github-starred/firejail

Fork 0

mirror of https://github.com/netblue30/firejail.git synced 2026-05-15 14:16:14 -06:00

[GH-ISSUE #3263] nosound should blacklist ${RUNUSER}/pulse #2048

New issue

Closed

opened 2026-05-05 08:43:13 -06:00 by gitea-mirror · 8 comments

gitea-mirror commented

2026-05-05 08:43:13 -06:00

Owner

Originally created by @rusty-snake on GitHub (Mar 2, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3263

I'm working a bit on templates for wru (whitelist ${RUNUSER}/…) and adding it to more profiles. I detected that /run/user/1000/pulse is accessible if nosound is in affect. Unfortunately there is also no ?HAS_NOSOUND: or ?HAS_LINE(nosound) connditions.

Originally created by @rusty-snake on GitHub (Mar 2, 2020). Original GitHub issue: https://github.com/netblue30/firejail/issues/3263 I'm working a bit on templates for wru (`whitelist ${RUNUSER}/…`) and adding it to more profiles. I detected that /run/user/1000/pulse is accessible if `nosound` is in affect. Unfortunately there is also no `?HAS_NOSOUND:` or `?HAS_LINE(nosound)` connditions.

gitea-mirror

2026-05-05 08:43:13 -06:00

closed this issue
added the
enhancement
label

gitea-mirror commented

2026-05-05 08:43:16 -06:00

Author

Owner

@ghost commented on GitHub (Mar 2, 2020):

Until we have those conditionals it might be worthwhile to make ${RUNUSER}/pulse read-only. I have been running with this in my globals.local for a while now without issues:

...
#+ protect pulse sockets & pid file
read-only ${RUNUSER}/pulse
...

@ghost commented on GitHub (Mar 2, 2020): Until we have those conditionals it might be worthwhile to make ${RUNUSER}/pulse read-only. I have been running with this in my globals.local for a while now without issues: ``` ... #+ protect pulse sockets & pid file read-only ${RUNUSER}/pulse ... ```

gitea-mirror commented

2026-05-05 08:43:17 -06:00

Author

Owner

@smitsohu commented on GitHub (Mar 3, 2020):

Just to have mentioned it: This doesn't mean that nosound is broken. The socket inside /run/user/<UID>/pulse is the primary target and it is blacklisted.

@smitsohu commented on GitHub (Mar 3, 2020): Just to have mentioned it: This doesn't mean that `nosound` is broken. The socket inside `/run/user/<UID>/pulse` is the primary target and it _is_ blacklisted.

gitea-mirror commented

2026-05-05 08:43:18 -06:00

Author

Owner

@smitsohu commented on GitHub (Mar 4, 2020):

May I vote to adjust the nosound option rather than the profiles?

@smitsohu commented on GitHub (Mar 4, 2020): May I vote to adjust the `nosound` option rather than the profiles?

gitea-mirror commented

2026-05-05 08:43:18 -06:00

Author

Owner

@rusty-snake commented on GitHub (Mar 4, 2020):

Actual:

$ firejail --noprofile --nosound ls -l /run/user/1000/pulse 
-r-------- root root … native
-rw------- rusty-snake rusty-snake … pid

What I suggest:

ls: cannot open directory '/run/user/1000/pulse': Permission denied

The mentioned conditions would allow a workaround until this is changed in the C-code.

@rusty-snake commented on GitHub (Mar 4, 2020): Actual: ``` $ firejail --noprofile --nosound ls -l /run/user/1000/pulse -r-------- root root … native -rw------- rusty-snake rusty-snake … pid ``` What I suggest: ``` ls: cannot open directory '/run/user/1000/pulse': Permission denied ``` The mentioned conditions would allow a workaround until this is changed in the C-code.

gitea-mirror commented

2026-05-05 08:43:19 -06:00

Author

Owner

@Vincent43 commented on GitHub (Mar 4, 2020):

Did you tested if apps behave normal when this permission is denied?

@Vincent43 commented on GitHub (Mar 4, 2020): Did you tested if apps behave normal when this permission is denied?

gitea-mirror commented

2026-05-05 08:43:21 -06:00

Author

Owner

@rusty-snake commented on GitHub (Mar 5, 2020):

Will do some testing, but I think that this would not break anything, since if you try operate on /run/user/1000/pulse/native you already get an permissions denied error and we use nosound for programs which do not use sound.

@rusty-snake commented on GitHub (Mar 5, 2020): Will do some testing, but I think that this would not break anything, since if you try operate on /run/user/1000/pulse/native you already get an permissions denied error and we use nosound for programs which do not use sound.

gitea-mirror commented

2026-05-05 08:43:21 -06:00

Author

Owner

@smitsohu commented on GitHub (Mar 15, 2020):

fwiw the relevant lines are here:
35443058b6/src/firejail/pulseaudio.c (L41-L50)

@smitsohu commented on GitHub (Mar 15, 2020): fwiw the relevant lines are here: https://github.com/netblue30/firejail/blob/35443058b6539e8ed251c40bd342912a7e2c1484/src/firejail/pulseaudio.c#L41-L50

gitea-mirror commented

2026-05-05 08:43:22 -06:00

Author

Owner

@netblue30 commented on GitHub (Oct 1, 2020):

I am going for "ls: cannot open directory '/run/user/1000/pulse': Permission denied"

$ firejail --nosound
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 8846, child pid 8847
Child process initialized in 95.86 ms
[netblue@debian firejail]$ ls /run/user/1000/pulse
ls: cannot open directory '/run/user/1000/pulse': Permission denied
[netblue@debian firejail]$

@netblue30 commented on GitHub (Oct 1, 2020): I am going for "ls: cannot open directory '/run/user/1000/pulse': Permission denied" ````` $ firejail --nosound Reading profile /etc/firejail/default.profile Reading profile /etc/firejail/disable-common.inc Reading profile /etc/firejail/disable-passwdmgr.inc Reading profile /etc/firejail/disable-programs.inc ** Note: you can use --noprofile to disable default.profile ** Parent pid 8846, child pid 8847 Child process initialized in 95.86 ms [netblue@debian firejail]$ ls /run/user/1000/pulse ls: cannot open directory '/run/user/1000/pulse': Permission denied [netblue@debian firejail]$ `````

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#2048

No description provided.

Rows
Columns