Firefox can't access sndio sound server

[nullenvk]

Bug and expected behavior
When using firejail, firefox can't play audio through sndio (an alternative to pulseaudio), most likely because it requires access to $HOME/.sndio/cookie. Firefox should be able to connect to sndio with use of the cookie file.

No profile and disabling firejail
Without firejail or without profiles, firefox works fine with sndio and is able to play audio.

Reproduce
Steps to reproduce the behavior:

1. Start sndio
2. Run firefox in firejail
3. Change default cubeb backend to sndio in about:config (media.cubeb.backend = sndio, security.sandbox.content.read_path_whitelist and write_path_whitelist = $HOME/.sndio/cookie)
4. Play any audio file and receive following errors in console

[Child 262, MediaDecoderStateMachine #1] WARNING: 7f9d097433c0 OpenCubeb() failed to init cubeb: file /var/tmp/portage/www-client/firefox-89.0.1/work/firefox-89.0.1/dom/media/AudioStream.cpp:323
[Child 262, MediaDecoderStateMachine #1] WARNING: Decoder=7f9d0b7c1c00 [OnMediaSinkAudioError]: file /var/tmp/portage/www-client/firefox-89.0.1/work/firefox-89.0.1/dom/media/MediaDecoderStateMachine.cpp:3916

Environment

• Gentoo/Linux (latest)
• firejail version 0.9.64.4

Checklist

• The profile (and redirect profile if exists) hasn't already been fixed upstream.
• The program has a profile. (If not, request one in https://github.com/netblue30/firejail/issues/1139)
• I have performed a short search for similar issues (to avoid opening a duplicate).
• If it is a AppImage, --profile=PROFILENAME is used to set the right profile.
• Used LC_ALL=en_US.UTF-8 LANG=en_US.UTF-8 PROGRAM to get english error-messages.
• I'm aware of browser-allow-drm yes/browser-disable-u2f no in firejail.config to allow DRM/U2F in browsers.
• This is not a question. Questions should be asked in https://github.com/netblue30/firejail/discussions.

[nullenvk]

Also, when you disable cubeb's sandbox (media.cubeb.sandbox in about:config) with sndio backend enabled, seccomp violations occur when trying to play audio:

Sandbox: seccomp sandbox violation: pid 301, tid 373, syscall 220, args 131111 139665670645564 2 0 139666228847724 139665660862640.

[rusty-snake]

When using firejail, firefox can't play audio through sndio (an alternative to pulseaudio), most likely because it requires access to $HOME/.sndio/cookie. Firefox should be able to connect to sndio with use of the cookie file.

If whitelist ${HOME}/.sndio/cookie works, we should add it to whitelist-common.inc

Also, when you disable cubeb's sandbox (media.cubeb.sandbox in about:config) with sndio backend enabled, seccomp violations occur when trying to play audio:

syscall 220 is semtimedop on x86_64 and getdents64 on i386. Both aren't blocked by firejail. Can you reproduce this with --noprofile too?

[nullenvk]

When using firejail, firefox can't play audio through sndio (an alternative to pulseaudio), most likely because it requires access to $HOME/.sndio/cookie. Firefox should be able to connect to sndio with use of the cookie file.

If whitelist ${HOME}/.sndio/cookie works, we should add it to whitelist-common.inc

Also, when you disable cubeb's sandbox (media.cubeb.sandbox in about:config) with sndio backend enabled, seccomp violations occur when trying to play audio:

syscall 220 is semtimedop on x86_64 and getdents64 on i386. Both aren't blocked by firejail. Can you reproduce this with --noprofile too?

The problem doesn't occur when I use --noprofile. However, I think adding that whitelist option to whitelist-common.local stopped these seccomp messages from appearing, although the problem still occurs and firefox prints out that "failed to init cubeb" message.

[nullenvk]

Oh, I've found out how to fix it. The program needs to access /tmp/sndio directory too, then the problem stops.