apulse
Firefox 57 can't play any media files.
Hi, on Firefox 56 and older I didn't have any issues. I updated recently and I encountered this one. Apulse version v0.1.10 Firefox v57
Here's the "stdout" firefox gives when running "apulse firefox" in a terminal:
ALSA lib confmisc.c:768:(parse_card) cannot find card '0'
ALSA lib conf.c:4248:(_snd_config_evaluate) function snd_func_card_driver returned error: Permission denied
ALSA lib confmisc.c:392:(snd_func_concat) error evaluating strings
ALSA lib conf.c:4248:(_snd_config_evaluate) function snd_func_concat returned error: Permission denied
ALSA lib confmisc.c:1251:(snd_func_refer) error evaluating name
ALSA lib conf.c:4248:(_snd_config_evaluate) function snd_func_refer returned error: Permission denied
ALSA lib conf.c:4727:(snd_config_expand) Evaluate error: Permission denied
ALSA lib pcm.c:2239:(snd_pcm_open_noupdate) Unknown PCM default
[apulse] [error] do_connect_pcm: can't open playback device "default". Error code -13 (Permission denied)
[apulse] [error] do_connect_pcm: failed to open ALSA device. Apulse does no resampling or format conversion, leaving that task to ALSA plugins. Ensure that selected device is capable of playing a particular sample format at a particular rate. They have to be supported by either hardware directly, or by "plug" and "dmix" ALSA plugins which will perform required conversions on CPU.
Running firefox under apulse makes firefox unable to play any kind of media file at all. And it always outputs the same error.
Any workarounds?
This seems to be fixed by adding /dev/snd/ to security.sandbox.content.write_path_whitelist in about:config, as suggested by the apulse README: https://github.com/i-rinat/apulse#access-errors-in-do_connect_pcm
[Edit: I originally mis-stated the preference as syscall_whitelist instead of write_path_whitelist]
Hi! I tested back with FF57, and the issue persisted.
No error this time though.
/dev/snd has to go into security.sandbox.content.write_path_whitelist, not the syscall_whitelist
@gcp Hi Gian Carlo from bugzilla. I copied your command as it was different from the one suggested here. The folks at puppy say they got success using three different ones
I'll see how it goes.
Adding /dev/snd to whitelists does not seem to help here.
I noticed fork(): Operation not permitted on the stderr of apulse firefox whenever I attempt to play a YT video. However, adding 57 (the x86-64 syscall number for fork() according to https://filippo.io/linux-syscall-table/) into syscall_whitelist does not seem to have any effect, even after restarting Firefox.
Might need 58 for vfork or 56 for clone too. The call the application thinks it's using doesn't necessarily correspond to what libc sends to the kernel.
But if whatever you're injecting into Firefox uses fork(), there's no point in keeping the sandbox enabled at all.
Thank you, I added the syscalls you suggested, and then also 59, based on the (newly appearing) error message.
Sandbox: Failed to report rejected syscall: Bad file descriptor
Sandbox: seccomp sandbox violation: pid 2389, tid 2389, syscall 59, args 139622631646176 139622616934080 139623259001856 2097152 0 139623262309632.
No error messages appear anymore, which I find a bit surprising given that I built apulse with -DWITH_TRACE=2. This may indicate that execution never gets to apulse at all.
I lowered the content_level to 1 and eventually used 1,2,3,...,512 as syscall_whitelist but FF is still complaining about PA and I get no error messages and no sound — so no observable effect.
Should I open a new issue to track this thing (which is probably distinct from OP's)?
Does it work with the sandbox entirely disabled, i.e. level set to 0? It makes no sense to keep it enabled if fork() and friends are allowed.
Turns out this had nothing to do with security.
I dug around and discovered that the apulse wrapper in my $PATH contained the wrong APULSEPATH (which is the default /usr/local/lib/apulse), despite me having run cmake with -DCMAKE_INSTALL_PREFIX and -DAPULSEPATH with the correct paths. The first time I ran cmake+make+make install from that directory, I did not include these -D options, and the sequence cmake+make+make install did not pick them up anymore.
After removing the whole build/ directory, rerunning cmake with the correct paths from the get go, rebuilding and reinstalling apulse yields the correct APULSEPATH in the wrapper.
I returned content_level back to 3, syscall_whitelist to empty, and the R/W whitelist to /dev/snd/ each (necessary). Now everything works well.
Thank you for your help!
uses fork()
As far as I know, libasound2 (ALSA user-space part) may call fork(). It spawns some kind of sound mixing server if dmix is used and if protocol version is old enough:
if (ver < SNDRV_PROTOCOL_VERSION(2, 0, 8))
    dmix->shmptr->use_server = 1;
Protocol version was changed to 2.0.8 in https://github.com/torvalds/linux/commit/0df63e44c3e315ec0fe427ae62558231864108bd. So, if Linux version is older than 2.6.18, libasound2 will call fork(). At the same time, I don't think there was any seccomp-bpf support at that time.
I can confirm, I have the very same issue.
$ uname -r
4.13.10-gentoo
$ qlist -Iv | grep -E '(alsa|firefox)'
media-libs/alsa-lib-1.1.2
media-sound/alsa-utils-1.1.2
www-client/firefox-bin-57.0-r1
I can also confirm. I downloaded the Mozilla pre-built firefox (http://ftp.mozilla.org/pub/firefox/releases/57.0.1/linux-x86_64/en-US/firefox-57.0.1.tar.bz2), cd /usr/lib and unpacked that tarball, ran the commands and I got:
$ apulse /usr/lib/firefox/firefox
[Parent 5643, Gecko_IOThread] WARNING: pipe error (147): Connection reset by peer: file /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 353
Did you try the instructions at the top of the thread and in the README?
Yes, I did. None of them actually worked except for those using old flash players (I had libflashplayer.so in /usr/lib/firefox/browser/plugins/).
I had the very same problem. Fixed it by upgrading ALSA-Lib to version 1.1.5. APulse works like a charm again.
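An added example (not from the apulse project or from any commenter in this thread): a small Python triage of the stderr lines quoted above. It separates the /dev/snd permission error, which the path whitelist resolves, from seccomp violations on process-creation syscalls, which the thread advises against whitelisting. The function name and advice strings are made up for this example; 59 is the x86-64 number for execve.

```python
import errno
import re

# x86-64 numbers: 56-58 are named in the thread; 59 is execve.
PROCESS_SYSCALLS = {56: "clone", 57: "fork", 58: "vfork", 59: "execve"}

SECCOMP_RE = re.compile(r"seccomp sandbox violation: pid (\d+), tid \d+, syscall (\d+)")
PCM_RE = re.compile(r"do_connect_pcm: can't open \w+ device \"([^\"]+)\"\. Error code (-?\d+)")


def triage(stderr_text):
    """Return (kind, detail, advice) tuples for apulse/Firefox stderr lines."""
    findings = []
    for line in stderr_text.splitlines():
        m = PCM_RE.search(line)
        if m and -int(m.group(2)) == errno.EACCES:
            # Content process was denied access to the ALSA device nodes.
            findings.append((
                "path-denied", m.group(1),
                "add /dev/snd/ to security.sandbox.content.write_path_whitelist",
            ))
            continue
        m = SECCOMP_RE.search(line)
        if m:
            nr = int(m.group(2))
            if nr in PROCESS_SYSCALLS:
                # Allowing process creation leaves little of the sandbox intact.
                findings.append((
                    "process-syscall", PROCESS_SYSCALLS[nr],
                    "do not whitelist; check the apulse install (APULSEPATH) first",
                ))
            else:
                findings.append(("other-syscall", str(nr),
                                 "identify the caller before whitelisting"))
    return findings


# Two lines copied from the stderr output quoted in this thread.
SAMPLE = '''\
[apulse] [error] do_connect_pcm: can't open playback device "default". Error code -13 (Permission denied)
Sandbox: seccomp sandbox violation: pid 2389, tid 2389, syscall 59, args 139622631646176 139622616934080 139623259001856 2097152 0 139623262309632.
'''

if __name__ == "__main__":
    for kind, detail, advice in triage(SAMPLE):
        print(f"{kind:16} {detail:8} -> {advice}")
```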