chromium: no sound with pipewire

[reinerh]

Someone on the Debian bug tracker reported that Chromium 97 no longer plays sound when firejailed.
I was able to reproduce that.

I narrowed it down to whitelists inside the HOME directory.
I.e. I disabled include whitelist-common.inc and all whitelist ${HOME}/... in chromium.profile and chromium-common.profile, and then sound was working again.
But I have problems figuring out which additional directory needs to be whitelisted.
I tried --trace (which just hangs and doesn't even open the Chromium window), --trace=file (which opens the windows, but does not load a website) and then used strace to log opened files.
But nothing looks sound-related in there.

Here is the console output with broken sound:

Reading profile /etc/firejail/chromium.profile
Reading profile /etc/firejail/chromium-common.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-devel.inc
Reading profile /etc/firejail/disable-exec.inc
Reading profile /etc/firejail/disable-interpreters.inc
Reading profile /etc/firejail/disable-programs.inc
Reading profile /etc/firejail/disable-xdg.inc
Reading profile /etc/firejail/whitelist-common.inc
Reading profile /etc/firejail/whitelist-runuser-common.inc
Reading profile /etc/firejail/whitelist-usr-share-common.inc
Reading profile /etc/firejail/whitelist-var-common.inc
Warning: networking feature is disabled in Firejail configuration file
Parent pid 7357, child pid 7358
Warning: An abstract unix socket for session D-BUS might still be available. Use --net or remove unix from --protocol set.
Child process initialized in 159.96 ms
[10:47:0114/183941.858968:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[10:74:0114/183941.950761:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[10:74:0114/183941.950821:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[10:74:0114/183941.950894:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[10:74:0114/183941.950948:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
[10:74:0114/183941.950994:ERROR:bus.cc(397)] Failed to connect to the bus: Failed to connect to socket /run/firejail/mnt/dbus/system: Permission denied
libva error: vaGetDriverNameByIndex() failed with unknown libva error, driver_name = (null)
[54:54:0114/183942.086148:ERROR:sandbox_linux.cc(378)] InitializeSandbox() called with multiple threads in process gpu-process.
Fontconfig error: Cannot load default config file
[10:66:0114/183944.995596:ERROR:chrome_browser_main_extra_parts_metrics.cc(227)] START: ReportBluetoothAvailability(). If you don't see the END: message, this is crbug.com/1216328.
[10:66:0114/183944.995641:ERROR:chrome_browser_main_extra_parts_metrics.cc(230)] END: ReportBluetoothAvailability()
ALSA lib confmisc.c:855:(parse_card) cannot find card '0'
ALSA lib conf.c:5178:(_snd_config_evaluate) function snd_func_card_inum returned error: No such file or directory
ALSA lib confmisc.c:422:(snd_func_concat) error evaluating strings
ALSA lib conf.c:5178:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory
ALSA lib confmisc.c:1334:(snd_func_refer) error evaluating name
ALSA lib conf.c:5178:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
ALSA lib conf.c:5701:(snd_config_expand) Evaluate error: No such file or directory
ALSA lib pcm.c:2664:(snd_pcm_open_noupdate) Unknown PCM default
[164:164:0114/183946.144156:ERROR:alsa_util.cc(204)] PcmOpen: default,No such file or directory
ALSA lib confmisc.c:855:(parse_card) cannot find card '0'
ALSA lib conf.c:5178:(_snd_config_evaluate) function snd_func_card_inum returned error: No such file or directory
ALSA lib confmisc.c:422:(snd_func_concat) error evaluating strings
ALSA lib conf.c:5178:(_snd_config_evaluate) function snd_func_concat returned error: No such file or directory
ALSA lib confmisc.c:1334:(snd_func_refer) error evaluating name
ALSA lib conf.c:5178:(_snd_config_evaluate) function snd_func_refer returned error: No such file or directory
ALSA lib conf.c:5701:(snd_config_expand) Evaluate error: No such file or directory
ALSA lib pcm.c:2664:(snd_pcm_open_noupdate) Unknown PCM default
[164:164:0114/183946.144541:ERROR:alsa_util.cc(204)] PcmOpen: plug:default,No such file or directory

Parent is shutting down, bye...

[rusty-snake]

If no one else has an idea, I would suggest to narrow it down with something like for file in ./.*; do echo "whitelist $(realpath "$file")"; done.

[reinerh]

@rusty-snake That was a very good idea, thanks.
I figured out that it is related to my setup... I'm using pipewire (which emulates pulseaudio) and have its runtime directory in ~/pipewire, which was blocked...
It worked for me after whitelisting the directory. So I guess there is a different problem for the original reporter. I'll ask them about their setup...

[antonv6]

The follow-up from Mad Horse on the original bug has a hint:

Failed to create secure directory (/run/user/1000/pulse): Operation not permitted

No idea what the new version of chromium means by "secure directory", but I added whitelist ${RUNUSER}/pulse (so the entire directory, not just pulse/native file) to chromium.local and now sound works through pipewire-pulse again.

[rusty-snake]

https://bugs.gentoo.org/show_bug.cgi?id=699776

[netblue30]

I figured out that it is related to my setup... I'm using pipewire (which emulates pulseaudio) and have its runtime directory in ~/pipewire, which was blocked...
It worked for me after whitelisting the directory.

The directory will have to be hardcoded and activated by default by --private and --whitelist commands. For example we have alsa and pulse brought in by default by --private:

$ firejail --private find .
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 71558, child pid 71559
Child process initialized in 110.17 ms
.
./.config
./.config/pulse       <<<<<<<<<<<<<<
./.config/pulse/client.conf       <<<<<<<<<<<<<<
./.asoundrc       <<<<<<<<<<<<<<
./.Xauthority
./.bashrc
./.inputrc

Parent is shutting down, bye...

Do we know what directories (runtime and config under /home/username) are they using? My impression is pipewire is still under heavy development. I'm not sure what's happening in Fedora, probably this is where it will be deployed first. Anyway, I'm going for a test release (0.9.68~rc1) next week, the big release two weeks later. We can wait to bring in pipewire if needed.

[reinerh]

Do we know what directories (runtime and config under /home/username) are they using? My impression is pipewire is still under heavy development. I'm not sure what's happening in Fedora, probably this is where it will be deployed first. Anyway, I'm going for a test release (0.9.68~rc1) next week, the big release two weeks later. We can wait to bring in pipewire if needed.

Pipewire works actually fine. It's already whitelisted in includes:

inc/whitelist-runuser-common.inc
13:whitelist ${RUNUSER}/pipewire-?

inc/whitelist-usr-share-common.inc
48:whitelist /usr/share/pipewire

The problem I had was just very specific to my setup, as I have manually pointed the runtime path to somewhere else.
Though it's not yet clear what problem the OP has...

[netblue30]

OK, thanks! If they come with a user file or directory under /home/username we'll make it default later.

[rusty-snake]

FWIW man 4 pipewire.conf

$XDG_CONFIG_HOME/pipewire/pipewire.conf

/etc/pipewire/pipewire.conf

/usr/share/pipewire/pipewire.conf

These are the deamon config files, there is /usr/share/pipewire/client.conf but IDK if it has a user equivalent.

[netblue30]

pipewire/pipewire.conf

I'll make it default as ~/.config/pipewire/pipewire.conf

[rusty-snake]

This file is read by pipewire (the deamon). IDK if the client library read's it too but I don't think so. If we allow it inside the sandbox, it must be read-only (it's turing complete and pipewire isn't sandboxed).

[netblue30]

This file is read by pipewire (the deamon).

OK, so we don't need to add it for --private/--whitelist.

Question: is --nosound option working on a pipewire setup?

[reinerh]

Question: is --nosound option working on a pipewire setup?

Just tested it. firejail --nosound chromium is still able to play sound in youtube videos.

Edit: but as mentioned, I have my pipewire rundir (which has the socket) in a non-standard path.

[netblue30]

--nosound should be fine now if XDG_RUNTIME_DIR env variable is configured or if the socket is under /run/user/UID/pipewire-*

60231bd

[netblue30]

I think this one is closed.