firefox: no sound (whitelisting in ${RUNUSER}) #4512

Open
6 of 7 tasks
jose1711 opened this issue Sep 6, 2021 · 14 comments

@jose1711
Contributor

jose1711 commented Sep 6, 2021

Bug and expected behavior

After a recent update of firejail I am no longer getting any audio from Firefox.

No profile and disabling firejail

  • What changed calling firejail --noprofile /path/to/program in a terminal?

Sound works

  • What changed calling the program by path (e.g. /usr/bin/vlc)?

Sound works

Reproduce

Steps to reproduce the behavior:

  1. Run in bash firejail firefox
  2. Open youtube
  3. Click any youtube video
  4. Video plays but there is no audio (not visible in pavucontrol either)

Environment

  • Linux distribution and version

Arch Linux, rolling, x86_64

  • Firejail version (output of firejail --version) exclusive or used git commit (git rev-parse HEAD)

firejail version 0.9.67 (firejail-git r7675.263e3fe72-1)

Checklist

  • The profile (and redirect profile if exists) hasn't already been fixed upstream.
  • The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
  • I have performed a short search for similar issues (to avoid opening a duplicate).
  • If it is an AppImage, --profile=PROFILENAME is used to set the right profile.
  • Used LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM to get English error-messages.
  • I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
  • This is not a question. Questions should be asked in https://github.com/netblue30/firejail/discussions.

Log

[Child 236, MediaDecoderStateMachine #1] WARNING: 7f958fb7c740 OpenCubeb() failed to init cubeb: file /build/firefox/src/firefox-91.0.2/dom/media/AudioStream.cpp:324
[Child 236, MediaDecoderStateMachine #1] WARNING: Decoder=7f959031b400 [OnMediaSinkAudioError]: file /build/firefox/src/firefox-91.0.2/dom/media/MediaDecoderStateMachine.cpp:3980
[Child 236, MediaDecoderStateMachine #1] WARNING: 7f958cbba580 OpenCubeb() failed to init cubeb: file /build/firefox/src/firefox-91.0.2/dom/media/AudioStream.cpp:324
[Child 236, MediaDecoderStateMachine #1] WARNING: Decoder=7f959031b400 [OnMediaSinkAudioError]: file /build/firefox/src/firefox-91.0.2/dom/media/MediaDecoderStateMachine.cpp:3980

@rusty-snake
Collaborator

rusty-snake commented Sep 6, 2021

  1. Do you remember the latest working commit (so we can bisect this)?
  2. Was there a firefox update that could cause this?
  3. Do you get any seccomp violations?
  4. What do you use for audio? PulseAudio, JACK, PipeWire, ...?
  5. Is firefox the only program without audio?
  6. Does it work if you ignore include whitelist-run-common.inc?
  7. Does it work if you whitelist /usr/share/pipewire (mpv requires whitelisting /usr/share/pipewire #4483)?
  8. Do you have any .locals that could cause this?
  9. Does it work if you set media.cubeb.sandbox=false on about:config? (TESTING ONLY!)

@jose1711
Contributor Author

jose1711 commented Sep 6, 2021

  4. What do you use for audio? PulseAudio, JACK, PipeWire, ...?

PipeWire

  8. Do you have any .locals that could cause this?

BINGO! I did have include firefox-common-addons.profile in firefox-common.local. After commenting out the line the sound started to work. This line is however suggested by firefox-common.profile itself:

# Add the next line to your firefox-common.local to allow access to common programs/addons/plugins.
#include firefox-common-addons.profile

So there is still something in firefox-common-addons.profile which causes audio to break.

@rusty-snake
Collaborator

firefox-common-addons.profile ignores include whitelist-runuser-common.inc (because it breaks a lot of such programs). But firefox.profile now whitelists ${RUNUSER}/*firefox*. Therefore all sockets in $XDG_RUNTIME_DIR (D-Bus, Wayland, PipeWire, PulseAudio, ...) are missing.

@rusty-snake
Collaborator

--- a/etc/profile-a-l/firefox-common-addons.profile
+++ b/etc/profile-a-l/firefox-common-addons.profile
@@ -2,6 +2,7 @@
 # Persistent customizations should go in a .local file.
 include firefox-common-addons.local
 
+ignore ${RUNUSER}/*firefox*
 ignore include whitelist-runuser-common.inc
 ignore private-cache
 
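Review bot: the added line ignore ${RUNUSER}/*firefox* names a path rather than a profile command, unlike the two ignore lines that follow it in this hunk (ignore include whitelist-runuser-common.inc and ignore private-cache), which each name the command to drop. If the intent is to cancel a whitelist of that path, the line should presumably read ignore whitelist ${RUNUSER}/*firefox*. A one-line comment above it naming the whitelist it targets would help, and it is worth confirming that this file is read before that whitelist line.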

@jose1711
Contributor Author

jose1711 commented Sep 6, 2021

Adding ignore ${RUNUSER}/*firefox* to firefox-common-addons.profile as suggested above did not resolve the issue. Or is this just a start and I need to figure out also everything needed for correct communication to PW?

@rusty-snake
Collaborator

Sad, is there any other uncommented whitelist ${RUNUSER}? Maybe search in --debug output.

What does firejail --ignore=private-bin --profile=firefox ls /run/user/$UID show?

@kmk3
Collaborator

kmk3 commented Sep 7, 2021

@rusty-snake commented on Sep 6:

+ignore ${RUNUSER}/*firefox*

->

+ignore whitelist ${RUNUSER}/*firefox*

@jose1711
Contributor Author

jose1711 commented Sep 7, 2021

+ignore whitelist ${RUNUSER}/*firefox*

This did not help either. I don't know, perhaps this is the cause?

Failed to create secure directory (/run/user/1000/pulse): Permission denied
Sandbox: seccomp sandbox violation: pid 127, tid 405, syscall 220, args 163870 139839656088316 2 0 6 1.
Sandbox: seccomp sandbox violation: pid 127, tid 405, syscall 220, args 163871 139839656088316 2 0 6 1.
Sandbox: seccomp sandbox violation: pid 127, tid 405, syscall 220, args 163872 139839656088316 2 0 6 1.
Sandbox: seccomp sandbox violation: pid 127, tid 405, syscall 220, args 163873 139839656088316 2 0 6 1.
Sandbox: seccomp sandbox violation: pid 127, tid 405, syscall 220, args 163874 139839656088316 2 0 6 1.
Sandbox: seccomp sandbox violation: pid 127, tid 405, syscall 220, args 163875 139839656088316 2 0 6 1.
Sandbox: seccomp sandbox violation: pid 127, tid 405, syscall 220, args 163876 139839656088316 2 0 6 1.
Sandbox: seccomp sandbox violation: pid 127, tid 405, syscall 220, args 163877 139839656088316 2 0 6 1.
Sandbox: seccomp sandbox violation: pid 127, tid 405, syscall 220, args 163878 139839656088316 2 0 6 1.
Sandbox: seccomp sandbox violation: pid 127, tid 405, syscall 220, args 163879 139839656088316 2 0 6 1.
Failed to create secure directory (/run/user/1000/pulse): Permission denied
Sandbox: seccomp sandbox violation: pid 127, tid 343, syscall 220, args 163880 139840055960556 2 0 6 1.
Sandbox: seccomp sandbox violation: pid 127, tid 343, syscall 220, args 163881 139840055960556 2 0 6 1.
Sandbox: seccomp sandbox violation: pid 127, tid 343, syscall 220, args 163882 139840055960556 2 0 6 1.
Sandbox: seccomp sandbox violation: pid 127, tid 343, syscall 220, args 163883 139840055960556 2 0 6 1.
Sandbox: seccomp sandbox violation: pid 127, tid 343, syscall 220, args 163884 139840055960556 2 0 6 1.
Sandbox: seccomp sandbox violation: pid 127, tid 343, syscall 220, args 163885 139840055960556 2 0 6 1.
Sandbox: seccomp sandbox violation: pid 127, tid 343, syscall 220, args 163886 139840055960556 2 0 6 1.
Sandbox: seccomp sandbox violation: pid 127, tid 343, syscall 220, args 163887 139840055960556 2 0 6 1.
Sandbox: seccomp sandbox violation: pid 127, tid 343, syscall 220, args 163888 139840055960556 2 0 6 1.
Sandbox: seccomp sandbox violation: pid 127, tid 343, syscall 220, args 163889 139840055960556 2 0 6 1.
[Child 127, MediaDecoderStateMachine #1] WARNING: 7f2f0b8d5d60 OpenCubeb() failed to init cubeb: file /build/firefox/src/firefox-91.0.2/dom/media/AudioStream.cpp:324
[Child 127, MediaDecoderStateMachine #1] WARNING: Decoder=7f2f0b0ca000 [OnMediaSinkAudioError]: file /build/firefox/src/firefox-91.0.2/dom/media/MediaDecoderStateMachine.cpp:3980

@rusty-snake
Collaborator

Why does it want to create /run/user/1000/pulse? If you use PipeWire, it should not even access it.

  1. Do you get any seccomp violations? [in the syslog; from firejail]
  2. Is firefox the only program without audio?
  3. Does it work if you set media.cubeb.sandbox=false on about:config? (TESTING ONLY!)
  4. Is there any other uncommented whitelist ${RUNUSER}? Maybe search in --debug output.
  5. What does firejail --ignore=private-bin --profile=firefox ls /run/user/$UID show?

rusty-snake added a commit that referenced this issue Sep 7, 2021
- closes #4483 -- mpv requires whitelisting /usr/share/pipewire
- wruc: whitelist pipewire-?, pipewire is becoming more popular and was
  developed with isolation (container/sandbox) in mind.
- wruc: whitelist wayland-? instead of only -0 and -1
- wusc: whitelist /usr/share/pipewire
- remove these wruc/wusc lines from other profiles
- firefox-common-addons: Make ignore wruc work again (#4512)
- firefox: org.freedesktop.portal.Desktop should be enough

@jose1711
Contributor Author

jose1711 commented Sep 7, 2021

Why does it want to create /run/user/1000/pulse? If you use PipeWire, it should not even access it.

I have no idea. I do have pipewire-pulse installed though.

@jose1711
Contributor Author

So what I finally did was edit firefox-common-addons.profile to contain:

include firefox-common-addons.profile
whitelist ${RUNUSER}/pulse

and the sound is back. Not sure if it makes sense to keep this open as this may be an issue impacting only a handful of users.

@jmetrius
Contributor

jmetrius commented Mar 6, 2022

So what I finally did was edit firefox-common-addons.profile to contain:

include firefox-common-addons.profile
whitelist ${RUNUSER}/pulse

and the sound is back. Not sure if it makes sense to keep this open as this may be an issue impacting only a handful of users.

Will this fix be included in firefox-common-addons.profile? I hit the same bug recently.

@jmetrius
Contributor

jmetrius commented Mar 6, 2022

Nvm. The actual problem might be this:

ignore whitelist ${RUNUSER}/*firefox* in firefox-common-addons.profile is declared too late to stop its counterpart whitelist ${RUNUSER}/*firefox* in firefox.profile from taking effect.

Adding ignore whitelist ${RUNUSER}/*firefox* to firefox.local instead immediately resolves this bug. So it seems to be an issue of precedence?

@rusty-snake Would it be a good idea to actually preprocess profiles for ignore-statements so they always take effect, independent of the order of declaration?
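
Added example (not part of the original thread, and not firejail's parser or its shipped profiles): a toy model of the ordering problem described in the comment above, plus the two-pass idea it asks about. The profile contents, their include order and the prefix matching of ignore are simplifying assumptions made for this illustration.

```python
# Constructed, simplified profiles modelled on the thread; NOT the shipped files.
# The include order is an assumption made for this illustration.
PROFILES = {
    "firefox.profile": [
        "include firefox.local",                 # absent unless the user creates it
        "whitelist ${RUNUSER}/*firefox*",
        "include firefox-common.profile",
    ],
    "firefox-common.profile": [
        "include firefox-common.local",
        "include whitelist-runuser-common.inc",
    ],
    "firefox-common.local": ["include firefox-common-addons.profile"],
    "firefox-common-addons.profile": [
        "ignore whitelist ${RUNUSER}/*firefox*",
        "ignore include whitelist-runuser-common.inc",
    ],
}


def parse(entry, profiles, preseed=()):
    """Apply lines in read order; return (applied, late_ignores, ignores)."""
    ignores, applied, late = list(preseed), [], []

    def read(name):
        for line in profiles.get(name, []):      # files missing from the model are skipped
            if any(line.startswith(p) for p in ignores):
                continue                         # dropped by an earlier ignore
            if line.startswith("ignore "):
                target = line[len("ignore "):]
                ignores.append(target)
                # An ignore cannot undo a line that was already applied.
                late.extend((name, target, src) for src, done in applied
                            if done.startswith(target))
            elif line.startswith("include "):
                read(line[len("include "):])
            else:
                applied.append((name, line))

    read(entry)
    return applied, late, ignores


def parse_two_pass(entry, profiles):
    """Order-independent variant: collect every ignore first, then apply."""
    _, _, ignores = parse(entry, profiles)
    return parse(entry, profiles, preseed=ignores)
```

In this model, parse("firefox.profile", PROFILES) reports the ignore in firefox-common-addons.profile as arriving after the whitelist it targets, while the same ignore placed in a firefox.local entry, or the two-pass variant, keeps the whitelist from being applied.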

@rusty-snake
Collaborator

There are even more things like #3358 for which the apply-while-parsing logic makes problems.

kmk3 changed the title from "No sound in Firefox 91.0.2 with firejail-master" to "firefox: no sound (whitelisting in ${RUNUSER})" on Aug 24, 2024