Unable to output sound with PulseAudio 7.0 #69

Closed
pyamsoft opened this Issue Sep 26, 2015 · 65 comments


pyamsoft commented Sep 26, 2015

With the upgrade to PulseAudio 7.0 on Archlinux, audio in Chromium 45 and other applications which use pulseaudio fails to work properly.

In the case of chromium, launching with the default sandbox and no profile/seccomp, chromium will launch and instantly report a failure that it is unable to open a slave. Firejail worked fine on PulseAudio 6.

Aside from the debug output of firejail the only other noteworthy output that Chromium spews is the failure to open a slave, which I have found is something dealing with ALSA on the system.

A similar outcome can be observed when launching firefox with no profile, as well as any other application which may use pulseaudio.

Oddly enough, things like Steam work fine at outputting audio via Pulse, but seem to fail when attempting to record audio input via a microphone in firejail, even though this functionality was working under PulseAudio 6.

Apologies for the very vague bug report, I am rather confused about where the source of the problem exactly is.

Firejail version 0.9.30
PulseAudio version 7.0

Owner

netblue30 commented Sep 26, 2015

I'll leave it for two weeks for Arch to stabilize, and I'll fix it. Thanks.

@netblue30 netblue30 added the bug label Sep 26, 2015


rbieb commented Sep 28, 2015

Having the same issue. Check here: https://bugs.freedesktop.org/show_bug.cgi?id=92141 to take a look at what I've already found out with the help of the pulseaudio developers.

Starting firejail deletes pulseaudio shm files in /dev/shm causing it to stop working.

Owner

netblue30 commented Sep 28, 2015

No, for a regular user firejail doesn't touch shm. Try like this:

$ touch /dev/shm/testfile
$ ls /dev/shm
firejail  testfile

I have created a file, now I start firejail:

$ firejail 
Reading profile /etc/firejail/generic.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-history.inc

** Note: you can use --noprofile to disable generic.profile **

Parent pid 6856, child pid 6857
Child process initialized
$ ls /dev/shm
firejail  testfile

The file is still visible in the sandbox. Now I exit firejail and check the file again:

$ exit
exit

parent is shutting down, bye...
$ ls /dev/shm
firejail  testfile
$ 

After closing the sandbox, the file is still there.

Firejail modifies /dev/shm in two cases: if the sandbox is run as root, or if --private-dev option is used. In both cases a tmpfs filesystem is mounted on top of /dev/shm directory. Processes running outside the sandbox will see the real /dev/shm. Firejail never deletes files from /dev/shm directory.

Try a simple bash session using firefox profile, and take a look at dev shm.

$ firejail --profile=/etc/firejail/firefox
[...]
$ ls /dev/shm

You should have the same thing as before starting firejail.


rbieb commented Sep 28, 2015

I start firejail with --seccomp enabled, could this be the cause?

Because I know one thing for sure, it definitely seems to be firejail that deletes these shm files. I have been trying to find where exactly the issue lies, and unless I run

firejail --seccomp firefox 

which is the default way I run firefox, pulseaudio does not have issues. Starting firefox without firejail does not cause any problems either. I'm not running firejail as root either.

Have you taken a look at the link I provided? Maybe that could help clear things up a bit.

Author

pyamsoft commented Sep 28, 2015

Allow me to comment on my findings regarding the progress in this thread.

All of the following is tested and run as a normal, non-privileged user.
First the initial problem, which I have noticed:

Some incompatibility between PulseAudio 7 and firejail prevents it from outputting audio in programs that used to function successfully like chromium and firefox. Both chromium and firefox were launched with the following options to test this:

firejail --noprofile --debug chromium

firejail --noprofile --debug firefox

This should, I believe, launch firejail with the least restrictive setup possible. No seccomp, no capability dropping, no blacklisting of directories. The debug messages also reflect this, and never once mention tampering with /dev/shm.

After launching:
firejail --noprofile --debug chromium

There are, in fact, no pulse-shm-* files located in the /dev/shm directory. Before launching, on my specific system, there were about 4 instances of various shm files. Restarting pulseaudio via:
systemctl --user restart pulseaudio

restores these pulse-shm-* files, but does not restore sound output.

However, this does not mean that firejail is destroying /dev/shm. When launching keepass, which does not use pulseaudio in any way, using firejail, the /dev/shm directory stays intact.

Do note, that applying the pulseaudio work around of adding srbchannel=no into the default.pa file does appear to resolve the issue, although it is not the best solution as it does not allow one to take advantage of the progress in pulseaudio development with the newer version 7.

As a tl;dr

 # /dev/shm has pulse-shm-* files
 firejail --noprofile --debug chromium

 #  /dev/shm now empty, except for a firejail directory, pulseaudio does not work
 firejail --noprofile --debug keepass (or bash)

 # /dev/shm still contains all pulse-shm-* files
 #  srbchannel=no "fixes" pulseaudio, but is far from ideal of a solution.

 # Launching chromium without firejail works fine, as expected.

Owner

netblue30 commented Sep 28, 2015

> ... applying the pulseaudio work around of adding srbchannel=no into the default.pa file does appear to resolve the issue

OK, there seems to be a workaround. Use it until I get a chance to find the problem. I am installing Arch right now.


rbieb commented Sep 28, 2015

Just a little advice: If this is just about fixing the bug, you might want to use antergos instead of arch. It's basically the same but you don't have the hassle of dealing with the arch install.

Owner

netblue30 commented Sep 28, 2015

Thanks for the antergos idea!


Utini2000 commented Sep 28, 2015

Evolution Installer is another solution for easy and quick (5mins) arch installation.


Utini2000 commented Sep 28, 2015

writing srbchannel = no into the /etc/pulse/default.pa makes it impossible to start the daemon.

Author

pyamsoft commented Sep 28, 2015

Please note that the srbchannel option needs to be added as described in the pulseaudio bugtracker thread linked above, not simply written into the file.

If the proper addition of the srbchannel option prevents pulseaudio startup, that is a bug for pulseaudio, not firejail.

Owner

netblue30 commented Sep 29, 2015

srbchannel=no crashes pulseaudio. With pulseaudio out of the picture, the system defaults to ALSA. I got "firejail firefox" running fine after adding "srbchannel=no" in /etc/pulse/default.pa and system restart. The inconvenience is that I had to replace pavucontrol with gnome-alsamixer.

I'll look to see what is going on. Antergos/Arch is running fine here!

Owner

netblue30 commented Sep 30, 2015

I added a description of the problem and workarounds on the main page of the project.


amarildojr commented Oct 6, 2015

Hello,

Is there an expected time for this issue to be resolved? I absolutely need Pulseaudio to be 100% working, for work.

Regards,
Amarildo

@netblue30 netblue30 removed the bug label Oct 7, 2015

Owner

netblue30 commented Oct 7, 2015

Unfortunately this is a PulseAudio 7.0 bug. I don't see any way to get around it at sandbox level. There are two workarounds described in "known bugs" section here: https://github.com/netblue30/firejail

I'll keep this discussion open in case somebody figures it out.


amarildojr commented Oct 7, 2015

Hi,

Yes, the fix seems to be working, and it doesn't seem to be breaking Pulse :)

Have you contacted pulseaudio developers?

Thanks and keep up the good work,
Amarildo


tanuk commented Oct 7, 2015

A PulseAudio developer here. I'd be interested to hear more details about why you think this is a PulseAudio bug.


tanuk commented Oct 7, 2015

Hmm... I have a likely explanation for the bug. Whenever PulseAudio creates a new shm file, it also cleans up any files that are left by crashed processes that didn't clean up the files they created. Each shm file contains the pid of the process that created it. The cleanup is triggered, if kill(pid, 0) fails with ESRCH, that is, if the pid does not exist. If firejail creates a new pid namespace, then processes outside the sandbox aren't visible to processes in the sandbox, and a sandboxed process will "clean up" all shm files.

So yes, this is a PulseAudio bug after all. With pid namespaces, we can't assume that a process is dead if kill() fails with ESRCH.

This will be resolved when we get memfd support in PulseAudio (currently being worked on). I'm not sure that it will be ready before the next release, so some other fix may be needed. I don't yet know what that fix might be, though. Not cleaning up the shm files isn't really a good solution.
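The cleanup check described in the comment above, as an added C example (not PulseAudio or firejail code). `naive_is_stale` is the `kill(pid, 0)`/`ESRCH` test; `may_reap` is a hypothetical namespace-aware variant that assumes each segment also records the inode of its creator's PID namespace, which the thread does not say PulseAudio does.

```c
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical segment header. The thread only says the creator's PID is
 * stored; the pidns field is an assumption added for this example. */
struct seg_owner {
    pid_t pid;       /* PID as seen in the creator's PID namespace */
    uint64_t pidns;  /* inode of the creator's PID namespace, 0 = unknown */
};

/* The heuristic from the thread: ESRCH from kill(pid, 0) is read as
 * "creator is gone". EPERM means the PID exists, so it counts as alive. */
int naive_is_stale(pid_t pid)
{
    return kill(pid, 0) == -1 && errno == ESRCH;
}

/* Inode identifying the caller's PID namespace, or 0 if it cannot be read. */
uint64_t current_pidns(void)
{
    struct stat st;
    if (stat("/proc/self/ns/pid", &st) != 0)
        return 0;
    return (uint64_t)st.st_ino;
}

/* Namespace-aware variant: ESRCH is only meaningful when the checker and
 * the creator share a PID namespace. Otherwise the answer is "unknown" and
 * the segment is left alone, which can leak segments (the trade-off raised
 * in the thread). */
int may_reap(const struct seg_owner *o, uint64_t my_pidns)
{
    if (o->pidns == 0 || my_pidns == 0 || o->pidns != my_pidns)
        return 0;
    return naive_is_stale(o->pid);
}

/* Demo helper: returns a PID that has exited and been waited for, so
 * kill() on it reports ESRCH. Inside a new PID namespace, a live host PID
 * with no counterpart in the sandbox yields the same ESRCH. */
pid_t reaped_child_pid(void)
{
    pid_t pid = fork();
    if (pid == 0)
        _exit(0);
    if (pid > 0)
        waitpid(pid, NULL, 0);
    return pid;
}

int main(void)
{
    uint64_t here = current_pidns();
    pid_t gone = reaped_child_pid();
    struct seg_owner local = { gone, here };
    /* Constructed: here + 1 stands in for the host's namespace inode. */
    struct seg_owner foreign = { gone, here + 1 };

    printf("naive check, unreachable pid %ld: stale=%d\n",
           (long)gone, naive_is_stale(gone));
    printf("same namespace:      reap=%d\n", may_reap(&local, here));
    printf("different namespace: reap=%d\n", may_reap(&foreign, here));
    return 0;
}
```

The naive check returns "stale" for any PID it cannot see, which is every host-side creator when the checker runs in a fresh PID namespace.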


amarildojr commented Oct 7, 2015

@tanuk

> I'm not sure that it will be ready before the next release, so some other fix may be needed

Hi. There is a fix on the main page that currently works. I read some people saying it breaks pulse, but for what I could see everything is working fine here. Ardour, Steam, pavucontrol, simplescreenrecorder, all working fine.

> Not cleaning up the shm files isn't really a good solution

Could you elaborate?


Utini2000 commented Oct 7, 2015

@tanuk is there a way to manually clean up shm files ? thanks !

Owner

netblue30 commented Oct 7, 2015

Hi tanuk, thank you for your help. memfd is fine, we can wait until then. There is a workaround by disabling shm in PulseAudio - I guess in this case the client/server communication goes over the Unix socket. And there is also ALSA used as backup by Firefox and most other programs - I just have to explain to users to turn up the volume using alsamixer or some equivalent.


tanuk commented Oct 8, 2015

> Not cleaning up the shm files isn't really a good solution
>
> Could you elaborate?

I mean that if it's hard to figure out which shm files are safe to remove, we could solve this by simply not cleaning up leaked shm files, but leaking resources is not cool.

> is there a way to manually clean up shm files ?

You can simply remove the files from /dev/shm, if you can figure out which of the files are not being used any more.

@netblue30 If the workaround isn't applied automatically, a very big portion of your users will waste time wondering why their audio doesn't work, and probably not everyone will find the workaround. Are you really ok with that?

When firejail starts, maybe it could automatically copy ~/.config/pulse/client.conf to a temporary location, add "enable-shm = no" to the copy, and set the PULSE_CLIENTCONFIG environment variable to point to the modified configuration file?
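A sketch of the launcher-side workaround suggested in the comment above, as an added C example (not firejail's code). The function names and the `/tmp/pulse-client-XXXXXX` template are assumptions; `enable-shm` and `PULSE_CLIENTCONFIG` are the names given in the thread.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* True when the line is an active (uncommented) enable-shm setting.
 * Comment lines start with ';' or '#' and therefore never match. */
static int sets_enable_shm(const char *line)
{
    while (isspace((unsigned char)*line))
        line++;
    if (strncmp(line, "enable-shm", 10) != 0)
        return 0;
    line += 10;
    while (*line == ' ' || *line == '\t')
        line++;
    return *line == '=';
}

/* Copy src to dst, dropping any active enable-shm line, then append
 * "enable-shm = no". A missing src is fine: dst then holds only the
 * override. Lines are assumed to fit the 1024-byte buffer.
 * Returns 0 on success, -1 on error. */
int write_noshm_conf(const char *src, const char *dst)
{
    FILE *out = fopen(dst, "w");
    if (out == NULL)
        return -1;

    FILE *in = src ? fopen(src, "r") : NULL;
    int need_newline = 0;
    if (in != NULL) {
        char line[1024];
        while (fgets(line, sizeof line, in) != NULL) {
            if (sets_enable_shm(line))
                continue;
            fputs(line, out);
            size_t len = strlen(line);
            /* Remember whether the copied text ended mid-line. */
            need_newline = len > 0 && line[len - 1] != '\n';
        }
        fclose(in);
    }
    if (need_newline)
        fputc('\n', out);
    fputs("enable-shm = no\n", out);
    return fclose(out) == 0 ? 0 : -1;
}

/* Wrapper: build the modified copy, point the client library at it,
 * then exec the real program. The temporary file is left for the
 * lifetime of the program and is not cleaned up here. */
int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s program [args...]\n", argv[0]);
        return 2;
    }
    const char *home = getenv("HOME");
    char src[4096];
    snprintf(src, sizeof src, "%s/.config/pulse/client.conf", home ? home : "");

    char dst[] = "/tmp/pulse-client-XXXXXX";   /* assumed location */
    int fd = mkstemp(dst);                      /* created with mode 0600 */
    if (fd < 0 || write_noshm_conf(src, dst) != 0 ||
        setenv("PULSE_CLIENTCONFIG", dst, 1) != 0) {
        perror("pulse client.conf override");
        return 1;
    }
    close(fd);
    execvp(argv[1], argv + 1);
    perror("execvp");
    return 1;
}
```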

Owner

netblue30 commented Oct 8, 2015

@tanuk Thanks for the idea, I'll try it out.

Owner

netblue30 commented Oct 9, 2015

OK, the fix is in. So far it seems to be working on Debian jessie and Antergos/Arch. Let me know if you see any problems. Thanks!


Utini2000 commented Oct 9, 2015

Uhm as I am relatively new to linux (and arch): I am not getting a firejail update on arch so that I could test the new fix?


amarildojr commented Oct 9, 2015

@Utini2000 I think it's the same fix that is present on the main page here.

If you want, you could contact the AUR maintainer so that he/she can update firejail for you. Or, you download the PKGBUILD and just edit it so that it fetches the new source (if there's one).


emacsomancer commented Oct 11, 2015

updated to the latest git. the fix works for a while, but eventually i run into the same issue (pavucontrol can't connect, keyboard volume controls stop working), and have to "pulseaudio -k" and restart to regain control.

Owner

netblue30 commented Oct 15, 2015

@Utini2000 You cannot interrupt the system, the kernel wouldn't let you. Once you tell it to start a program, it will start the program. The only thing you can do is to trick it into starting the sandbox.

Contributor

curiosity-seeker commented Oct 15, 2015

> The idea is to build a custom launch script with the same name as your program, and store it in your path before the real program. A good place is /usr/local/bin. The system will be tricked into running the custom launch script instead of the real program.
>
> You can also use .desktop files. Put them on your desktop. The desktop files under /usr/share/applications/ get overwritten by your system when you update it.

Yes, I have been using desktop files so far. So you are saying that those scripts under /usr/local/bin always take precedence regardless if the desktop files are located in /usr/share/applications or ~/.local/share/applications? I didn't know that.

EDIT: I guess that was a dumb question. echo $PATH gives:

/usr/local/sbin:/usr/local/bin:/usr/bin:/usr/lib/jvm/default/bin:/usr/bin/site_perl:/usr/bin/vendor_perl:/usr/bin/core_perl

So, yes, /usr/local/bin should take precedence, indeed.

Contributor

curiosity-seeker commented Oct 15, 2015

> Start Thunderbird in firejail ("firejail thunderbird") and when you click on a link the browser opens in the same sandbox as Thunderbird. Even if there is a custom launch script, firejail will detect a sandbox is already running and will not start another one.

I'm not sure that I understand. I start firejail thunderbird and click a link but firejail --tree shows, e.g. the following:

1494:xxx:/usr/bin/firejail thunderbird 
  1495:xxx:thunderbird 
2541:xxx:/usr/bin/firejail firefox http://www.heise.de/security/meldung/Kritische-Flash-Luecke-Adobe-  stellt-Patch-in-Aussicht-2847993.html/from/nl_sec_summ?wt_mc=nl.heisec-summary.2015-10-
  2542:xxx:/bin/bash /usr/local/bin/firefox http://www.heise.de/security/meldung/Kritische-Flash-Luecke-Adobe-stellt-Patch-in-Aussicht-2847993.html/from/nl_sec_summ?wt_mc=nl.heisec-summary
    2543:xxx:firejail --profile=/home/xxx/.config/firejail/firefox.profile /usr/lib/firefox/firefox http://www.heise.de/security/meldung/Kritische-Flash-Luecke-Adobe-stellt-Patch-in-Aussic
      2544:xxx:/usr/lib/firefox/firefox http://www.heise.de/security/meldung/Kritische-Flash-Luecke-Adobe-stellt-Patch-in-Aussicht-2847993.html/from/nl_sec_summ?wt_mc=nl.heisec-summary.201
        2568:xxx:/usr/lib/mozilla/kmozillahelper

This doesn't look as if firefox is in the same sandbox as thunderbird ... ?

Owner

netblue30 commented Oct 16, 2015

@curiosity-seeker What firejail version are you running?

Start thunderbird/icedove from a terminal and click on a link:

$ icedove 
Reading profile /etc/firejail/icedove.profile
Reading profile /etc/firejail/thunderbird.profile
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-secret.inc
Reading profile /etc/firejail/disable-history.inc
Parent pid 2080, child pid 2081
Child process initialized
Warning: an existing sandbox was detected. /usr/bin/iceweasel https://github.com/netblue30/firejail/issues/83  will run without any additional sandboxing features in a /bin/sh shell

You'll get that warning "an existing sandbox was detected. /usr/bin/iceweasel #83 will run without any additional sandboxing features in a /bin/sh shell". It means firejail started the browser (firefox/iceweasel) directly, without any shell. "firejail --tree" in this moment looks like this:

$ firejail --tree
2080:netblue:firejail --name=mail /usr/bin/icedove 
  2081:netblue:/usr/bin/icedove 
    2138:netblue:/bin/bash /usr/local/bin/iceweasel https://github.com/netblue30/firejail/issues/83 
      2141:netblue:/usr/bin/firejail /usr/bin/iceweasel
        2142:netblue:sh -c /usr/bin/iceweasel https://github.com/netblue30/firejail/issues/83  
          2143:netblue:/usr/bin/iceweasel https://github.com/netblue30/firejail/issues/83 
            2227:netblue:/usr/lib/iceweasel/plugin-container /usr/lib/flashplugin-nonfree/libflashplayer.so -g

Contributor

curiosity-seeker commented Oct 17, 2015

@netblue30 : I'm using 0.9.30 on Manjaro (=Arch derivative)

> Start thunderbird/icedove from a terminal and click on a link:

I did that, and this is what I get:

Reading profile /home/xxx/.config/firejail/thunderbird.profile
Reading profile /home/xxx/.config/firejail/myrules.inc
Reading profile /etc/firejail/disable-mgmt.inc
Reading profile /etc/firejail/disable-history.inc
Warning: user namespaces not available in the current kernel.
Parent pid 1597, child pid 1598
Warning: /sbin directory link was not blacklisted
Warning: /usr/sbin directory link was not blacklisted
Child process initialized

(process:1): GLib-CRITICAL **: g_slice_set_config: assertion 'sys_page_size == 0' failed
[calBackendLoader] Using libical backend at /home/xxx/.thunderbird/gvf0q58u.default/extensions/{e2fda1a4-762b-4020-b5ad-a41df1933103}/components/libical-manifest

(thunderbird:1): Gtk-WARNING **: Theme directory action/24 of theme maia has no size field

enigmail.js: Registered components
ReminderFox  clh(1)  {rmFx_cmdLine: [xpconnect wrapped nsICommandLine]}
mimeVerify.jsm: module initialized
CardDAVDirectoryFactory.js: getDirectories
  aDirName: public
  aURI: carddav://sogo-demo.inverse.ca/SOGo/dav/t3000@posteo.de/Contacts/public/
  aPrefId: ldap_2.servers.public

(thunderbird:1): Gtk-WARNING **: Theme directory action/24 of theme maia has no size field


And firejail --tree shows:

1597:xxx:firejail thunderbird 
  1598:xxx:thunderbird 
1708:xxx:/usr/bin/firejail firefox https://github.com/netblue30/firejail/issues/69#issuecomment-148692976 
  1709:xxx:/bin/bash /usr/local/bin/firefox https://github.com/netblue30/firejail/issues/69#issuecomment-148692976 
    1710:xxx:firejail --profile=/home/xxx/.config/firejail/firefox.profile /usr/lib/firefox/firefox https://github.com/netblue30/firejail/issues/69#issuecomment-148692976 
      1711:xxx:/usr/lib/firefox/firefox https://github.com/netblue30/firejail/issues/69#issuecomment-148692976 
        1735:xxx:/usr/lib/mozilla/kmozillahelper

Thus, it seems that the behaviour is different from your system.

Owner

netblue30 commented Oct 17, 2015

That's interesting! You could get something like this if you already have firefox running in another window when you click on the link in thunderbird (I have a writeup here: https://l3net.wordpress.com/projects/firejail/firejail-faq/#firefox).

There seems to be something else going on, I'll try it here on my Arch box.

Contributor

curiosity-seeker commented Oct 17, 2015

> That's interesting! You could get something like this if you already have firefox running in another window when you click on the link in thunderbird

No, Firefox was definitely not running!

Owner

netblue30 commented Oct 31, 2015

The communication seems to go over DBus. Thunderbird sends a message, and somebody (?) starts the browser, so the browser ends up in a different sandbox.

@netblue30 netblue30 closed this Oct 31, 2015

Contributor

curiosity-seeker commented Oct 31, 2015

Thanks for that info! It's all right as long as Firefox is sandboxed.


emacsomancer commented Oct 31, 2015

So is the "enable-shm = no" in client.conf workaround no longer needed?

The last time I tried without the workaround (10 Oct), I still had the same issues with Pulseaudio.

Owner

netblue30 commented Nov 1, 2015

Yes, if you are running firejail version 0.9.32 or 0.9.34-rc1 it should be fixed.


emacsomancer commented Nov 1, 2015

It's still not working for me. If I remove the "enable-shm = no" in ~/.config/pulse/client.conf, and restart Pulseaudio, I still end up with the same issue as before.

Steps:
(1) remove ~/.config/pulse/client.conf
(2) "pulseaudio -k && pulseaudio --start"
(3) "firejail --profile=/etc/firejail/firefox.profile firefox"
(4) open pavucontrol
(5) play music with mpd
(6) open up Youtube in firefox and play something
(7) If I look at pavucontrol, I can still see two streams active
(8) But muting pulseaudio no longer works
(9) And if I close pavucontrol and reopen it, it's again stuck on "Establishing connection to PulseAudio. Please wait...." until I do step 1 again.

If I put the enable-shm=no back in place, then things work properly.

@netblue30 netblue30 reopened this Nov 2, 2015

Owner

netblue30 commented Nov 2, 2015

In firefox.profile, if you also whitelist ~/.config/pulse, does it work?

It might be that we still need "enable-shm = no"

Owner

netblue30 commented Nov 2, 2015

OK, I've got it on Arch. It looks like we still need "enable-shm = no" in ~/.config/pulse/client.config. PulseAudio cannot mix various clients with and without "enable-shm = no".

Leave ~/.config/pulse/client.config in place. I'll update the documentation and the announcements. Thank you for reporting it.

@netblue30 netblue30 closed this Nov 2, 2015

Contributor

genodeftest commented Feb 1, 2016

Similar issue here with firejail from master on Fedora 23. I don't have problems playing music but I am seeing warnings like these:
shm_open() failed: File or directory not found
For future reference: look at https://firejail.wordpress.com/support/known-problems/ to find a workaround.


ivan commented Apr 21, 2016

This also affects PulseAudio 8 on Ubuntu 16.04. The enable-shm = no fix worked for me.

Owner

netblue30 commented Apr 21, 2016

Thanks for letting me know.


covex commented Jul 19, 2016

Confirming this on Fedora 23 with firejail-0.9.28-1 from default install. Starting firefox in firejail causes the pulseaudio to stop working. Pulseaudio seems to be running but plays nothing.

Any attempt to play anything results in
$ aplay s.wav
shm_open() failed: No such file or directory
ALSA lib pulse.c:243:(pulse_connect) PulseAudio: Unable to connect: Protocol error
aplay: main:786: audio open error: Connection refused

PA is dead for all applications until
$ pulseaudio -k; start-pulseaudio-x11

Owner

netblue30 commented Jul 20, 2016

You need to move to 0.9.40, there were a lot of fixes for PulseAudio since 0.9.28. Also, you would need to configure pulse this way: https://firejail.wordpress.com/support/known-problems/#pulseaudio


tanuk commented Jul 20, 2016

If someone is running PA 9.0, it would be nice to get a confirmation that setting

enable-memfd = yes

in /etc/pulse/daemon.conf fixes this issue too. The option was added in PA 9.0, but it's off by default. It will be enabled by default at some point, probably in PA 10.0. The option changes the shared memory functionality so that the /dev/shm/* files aren't used any more.

@netblue30 netblue30 reopened this Jul 24, 2016

Owner

netblue30 commented Jul 24, 2016

Thanks @tanuk

Author

pyamsoft commented Oct 23, 2016

I can confirm that using PulseAudio 9.0 and enabling the enable-memfd = yes option in the /etc/pulse/daemon.conf allows jailed applications to use pulseaudio.

I can also confirm that I do not have enable-shm = no in any of the pulseaudio client configuration files.

Owner

netblue30 commented Oct 23, 2016

Thanks, issue closed.

@netblue30 netblue30 closed this Oct 23, 2016
