PulseAudio not working in --chroot

[azurvii]

I try to get steam running with firejail --chroot. Steam runs, but without audio.

I'm on debian bullseye, and using firejail from the repo, version 0.9.62-3.
Steam logged the somewhat related error message: PulseAudio connect failed (used only for Mic Volume Control) with error: Access denied.
pavucontrol reported Failed to create secure directory (/run/user/1000/pulse): No such file or directory.
The ancestor /run/user/ folder was non-present in the chroot environment. In other non-chroot environments, mount contained /run/user/$UID from host. The chroot environment did not.
I tried to create the folder structure manually, and pulseaudio seemed to be able to create folders of its own, but it would complain E: [pulseaudio] core-util.c: Failed to connect to system bus: Failed to connect to socket /run/dbus/system_bus_socket: No such file or directory.

With that, I guess the pulseaudio is not configured in chroot environment like other non-chroot ones. While X11 is functional in chroot.

I found --bind= but that is for root only. I have not found other related options to mount /run/user into the chroot environment. --whitelist= did not work.

[rusty-snake]

In order to play audio from inside a chroot, you need at least to bind-mount $XDG_RUNTIM_DIR/pulse/native and copy /etc/machine-id.

[azurvii]

Thanks @rusty-snake.

I'm not quite getting what you mean.

What I tried: sudo firejail --bind=/run/user/1000/pulse/native,/run/user/1000/pulse/native --noprofile --chroot=/path/to/chroot.
The run would complain Error: invalid bind command, directory missing. (The chroot still works, just without that binding)
I hope I did not do the --bind wrongly?

In case you wonder, I tried with a default bootstrapped root (which does not have the /run/user/ folder, or, of course, anything under it). I also tried with manually created /run/user/1000/pulse/ folder, with the same permissions set as my host /run/user/1000/pulse/ folder.

Also, even if --bind works, my understanding is that it would only bind the folder for the session run as root, while I would not want to run steam as root. Do you suggest that I should run one sudo firejail ..., to just bind the folder, and another regular firejail ... to run what I need?

[rusty-snake]

This was more a technical note. I don't think it is possible ATM to make PA work from inside a --chroot. To sandbox steam, you are better advised with:

1. firejail without --chroot
2. systemd-nspawn (a "modern" chroot)
3. flatpak (with customizations)

[smitsohu]

@azurvii You can bind mount it like you normally do, outside Firejail

$ cd <chroot>
$ sudo mkdir -p ./$XDG_RUNTIME_DIR/pulse
$ sudo mount -o bind $XDG_RUNTIME_DIR/pulse ./$XDG_RUNTIME_DIR/pulse

[azurvii]

Thanks @smitsohu! That, plus copying machine-id, indeed brought sounds to the chrooted steam. However, it seemed I had only the steam app playing sounds well, e.g. playing videos in a game's store page. When starting games, some of them came with loud static in addition to the game sounds; and some of them were just silent. I might have some settings messed up, and would have more tests when I get a break.

[azurvii]

Closing issue. PulseAudio works in the steam app with the machine-id and bind-mounting. The static sounds are likely a config issue, which I'll take a look separately.

[Futureknows]

I'm seeing the same problem in the Discord electron app.
Discord is launched with '--seccomp=!chroot' --ignore=private-bin --ignore=private-dev --private-etc=group,passwd,machine-id. Discord launches but no sound hardware is detected under settings.

I tried bind as provided by smitsohu:

$ cd <chroot>
$ sudo mkdir -p ./$XDG_RUNTIME_DIR/pulse
$ sudo mount -o bind $XDG_RUNTIME_DIR/pulse ./$XDG_RUNTIME_DIR/pulse

Problem persists. Discord doesn't report any errors connecting to Pulseaudio, but sound hardware is not detected.