox.content.write_path_whitelist in about:config and I also did sudo chmod 0777 /dev/snd/* just in case but I'm not sure if that was necessary.

@i-rinat

This comment has been minimized.

Show comment
Hide comment
@i-rinat

i-rinat Aug 31, 2017

Owner

@shevegen

I already modified security.sandbox.content.write_path_whitelist in about:config

Just to be sure: you need to add /dev/snd/ there. It's important to keep / at the end. It says Firefox that the directory /dev/snd and all files in it should be added to the white list.

should I do "apulse firefox"?

Yep. That should be enough.

Owner

i-rinat commented Aug 31, 2017

@shevegen

I already modified security.sandbox.content.write_path_whitelist in about:config

Just to be sure: you need to add /dev/snd/ there. It's important to keep / at the end. It says Firefox that the directory /dev/snd and all files in it should be added to the white list.

should I do "apulse firefox"?

Yep. That should be enough.

@i-rinat

This comment has been minimized.

Show comment
Hide comment
@i-rinat

i-rinat Aug 31, 2017

Owner

@hishamhm

adding /dev/snd/controlC0,/dev/snd/pcmC0D0p to security.sandbox.content.write_path_whitelist

If code that parses the string in Firefox sees trailing /, the path is added to the whitelist as a directory:

sudo chmod 0777 /dev/snd/* just in case

Should not be necessary. As far as I understand either user is in audio group, and then they have rights to read-write to those files. Or there is Policykit running, which adds required permissions (ACLs) on the go.

Owner

i-rinat commented Aug 31, 2017

@hishamhm

adding /dev/snd/controlC0,/dev/snd/pcmC0D0p to security.sandbox.content.write_path_whitelist

If code that parses the string in Firefox sees trailing /, the path is added to the whitelist as a directory:

sudo chmod 0777 /dev/snd/* just in case

Should not be necessary. As far as I understand either user is in audio group, and then they have rights to read-write to those files. Or there is Policykit running, which adds required permissions (ACLs) on the go.

@keithbowes

This comment has been minimized.

Show comment
Hide comment
@keithbowes

keithbowes Sep 23, 2017

I tried both adding /dev/snd/ to security.sandbox.content.write_path_whitelist and changing the permissions of /dev/snd/*. Neither worked. But eh, without installing pulseaudio, at least I can still watch Netflix through Pipelight, with audio and everything (until Mozilla rips out plugins, that is).

keithbowes commented Sep 23, 2017

I tried both adding /dev/snd/ to security.sandbox.content.write_path_whitelist and changing the permissions of /dev/snd/*. Neither worked. But eh, without installing pulseaudio, at least I can still watch Netflix through Pipelight, with audio and everything (until Mozilla rips out plugins, that is).

@cbirchinger

This comment has been minimized.

Show comment
Hide comment
@cbirchinger

cbirchinger Nov 9, 2017

"security.sandbox.content.level" reduced to 2 and security.sandbox.content.write_path_whitelist set to "/dev/snd/" works. Maybe the level 3 features of "security.sandbox.content.level" got added recently. I did my tests with Firefox 57 beta. The difference between level 2 and 3 are "Read access to most of the filesystem". Source: https://wiki.mozilla.org/Security/Sandbox

So maybe "security.sandbox.content.read_path_whitelist" would also need some entries if level 3 is activated. I've already tried adding /dev/snd/ and it wasn't enough.

Update: I've tried adding my home .asoundrc to "security.sandbox.content.read_path_whitelist" and while that wasn't enough and it opened a can of worms regarding even more ALSA permission denied messages. It definitely shows the issue is missing read access caused by a possible new Firefox sandboxing feature activated within "security.sandbox.content.level" = 3.

Update2: Depending on your ALSA config, it requires read access to .asoundrc and all files you reference (i.e. include) in there. So i assume people who have issues, use a .asoundrc in their home. Adding all personal ALSA config files to "security.sandbox.content.read_path_whitelist" fixes the issue.

cbirchinger commented Nov 9, 2017

"security.sandbox.content.level" reduced to 2 and security.sandbox.content.write_path_whitelist set to "/dev/snd/" works. Maybe the level 3 features of "security.sandbox.content.level" got added recently. I did my tests with Firefox 57 beta. The difference between level 2 and 3 are "Read access to most of the filesystem". Source: https://wiki.mozilla.org/Security/Sandbox

So maybe "security.sandbox.content.read_path_whitelist" would also need some entries if level 3 is activated. I've already tried adding /dev/snd/ and it wasn't enough.

Update: I've tried adding my home .asoundrc to "security.sandbox.content.read_path_whitelist" and while that wasn't enough and it opened a can of worms regarding even more ALSA permission denied messages. It definitely shows the issue is missing read access caused by a possible new Firefox sandboxing feature activated within "security.sandbox.content.level" = 3.

Update2: Depending on your ALSA config, it requires read access to .asoundrc and all files you reference (i.e. include) in there. So i assume people who have issues, use a .asoundrc in their home. Adding all personal ALSA config files to "security.sandbox.content.read_path_whitelist" fixes the issue.

@i-rinat

This comment has been minimized.

Show comment
Hide comment
@i-rinat

i-rinat Nov 9, 2017

Owner

Sandbox code in Firefox has logging capabilities. If you set environment variable MOZ_SANDBOX_LOGGING=1 before starting Firefox, it will print what system call it tries to make, and what are forbidden. May help debugging.

Owner

i-rinat commented Nov 9, 2017

Sandbox code in Firefox has logging capabilities. If you set environment variable MOZ_SANDBOX_LOGGING=1 before starting Firefox, it will print what system call it tries to make, and what are forbidden. May help debugging.

@patrickdepinguin

This comment has been minimized.

Show comment
Hide comment
@patrickdepinguin

patrickdepinguin Nov 21, 2017

After updating to Firefox 57, could no longer play audio, on e.g. mynoise.net.
Problem was solved after adding '/dev/snd/' to security.sandbox.content.write_path_whitelist, with no other changes. Thanks!

patrickdepinguin commented Nov 21, 2017

After updating to Firefox 57, could no longer play audio, on e.g. mynoise.net.
Problem was solved after adding '/dev/snd/' to security.sandbox.content.write_path_whitelist, with no other changes. Thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment