[GH-ISSUE #2037] Machine-ID breaks Pulseaudio #1374

Closed
opened 2026-05-05 07:57:57 -06:00 by gitea-mirror · 13 comments

Originally created by @Futureknows on GitHub (Jul 11, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2037

This was discussed but a solution isn't clear.
--machine-id flag breaks Pulseaudio so no sound in Tor-browser and other firejails.
Turning off MID spoofing exposes the persistent machine-id (hardware fingerprint) inside the sandbox.
We are running Pulseaudio 11.1 and this issue persists.
Is there a current solution?


@Vincent43 commented on GitHub (Jul 11, 2018):

In which profile machine-id breaks Pulseaudio? It works for me in firefox.


@Futureknows commented on GitHub (Jul 11, 2018):

Tor-Browser-Launcher, Brave, Firefox, Chromium pretty much every firejail I launch with --machine-id.


@chiraag-nataraj commented on GitHub (Jul 11, 2018):

I don't even have /etc/machine-id available in many of my personal profiles (I use private-etc filters in many of them), and sound hasn't broken for me yet.

What do you get if you put in a `private-etc` filter leaving out `machine-id`? For example, this is the one I use with my `firefox` profile: `private-etc hosts,passwd,mime.types,fonts,mailcap,firefox,xdg,gtk-3.0,X11,pulse,alternatives,localtime,nsswitch.conf` (you might also need `resolv.conf` in there depending on your setup).


@Vincent43 commented on GitHub (Jul 12, 2018):

Both Chromium and Firefox have sound working while using machine-id on Archlinux and KDE for me. What distro and desktop environment are you using?


@Futureknows commented on GitHub (Jul 12, 2018):

I didn't add --machine-id to any profile. I'm issuing firejail commands as documented firejail --machine-id firefox. Any time I include --machine-id I lose Pulseaudio in any Browser (Chromium, Brave, Firefox, Tor).
Current Fedora 28 with Cinnamon but I am seeing similar issue on Mint 18.3.

I'm going to figure out private-etc and report back.
Thanks!


@Vincent43 commented on GitHub (Jul 12, 2018):

> I didn't add --machine-id to any profile. I'm issuing firejail commands as documented firejail --machine-id firefox

It doesn't matter. It has same effect.


@chiraag-nataraj commented on GitHub (Jul 15, 2018):

@Futureknows Did you test the private-etc filter? I've turned on machine-id on all of my (personal) profiles with no issues so far. What exactly is your pulseaudio setup? Is it the default/standard setup? Did you make any changes?


@chiraag-nataraj commented on GitHub (Jul 15, 2018):

(Also, btw, machine-id is useful even if you use a private-etc filter, since the machine ID is also available at /var/lib/dbus/machine-id which is also spoofed by firejail)


@netblue30 commented on GitHub (Jul 15, 2018):

> --machine-id flag breaks Pulseaudio so no sound in Tor-browser and other firejails.

Somehow pulseaudio ends up reading /etc/machine-id and it will refuse to start if it doesn't find it. Also some part of the dbus code might read it. I don't know why they do that. I'll have to try Arch, maybe they removed it, see @Vincent43 comment above.


@chiraag-nataraj commented on GitHub (Jul 15, 2018):

The same is true for me on Debian - I can get away without having pulse read the machine ID.


@Futureknows commented on GitHub (Jul 16, 2018):

I didn't make any changes to Pulseaudio, it is the default install from Fedora 28 Cinnamon which must have just recently been updated to 12.0, it was 11.1. It is persistent across all apps, I don't get Pulseaudio output from Rhythmbox, VLC or anything firejailed with --machine-id.

I noticed a dbus error when --machine-id is present:


```
(rhythmbox:10): dbind-WARNING **: 17:04:26.792: Couldn't connect to accessibility bus: Failed to connect to socket /tmp/dbus-BqrQlHOiVH: Connection refused

(rhythmbox:10): Rhythmbox-WARNING **: 17:04:27.302: Unable to grab media player keys: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.gnome.SettingsDaemon.MediaKeys was not provided by any .service files
```

When I enable private-etc (removing comment firefox-common.profile) it breaks my networking in Firefox.

```
"Secure Connection Failed
An error occurred during a connection to travis-ci.org. security library failure. Error code: SEC_ERROR_LIBRARY_FAILURE "
```

@chiraag-nataraj commented on GitHub (Jul 16, 2018):

Huh...you probably need `ca-certificates` and `ca-certificates.conf` I guess? That's weird that I don't end up requiring it...
[edit] never mind...hold on. At least on my system, the certificates are in `/usr/share/ca-certificates`. If your system is different, you may need to also include `ca-certificates` in your `private-etc` predicate.


@Futureknows commented on GitHub (Jul 16, 2018):

Incidentally the problem was similar on my Mint machine and although private-etc doesn't break networking Pulseaudio was still blocked by machine-id.

After digging I applied an older solution:
`echo "enable-shm = no" >> ~/.config/pulse/client.conf`
In addition I applied the same to daemon.conf:
`echo "enable-shm = no" >> ~/.config/pulse/daemon.conf`

Now audio works along with machine-id everywhere.
I noticed if I add machine-id to globals.local for some reason I lose Pulseaudio again.
If I launch it per instance --machine-id then it works perfect.
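
A check for the exposure discussed in this thread, added here as an example and not taken from firejail or from any commenter: it compares the host's machine-id against the two paths named above (`/etc/machine-id` and `/var/lib/dbus/machine-id`) as seen from inside a sandbox. The function names and the optional root-directory argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not firejail code. Helper names are hypothetical.

# Print the ID stored in a machine-id file, or nothing if the file is
# absent or malformed. A valid ID is 32 lowercase hex characters.
read_machine_id() {
    [ -r "$1" ] || return 0
    id=$(head -n 1 "$1" | tr -d '[:space:]')
    case "$id" in
        *[!0-9a-f]*|"") return 0 ;;
    esac
    [ "${#id}" -eq 32 ] && printf '%s\n' "$id"
    return 0
}

# check_machine_id_leak HOST_ID [ROOT]
# Returns 0 when neither file under ROOT carries HOST_ID, 1 when one does.
# ROOT defaults to empty, i.e. the filesystem the caller currently sees.
check_machine_id_leak() {
    host_id=$1
    root=${2:-}
    leaked=0
    for rel in /etc/machine-id /var/lib/dbus/machine-id; do
        seen=$(read_machine_id "$root$rel")
        if [ -z "$seen" ]; then
            echo "absent   $rel"
        elif [ "$seen" = "$host_id" ]; then
            echo "LEAK     $rel exposes the host machine-id"
            leaked=1
        else
            echo "spoofed  $rel"
        fi
    done
    return "$leaked"
}

# Run as a script: the first argument is the host's real ID, captured
# outside the sandbox. The exit status is 1 if either path leaks it.
if [ "$#" -ge 1 ]; then
    check_machine_id_leak "$1"
fi
```

Capture the host ID first, then run the script inside the sandbox, for example `firejail --machine-id sh ./check.sh "$(cat /etc/machine-id)"`, where `check.sh` is a hypothetical name for the file holding this block.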
