User:Trickygnome/Pulseaudio sandboxing

From Gentoo Wiki

PulseAudio is run as a server by the applications that require it. It provides an additional configuration interface on top of the low-level ALSA system, so many applications work directly with PulseAudio.

When we run applications under several users (for simple sandboxing), we need either several PulseAudio daemons or client configurations that connect to one daemon. The PulseAudio security model encourages us not to run one daemon as root and not to use direct file access, but instead to rely on sockets configured with cookie authentication.

The simplest way is to run an isolated daemon per user, like this:

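FILE run_firefox.sh
#!/bin/sh
# Runtime directory of the PulseAudio daemon owned by the "ff" user; doas passes it on via setenv.
export PULSE_RUNTIME_PATH=/home/ff/pulse
# Absolute paths, so each command matches its cmd rule in doas.conf (mkdir assumed at /bin/mkdir).
doas -u ff /bin/mkdir -p /home/ff/pulse/
doas -u ff /usr/bin/pulseaudio --start
doas -u ff /usr/bin/firefox
FILE /etc/doas.conf
# "as ff" limits each rule to the sandbox user; without it larry could run
# these commands as any user, root included, without a password.
permit nopass larry as ff cmd /bin/mkdir args -p /home/ff/pulse/
permit setenv { PULSE_RUNTIME_PATH } nopass larry as ff cmd /usr/bin/pulseaudio
permit setenv { PULSE_RUNTIME_PATH } nopass larry as ff cmd /usr/bin/firefox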


To configure audio for the "ff" user, you may copy the ALSA config .asoundrc to the /home/ff/ folder or use the PulseAudio tools.

We were able to avoid PulseAudio configuration and stick with ALSA, and to configure Mozilla Firefox to run over PulseAudio in a simple sandbox where every PulseAudio daemon runs isolated.
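An added example (not part of the original page): a shell check for the doas rules this setup depends on. It flags `nopass` rules that omit `as` (doas then allows every target user, root included), omit `cmd` (any command is allowed), or name a command by a non-absolute path; the function names and sample rules are constructed for illustration, and tokens are assumed to be whitespace-separated as in the rules on this page.

```shell
#!/bin/sh
# Added example: audit doas.conf "permit ... nopass" rules read from stdin.
# Prints one finding per line (prefixed with the line number) and
# returns 1 if anything was flagged, 0 otherwise.
audit_doas_rules() {
    awk '
    /^[ \t]*#/ { next }                    # skip comments
    NF == 0    { next }                    # skip blank lines
    $1 == "permit" {
        nopass = has_as = has_cmd = 0; cmd = ""
        for (i = 2; i <= NF; i++) {
            # skip the variable list of setenv { ... }
            if ($i == "{") { while (i <= NF && $i != "}") i++; continue }
            # everything after "cmd" is the command and its arguments
            if ($i == "cmd") { has_cmd = 1; cmd = $(i + 1); break }
            if ($i == "nopass") nopass = 1
            if ($i == "as") has_as = 1
        }
        if (!nopass) next                  # password-protected rules are out of scope
        if (!has_as) {
            print NR ": no \"as\" target, rule applies to every user including root"; bad = 1
        }
        if (!has_cmd) {
            print NR ": no \"cmd\", rule allows any command"; bad = 1
        } else if (cmd !~ /^\//) {
            print NR ": cmd \"" cmd "\" is not an absolute path"; bad = 1
        }
    }
    END { exit bad + 0 }
    '
}

# Constructed sample rules, not taken from a real system.
sample_rules() {
    cat <<'EOF'
# constructed sample
permit setenv { PULSE_RUNTIME_PATH } nopass larry cmd /usr/bin/pulseaudio
permit setenv { PULSE_RUNTIME_PATH } nopass larry as ff cmd /usr/bin/pulseaudio
permit nopass larry as ff cmd firefox
permit nopass larry as ff
permit persist larry
EOF
}

sample_rules | audit_doas_rules || true
```

To audit a real configuration, run `audit_doas_rules < /etc/doas.conf` as a user allowed to read that file.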

For a less isolated approach, see:

See also
Simple_sandbox#Configure_Firefox_to_output_sound_to_larry.27s_PulseAudio_daemon