pipewire wireplumber can not detect the sound output device when using an unofficial linux kernel

Status changed to 'Confirmed' because the bug affects multiple users.

I believe this is the same problem affecting myself and a few others that began a few days ago (echoed by a few other posts). It may currently only affect ubuntu Noble (22.04) but conceivably will begin to affect more users on later kernels.
https://ubuntuforums.org/showthread.php?t=2494753
https://www.reddit.com/r/rhinolinux/comments/19f4yqc/sound_problems_in_firefoxchrome/

The problem began specifically when upgrading wireplumber from 0.4.17-1 to 0.4.17-1ubuntu1 and downgrading back does undo the problem.

Devices are 'visible' to the system (via wpctl status etc), they just can't be used. Reverting wireplumber versions and restarting the service brings audio devices straight back. (See ubuntuforum link if an affected reader needs further info on downgrading).

Removing apparmor (which will still leave package "libapparmor1") does not alleviate the problem.
Problem occurs even on the current latest apparmor (4.0.0~alpha2-0ubuntu8).

The problem does not occur on noble's 6.6.0-14 ubuntu kernel
(which is built with config option CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS=y).

Subsequent kernels after this however, including the latest upstream AND recent Ubuntu mainlines (6.7.2, 6.8.1rc1 as mentioned and I can confirm) no longer have this kernel config option (code was removed/replaced) and do have the bug.
Ultimately: I suspect recent kernels may be missing other (now necessary?) apparmor plumbing on the kernel side relating to user namespace protections.

Noticing "pipewire-pulse[]: default: snap_get_audio_permissions: failed to get the AppArmor info."
I did follow the thorough (and well written) guidance https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction and https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046624 to create quick usr.bin.wireplumber and pipewire profiles in /etc/apparmor.d, hoping that the problem simply needed userns profiles to begin working, but to no affect - as some functionality is perhaps still not there.

To give a clearer picture:
(BAD: Ubuntu mainline kernel 6.7.2):

cat: /proc/sys/kernel/apparmor_restrict_unprivileged_userns: No such file or directory
cat: /proc/sys/kernel/unprivileged_userns_clone: No such file or directory
cat: /sys/kernel/security/apparmor/features/namespaces/userns_create: No such file or directory
sudo cat /sys/kernel/security/apparmor/features/namespaces/mask: userns_create

(GOOD: Ubuntu 22.04 6.6.0-14-generic):
cat /proc/sys/kernel/apparmor_restrict_unprivileged_userns: 1
cat /proc/sys/kernel/unprivileged_userns_clone: 1
cat /sys/kernel/security/apparmor/features/namespaces/userns_create: No such file or directory
sudo cat /sys/kernel/security/apparmor/features/namespaces/mask: userns_create

Potentially something on the kernel side for apparmor is still cooking and hasn't yet made it upstream but wireplumber insists on it now?

Tried out the 6.7 kernel debs from
https://launchpad.net/~apparmor-dev/+archive/ubuntu/apparmor-devel/+packages
and this kernel also works splendidly without the audio bug.

uname: 6.7.0-2-generic #2+userns3-Ubuntu SMP PREEMPT_DYNAMIC Tue Jan 23 15:17:50 UTC 20 x86_64 x86_64 x86_64 GNU/Linux

cat /proc/sys/kernel/apparmor_restrict_unprivileged_userns: 1
cat /proc/sys/kernel/unprivileged_userns_clone: 1
cat /sys/kernel/security/apparmor/features/namespaces/userns_create: pciu&
sudo cat /sys/kernel/security/apparmor/features/namespaces/mask: userns_create

Status changed to 'Confirmed' because the bug affects multiple users.

A slightly revised version of this kernel should be showing up in the Ubuntu unstable kernel builds this week.

I dug into the relevant code, and found that in file debian/patches/ubuntu/Add-missing-files.patch, when aa_getpeercon(fd, &aa_label, &snap_confinement) returns -1, the value of errno is ENOPROTOOPT.

This means that something went wrong in https://gitlab.com/apparmor/apparmor/-/blob/253eace57316aadd4dd01e3da7797d97b590d62e/libraries/libapparmor/src/kernel.c#L1039

I added a patch and recompiled the pipewire package, pipewire-pulse works again.
--- a/src/modules/module-protocol-pulse/snap-policy.c
+++ b/src/modules/module-protocol-pulse/snap-policy.c
@@ -61,7 +61,7 @@ pw_sandbox_access_t pw_snap_get_audio_permissions(struct client *client, int fd,
     assert(client != NULL);

     if (aa_getpeercon(fd, &aa_label, &snap_confinement) == -1) {
- if (errno == EINVAL) {
+ if (errno == EINVAL || errno == ENOPROTOOPT) {
             // if apparmor isn't enabled, we can safely assume that there are no SNAPs in the system
             return PW_SANDBOX_ACCESS_NOT_A_SANDBOX;
         }

I'm the author of the patch. The man page says nothing about ENOPROTOOPT, that's why I didn't managed that error. Clearly it is incomplete. Does anybody know where to send a patch for that?

EDIT: filled an issue in the gitlab repository.

Ok, people from the apparmor mailing list explained that ENOPROTOOPT error is returned when the kernel doesn't have "fine grained unix mediation", and that it still hasn't been merged upstream, so it's a patch that has to be manually merged.

I prepared a patch.

Lovely stuff, thank you!

Confirming pipewire 1.0.1-1ubuntu3 is now available in noble-proposed and works a charm.
A quick "systemctl --user restart pipewire*.service" or reboot has audio working again on mainline and upstream kernels.

This bug was fixed in the package pipewire - 1.0.1-1ubuntu3

---------------
pipewire (1.0.1-1ubuntu3) noble; urgency=medium

  * Fix broken audio when using a kernel without
    "fine grained unix mediation" patch (LP: #2051504, LP: #2051454)

 -- Sergio Costas Rodriguez <email address hidden> Mon, 29 Jan 2024 19:03:45 +0200