pulseaudio bug

author: netblue <netblue@debian> 2015-09-30 13:11:14 -0400
committer: netblue <netblue@debian> 2015-09-30 13:11:14 -0400
commit: 6278906f5536a83e8d9a6dfafc2ea4befc464dfb (patch)
tree: 718716dd484cd36385182133d305d2735bb1540b /README.md
parent: blacklist sockets in /run (diff)
download: firejail-6278906f5536a83e8d9a6dfafc2ea4befc464dfb.tar.gz
firejail-6278906f5536a83e8d9a6dfafc2ea4befc464dfb.tar.zst
firejail-6278906f5536a83e8d9a6dfafc2ea4befc464dfb.zip
1 files changed, 48 insertions, 11 deletions
diff --git a/README.md b/README.md
index 37c77126d..23b138984 100644
--- a/README.md
+++ b/README.md
@@ -1,16 +1,27 @@
 # Firejail
-Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.
+Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting
+the running environment of untrusted applications using Linux namespaces, seccomp-bpf
-Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version or newer. It can sandbox any type of processes: servers, graphical applications, and even user login sessions. The software includes sandbox profiles for a number of more common Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.
+and Linux capabilities. It allows a process and all its descendants to have their own private
+view of the globally shared kernel resources, such as the network stack, process table, mount table.
-The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in Linux kernel and available on any Linux computer. To start the sandbox, prefix your command with “firejail”:
+Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.
-    $ firejail firefox            # starting Mozilla Firefox
+Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel
-    $ firejail transmission-gtk   # starting Transmission BitTorrent 
+version or newer. It can sandbox any type of processes: servers, graphical applications, and even
-    $ firejail vlc                # starting VideoLAN Client
+user login sessions. The software includes sandbox profiles for a number of more common Linux programs,
-    $ sudo firejail "/etc/init.d/nginx start && sleep inf"
+such as Mozilla Firefox, Chromium, VLC, Transmission etc.
+The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit,
+no socket connections open, no daemons running in the background. All security features are
+implemented directly in Linux kernel and available on any Linux computer. To start the sandbox,
+prefix your command with “firejail”:
+`````
+$ firejail firefox            # starting Mozilla Firefox
+$ firejail transmission-gtk   # starting Transmission BitTorrent 
+$ firejail vlc                # starting VideoLAN Client
+$ sudo firejail "/etc/init.d/nginx start && sleep inf"
+`````
 Project webpage: https://l3net.wordpress.com/projects/firejail/
 Download and Installation: https://l3net.wordpress.com/projects/firejail/firejail-download-and-install/
@@ -20,3 +31,29 @@ Features: https://l3net.wordpress.com/projects/firejail/firejail-features/
 Usage: https://l3net.wordpress.com/projects/firejail/firejail-usage/
 FAQ: https://l3net.wordpress.com/projects/firejail/firejail-faq/
+## Known Problems
+### PulseAudio 7.0
+The srbchannel IPC mechanism  introduced in PulseAudio6.0 was enabled by default in 7.0 release.
+Arch Linux users are reporting sound problems when running applications in Firejail sandbox.
+The issue is still under investigation. There are two workarounds so far:
+*   Running ALSA
+    By default, if Firefox doesn't manage to connect to PulseAudio, it will connect directly to ALSA.
+    Also by default, ALSA comes wit the sound volume down. You would need to install *alsamixer*
+    (*alsa-utils* package) or *gnome-alsamixer*, run it and crank up the volume (both Master and PCM).
+ 
+ *  Disable srbchannel mechanism in PulseAudio
+ `````
+$ mkdir -p ~/.config/pulse
+$ cd ~/.config/pulse
+$ cp /etc/pulse/client.conf .
+$ echo "enable-shm = no" >> client.conf
+`````
+If you are still having problems, join the discussion here: https://github.com/netblue30/firejail/issues/69
author	netblue <netblue@debian>	2015-09-30 13:11:14 -0400
committer	netblue <netblue@debian>	2015-09-30 13:11:14 -0400
commit	6278906f5536a83e8d9a6dfafc2ea4befc464dfb (patch)
tree	718716dd484cd36385182133d305d2735bb1540b /README.md
parent	blacklist sockets in /run (diff)
download	firejail-6278906f5536a83e8d9a6dfafc2ea4befc464dfb.tar.gz firejail-6278906f5536a83e8d9a6dfafc2ea4befc464dfb.tar.zst firejail-6278906f5536a83e8d9a6dfafc2ea4befc464dfb.zip

diff --git a/README.md b/README.md index 37c77126d..23b138984 100644 --- a/README.md +++ b/README.md
@@ -1,16 +1,27 @@
1	# Firejail	1	# Firejail
2		2
3	Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting the running environment of untrusted applications using Linux namespaces, seccomp-bpf and Linux capabilities. It allows a process and all its descendants to have their own private view of the globally shared kernel resources, such as the network stack, process table, mount table. Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.	3	Firejail is a SUID sandbox program that reduces the risk of security breaches by restricting
4		4	the running environment of untrusted applications using Linux namespaces, seccomp-bpf
5	Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel version or newer. It can sandbox any type of processes: servers, graphical applications, and even user login sessions. The software includes sandbox profiles for a number of more common Linux programs, such as Mozilla Firefox, Chromium, VLC, Transmission etc.	5	and Linux capabilities. It allows a process and all its descendants to have their own private
6		6	view of the globally shared kernel resources, such as the network stack, process table, mount table.
7	The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit, no socket connections open, no daemons running in the background. All security features are implemented directly in Linux kernel and available on any Linux computer. To start the sandbox, prefix your command with “firejail”:	7	Firejail can work in a SELinux or AppArmor environment, and it is integrated with Linux Control Groups.
8		8
9	$ firejail firefox # starting Mozilla Firefox	9	Written in C with virtually no dependencies, the software runs on any Linux computer with a 3.x kernel
10	$ firejail transmission-gtk # starting Transmission BitTorrent	10	version or newer. It can sandbox any type of processes: servers, graphical applications, and even
11	$ firejail vlc # starting VideoLAN Client	11	user login sessions. The software includes sandbox profiles for a number of more common Linux programs,
12	$ sudo firejail "/etc/init.d/nginx start && sleep inf"	12	such as Mozilla Firefox, Chromium, VLC, Transmission etc.
13		13
		14	The sandbox is lightweight, the overhead is low. There are no complicated configuration files to edit,
		15	no socket connections open, no daemons running in the background. All security features are
		16	implemented directly in Linux kernel and available on any Linux computer. To start the sandbox,
		17	prefix your command with “firejail”:
		18
		19	`````
		20	$ firejail firefox # starting Mozilla Firefox
		21	$ firejail transmission-gtk # starting Transmission BitTorrent
		22	$ firejail vlc # starting VideoLAN Client
		23	$ sudo firejail "/etc/init.d/nginx start && sleep inf"
		24	`````
14	Project webpage: https://l3net.wordpress.com/projects/firejail/	25	Project webpage: https://l3net.wordpress.com/projects/firejail/
15		26
16	Download and Installation: https://l3net.wordpress.com/projects/firejail/firejail-download-and-install/	27	Download and Installation: https://l3net.wordpress.com/projects/firejail/firejail-download-and-install/
@@ -20,3 +31,29 @@ Features: https://l3net.wordpress.com/projects/firejail/firejail-features/
20	Usage: https://l3net.wordpress.com/projects/firejail/firejail-usage/	31	Usage: https://l3net.wordpress.com/projects/firejail/firejail-usage/
21		32
22	FAQ: https://l3net.wordpress.com/projects/firejail/firejail-faq/	33	FAQ: https://l3net.wordpress.com/projects/firejail/firejail-faq/
		34
		35	## Known Problems
		36
		37	### PulseAudio 7.0
		38
		39	The srbchannel IPC mechanism introduced in PulseAudio6.0 was enabled by default in 7.0 release.
		40	Arch Linux users are reporting sound problems when running applications in Firejail sandbox.
		41	The issue is still under investigation. There are two workarounds so far:
		42
		43	* Running ALSA
		44
		45	By default, if Firefox doesn't manage to connect to PulseAudio, it will connect directly to ALSA.
		46	Also by default, ALSA comes wit the sound volume down. You would need to install alsamixer
		47	(alsa-utils package) or gnome-alsamixer, run it and crank up the volume (both Master and PCM).
		48
		49	* Disable srbchannel mechanism in PulseAudio
		50	`````
		51	$ mkdir -p ~/.config/pulse
		52	$ cd ~/.config/pulse
		53	$ cp /etc/pulse/client.conf .
		54	$ echo "enable-shm = no" >> client.conf
		55	`````
		56
		57	If you are still having problems, join the discussion here: https://github.com/netblue30/firejail/issues/69
		58
		59