Loading PulseAudio modules via pactl and Webkit2GTK inside a core20 snap

Hi,

I’m trying to create a Snap package but it fails in devmode. Under classic confinement it works.

GitHub Repo: https://github.com/Soundux/soundux-snap
The snap is already published in the edge channel: snap install soundux --edge --devmode

I get this error message for Pulse:

pactl: error while loading shared libraries: libpulsecommon-13.99.so: cannot open shared object file: No such file or directory

and for Webkit2GTK

Unable to fork a new child process: Failed to execute child process “/usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitWebProcess” (No such file or directory)
Trace/breakpoint trap (core dumped)

Running a find / -name "libpulsecommon-13.99.so" returns

/snap/soundux/28/usr/lib/x86_64-linux-gnu/pulseaudio/libpulsecommon-13.99.so

also find / -name "WebKitWebProcess"

/snap/soundux/28/usr/lib/x86_64-linux-gnu/webkit2gtk-4.0/WebKitWebProcess

I’m stumped on how to fix this

I tried:

  • adding extensions: [gnome-3-38] to the app section gets the program to launch but I always get errors when the program tries to access pulseaudio via pactl like Failed to get module information: Access denied
  • adding

    environment:
      "LD_LIBRARY_PATH": "$LD_LIBRARY_PATH:$SNAP/usr/lib/$SNAPCRAFT_ARCH_TRIPLET/pulseaudio:$SNAP/usr/lib/$SNAPCRAFT_ARCH_TRIPLET/webkit2gtk-4.0"

    to the app section gives me Connection failure: Connection refused and pa_context_connect() failed: Connection refused and the WebViewGTK error mentioned at the top persists

Besides that I’m not sure if running pactl inside a snap qualifies it for a classic confinement as per

running arbitrary command
https://snapcraft.io/docs/reviewing-classic-confinement-snaps

I would appreciate any assistance in creating the package

take a look at this snippet from the desktop-launch scripts:

# Make PulseAudio socket available inside the snap-specific $XDG_RUNTIME_DIR
if [ -n "$XDG_RUNTIME_DIR" ]; then
    pulsenative="pulse/native"
    pulseaudio_sockpath="$XDG_RUNTIME_DIR/../$pulsenative"
    if [ -S "$pulseaudio_sockpath" ]; then
        export PULSE_SERVER="unix:${pulseaudio_sockpath}"
    fi
fi

(and indeed you need to make sure that a pulseaudio daemon is running on the system)


This is fixable with a layout:

layout:
  /usr/lib/$SNAPCRAFT_ARCH_TRIPLET/webkit2gtk-4.0:
    bind: $SNAP/usr/lib/$SNAPCRAFT_ARCH_TRIPLET/webkit2gtk-4.0

If you’re using the gnome extensions, which provide this binary for you meaning you don’t need to ship it yourself, you can do it with:

layout:
  /usr/lib/$SNAPCRAFT_ARCH_TRIPLET/webkit2gtk-4.0:
    bind: $SNAP/gnome-platform/usr/lib/$SNAPCRAFT_ARCH_TRIPLET/webkit2gtk-4.0

It runs now but the window is just white and the developer tools are showing as source code

When adding the gnome extension I don’t need the layout, the UI works in this case. But it prints this at the start and takes a lot longer to launch:

Warning: Schema “org.gnome.system.locale” has path “/system/locale/”.  Paths starting with “/apps/”, “/desktop/” or “/system/” are deprecated.
Warning: Schema “org.gnome.system.proxy” has path “/system/proxy/”.  Paths starting with “/apps/”, “/desktop/” or “/system/” are deprecated.
Warning: Schema “org.gnome.system.proxy.http” has path “/system/proxy/http/”.  Paths starting with “/apps/”, “/desktop/” or “/system/” are deprecated.
Warning: Schema “org.gnome.system.proxy.https” has path “/system/proxy/https/”.  Paths starting with “/apps/”, “/desktop/” or “/system/” are deprecated.
Warning: Schema “org.gnome.system.proxy.ftp” has path “/system/proxy/ftp/”.  Paths starting with “/apps/”, “/desktop/” or “/system/” are deprecated.
Warning: Schema “org.gnome.system.proxy.socks” has path “/system/proxy/socks/”.  Paths starting with “/apps/”, “/desktop/” or “/system/” are deprecated.

Also I still get Failed to get module information: Access denied for each pactl command.
Furthermore I’m not sure if the gnome-3-38 should be used in production since it’s labeled as experimental here:

You likely need to add browser-support to your plugs.

I tried but it didn’t help. So I guess the gnome extension is the way to go since I got farther with it. I described the problems with it in my reply above.

You’re likely accessing more than the audio-playback interface allows when using pactl, so you might need to add and connect (it’s not automatic) the pulseaudio plug.


It should be connected

$ sudo snap connections soundux 
Interface                 Plug                     Slot                             Notes
alsa                      soundux:alsa             -                                -
audio-playback            soundux:audio-playback   :audio-playback                  -
content[gnome-3-38-2004]  soundux:gnome-3-38-2004  gnome-3-38-2004:gnome-3-38-2004  -
content[gtk-3-themes]     soundux:gtk-3-themes     gtk-common-themes:gtk-3-themes   -
content[icon-themes]      soundux:icon-themes      gtk-common-themes:icon-themes    -
content[sound-themes]     soundux:sound-themes     gtk-common-themes:sound-themes   -
desktop                   soundux:desktop          :desktop                         -
desktop-legacy            soundux:desktop-legacy   :desktop-legacy                  -
gsettings                 soundux:gsettings        :gsettings                       -
home                      soundux:home             :home                            -
opengl                    soundux:opengl           :opengl                          -
pulseaudio                soundux:pulseaudio       -                                -
wayland                   soundux:wayland          :wayland                         -
x11                       soundux:x11              :x11                             -

The thing is that we load PulseAudio modules (via pactl load-module) and I noticed currently just that fails inside the snap. Listing something via pactl list works.

The - value in slot column means it’s declared, but it isn’t connected, try

sudo snap connect soundux:pulseaudio :pulseaudio

If this fixes the problem, your users will have to run that themselves manually when they install the snap OR you’d have to apply for an auto connection from the store to do it for them.


Thanks now it’s connected

$ sudo snap connections soundux 
Interface                 Plug                     Slot                             Notes
alsa                      soundux:alsa             -                                -
audio-playback            soundux:audio-playback   :audio-playback                  -
content[gnome-3-38-2004]  soundux:gnome-3-38-2004  gnome-3-38-2004:gnome-3-38-2004  -
content[gtk-3-themes]     soundux:gtk-3-themes     gtk-common-themes:gtk-3-themes   -
content[icon-themes]      soundux:icon-themes      gtk-common-themes:icon-themes    -
content[sound-themes]     soundux:sound-themes     gtk-common-themes:sound-themes   -
desktop                   soundux:desktop          :desktop                         -
desktop-legacy            soundux:desktop-legacy   :desktop-legacy                  -
gsettings                 soundux:gsettings        :gsettings                       -
home                      soundux:home             :home                            -
opengl                    soundux:opengl           :opengl                          -
pulseaudio                soundux:pulseaudio       :pulseaudio                      manual
wayland                   soundux:wayland          :wayland                         -
x11                       soundux:x11              :x11                             -

but now I get another error when loading modules: Failure: Access denied

weird, I do the same here:

… though this helper runs as root, perhaps your user does not have enough permissions here …

Running the pactl load-module commands like pactl load-module module-null-sink ... on the host system works.
$SNAP/usr/bin/pactl is used here but we use just pactl. Maybe we have to use it like that too?

oh, right, try adding pulseaudio-utils to stage-packages and use the $SNAP prefix (or a layout to re-map pactl to /usr/bin)

I tried adding

layout:
 /usr/bin/pactl:
   bind-file: $SNAP/usr/bin/pactl

but it didn’t help. Still stuck with the Failure: Access denied

The module-snap-policy Pulse Audio module found on Ubuntu systems detects when the client is running with snap confinement, and applies various restrictions. In particular, it denies loading and unloading of modules:

As Pulse Audio modules are run within the daemon process outside of the sandbox, it is not safe to give a sandboxed application the ability to control how they run.

The restrictions are implemented within the pulseaudio daemon, so the “access denied” error is not down to the path of the pactl executable.
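
The two causes of "Access denied" discussed in this thread (a pulseaudio plug that is declared but not connected, and the daemon-side module-snap-policy restriction) can be told apart with a small triage script. This is an added example, not code from any of the posters or from the Soundux project; the function names are hypothetical and the sample inputs are constructed to resemble the output quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): triage "Access denied" from
# `pactl load-module` inside a snap. Function names are hypothetical.

# Constructed samples, modelled on the output quoted in this thread.
SAMPLE_CONNECTIONS='Interface       Plug                    Slot             Notes
audio-playback  soundux:audio-playback  :audio-playback  -
pulseaudio      soundux:pulseaudio      -                -'
SAMPLE_MODULES='0 module-device-restore
7 module-snap-policy'

# plug_state SNAP PLUG   (stdin: output of `snap connections SNAP`)
# Prints connected, declared-unconnected ("-" in the Slot column) or missing.
plug_state() {
    awk -v plug="$1:$2" '
        NR > 1 && $2 == plug { s = ($3 == "-") ? "declared-unconnected" : "connected" }
        END { print (s == "" ? "missing" : s) }'
}

# snap_policy_loaded   (stdin: output of `pactl list short modules` on the host)
# Succeeds when the daemon has module-snap-policy loaded.
snap_policy_loaded() {
    awk '$2 == "module-snap-policy" { found = 1 } END { exit !found }'
}

# triage SNAP CONNECTIONS_TEXT MODULES_TEXT
triage() {
    state=$(printf '%s\n' "$2" | plug_state "$1" pulseaudio)
    if [ "$state" != "connected" ]; then
        echo "plug-$state"        # fix: declare or `snap connect` the plug
    elif printf '%s\n' "$3" | snap_policy_loaded; then
        echo "daemon-policy"      # denial is enforced by the daemon itself
    else
        echo "other"              # look elsewhere (socket, permissions, ...)
    fi
}

# Live use, run on the host:
#   triage soundux "$(snap connections soundux)" "$(pactl list short modules)"
triage soundux "$SAMPLE_CONNECTIONS" "$SAMPLE_MODULES"   # sample run
```

A result of daemon-policy means the plug is connected and the remaining denial comes from the PulseAudio daemon, so changing the pactl path or layout will not help.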

So I have no other option than applying for a classic confinement?

With the current version of the policy module, I don’t think the restrictions on module loading differentiate between strict and classic confinement.

I tested it in an Ubuntu 20.04 LTS VM and it works perfectly fine under the classic confinement

You’re right. It looks like the patches I provided were refactored a bit by the security team, and we did in fact fix the “module loading by classic snaps” problem, as outlined in bug #1886854.