Sound not working with firejail

[Leebre]

Hi, I am trying to run steam in firejail on Parabola GNU/Linux (derivative of Arch). If I run it outside of firejail, it seems to work fine and XCom: Enemy Unknown starts and runs fine. However, in firejail, even if I use --noprofile, the sound in the Steam application doesn't work (for example, in the store videos) and the game won't launch.

[rusty-snake]

Do you use pulseaudio?

[Leebre]

@rusty-snake yes, I am.

[rusty-snake]

Related: #3165

#3165 (comment)

[Leebre]

@rusty-snake thanks for the link. I read the info there and tried firejail --noprofile --noblacklist=/sys/module steam, but the sound still doesn't work. I am seeing the following error in the console though:

ALSA lib pcm_dmix.c:1089:(snd_pcm_dmix_open) unable to open slave
[0321/153240.860067:ERROR:alsa_util.cc(204)] PcmOpen: default,No such file or directory
ALSA lib pcm_dmix.c:1089:(snd_pcm_dmix_open) unable to open slave
[0321/153240.860907:ERROR:alsa_util.cc(204)] PcmOpen: plug:default,No such file or directory

so there is clearly some error relating to ALSA. My system is a fairly generic Dell Insipron desktop PC, x86, using a built-in sound card.

[Leebre]

I tried it with --noblacklist=/sys/fs as well and no joy. Something to do with ALSA must be being blocked by one of the built-in blockers?

[Leebre]

I just commented out all of the built-in blacklisted locations in fs.c and re-compiled. I ran firejail --noprofile --debug-blacklists steam, to verify that no locations were still being blacklisted - the sound still doesn't work and I get the same pcm errors.

[rusty-snake]

You can use firejail --noprofile --trace=outputfile steam to trace open, openat, fopen, access, opendir, ... or strace to trace everything. firejail --build steam maybe contain some hints or firejail --noprofile --debug steam.

[Leebre]

@rusty-snake ok, I'll give those a try and let you know what happens. Another thing I tried was running Rhythmbox in firejail (firejail --noprofile rhythmbox) and I got no sound with that either. So, it seems I have a general sound issue w. firejail, not just with Steam. One thing I noticed was the window title bar of Rhythmbox said it was operating as the superuser. So, I tried running it as root outside firejail and also got no sound. This might be the underlying problem - why is firejail running Rhythmbox as the superuser?

[rusty-snake]

https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#ive-noticed-the-title-bar-in-firefox-shows-as-superuser-is-this-normal

[Leebre]

@rusty-snake thanks for the link. However, it seems strange the I get the same audio issues in firejail as I do if I try to run the application as root. I will look into how to enable sound for the root user and see if that helps with firejail.

[Leebre]

I couldn't find a good way to enable the root user to use sound with pulseaudio, so I removed pulse completely and now the sound works fine with steam in firejail (both the client and the XCom game I was trying). Again, I suspect its to do with pulse not allowing access for the root user (I'm suddenly not so much a fan of pulse any more ...)

[rusty-snake]

just remembered, have you tried firecfg --fix-sound?

[Leebre]

@rusty-snake yes, I ran that command after installing, per the installation instructions on firejail.wordpress.com. However, I still experienced no audio through pulseaudio with firejailed applications.

[rusty-snake]

No idea if that could change anything but you can give it a try: firejail --noprofile --noblacklist=/sys/module --noautopulse steam

Unfortunately I have no more ideas what the issue could be, or how to investigate it further.

[matu3ba]

@rusty-snake Suggestion to change title to "Firejailed steam has no pulseaudio sound".

[matu3ba]

@glitsj16 Suggestion to change title to "Firejailed steam has no pulseaudio sound", because other sound apparently works.

[rusty-snake]

@matu3ba read that comment: #3282 (comment)

[glitsj16]

@matu3ba Why should we do that? The OP started noticing audio issues in Steam, while digging into it detected that all firejailed apps suffer from it and changed the title accordingly. Until there's a very good argument to do so I'm regarding the issue title the OP's prerogative.

[Leebre]

@matu3ba no, that isn't correct. I have tried with other applications that use audio and I'm not able to get sound from any of them within firejail with pulseaudio running.

@rusty-snake ok, I will give that a try when I get a chance. Although, for me, removing pulseaudio and falling back to ALSA solves the problem.

[rusty-snake]

You can try noprofile.profie. If this does not work ... 😿 .

[odiferousmint]

Sorry for somewhat necrobumping, but I have audio issues with Discord on Void Linux. It works with --noprofile and it works with the posted noprofile.profile.

I actually had audio issues with Discord (as in, the website) inside the browser Vivaldi as well, but the following lines solved it:

noblacklist /sys/fs
noblacklist /sys/module

It does not work for the Discord app though. It works if I remove all whitelist lines.

For example, this one WORKS:

include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc

noblacklist /sys/fs
noblacklist /sys/module

keep-config-pulse

noblacklist ${HOME}/.config/discord

But this one does NOT WORK:

include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc

noblacklist /sys/fs
noblacklist /sys/module

keep-config-pulse

noblacklist ${HOME}/.config/discord
mkdir ${HOME}/.config/discord
whitelist ${HOME}/.config/discord
whitelist ${DOWNLOADS}

Any ideas as to why that might be the case? Keep in mind it does not work either if I comment out the noblacklist lines OR if the keep-config-pulse is missing. I suppose I have to whitelist or noblacklist something else, but not exactly sure what.

I did try the default Discord.profile as well, that was actually the first thing I did and that one does not work either.

Unfortunately in this case I do not get any errors related to DBus, alsa, or pulseaudio either.

---

Apparently it even works with:

include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc

noblacklist /sys/fs
noblacklist /sys/module

keep-config-pulse

noblacklist ${HOME}/.config/discord

apparmor
caps.drop all
caps.keep sys_admin,sys_chroot
netfilter
no3d
nodvd
nogroups
noinput
nonewprivs
noroot
notv
nou2f
novideo
protocol unix,inet,inet6
shell none

disable-mnt
private-cache
private-tmp

dbus-user none
dbus-system none

private-bin Discord,bash,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],fish,grep,head,sed,sh,tclsh,tr,xdg-mime,xdg-open,zsh
private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl

#mkdir ${HOME}/.config/discord
#whitelist ${HOME}/.config/discord
#whitelist ${DOWNLOADS}

The issue only occurs if I uncomment the last 3 lines.

---

OK, I do get error with private-dev, complains about:

[2022-05-05 01:21:54.137] [120] (discord.cpp:551): JS console: ["%c[RPCServer:IPC]","Starting on /tmp/discord-ipc-0"]
ALSA lib pcm_dmix.c:1032:(snd_pcm_dmix_open) unable to open slave
ALSA lib pcm_dmix.c:1032:(snd_pcm_dmix_open) unable to open slave
[2022-05-05 01:21:54.855] [134] (device_info_linux.cc:45): NumberOfDevices

Any ideas?

---

SOLVED: Never mind, the issue was a missing whitelist ${HOME}/.config/pulse. I assumed keep-config-pulse would have done it.

An example of a supposedly working profile:

include disable-common.inc
include disable-devel.inc
include disable-interpreters.inc

noblacklist /sys/fs
noblacklist /sys/module

keep-config-pulse

apparmor
caps.drop all
caps.keep sys_admin,sys_chroot
netfilter
nodvd
nogroups
noinput
nonewprivs
noroot
notv
nou2f
novideo
protocol unix,inet,inet6
shell none

disable-mnt
private-cache
private-tmp

dbus-user none
dbus-system none

private-bin Discord,cut,echo,egrep,electron,electron[0-9],electron[0-9][0-9],grep,head,sed,sh,tr,xdg-mime,xdg-open,zsh,gzip,wget,curl
private-etc alternatives,asound.conf,ca-certificates,crypto-policies,fonts,group,ld.so.cache,ld.so.preload,localtime,login.defs,machine-id,password,pki,pulse,resolv.conf,ssl

noblacklist ${HOME}/.config/discord
mkdir ${HOME}/.config/discord
whitelist ${HOME}/.config/discord
whitelist ${DOWNLOADS}
whitelist ${HOME}/.config/pulse

It was a great monologue regardless. sighs

---

I do have some issues still at times but it might not be firejail related, or not exclusively.