Comment 2 for bug 2051454

Anthony Harrington (linuxchemist) wrote:

I believe this is the same problem affecting myself and a few others that began a few days ago (echoed by a few other posts). It may currently only affect Ubuntu Noble (22.04) but conceivably will begin to affect more users on later kernels.
https://ubuntuforums.org/showthread.php?t=2494753
https://www.reddit.com/r/rhinolinux/comments/19f4yqc/sound_problems_in_firefoxchrome/

The problem began specifically when upgrading wireplumber from 0.4.17-1 to 0.4.17-1ubuntu1 and downgrading back does undo the problem.

Devices are 'visible' to the system (via wpctl status etc), they just can't be used. Reverting wireplumber versions and restarting the service brings audio devices straight back. (See ubuntuforum link if an affected reader needs further info on downgrading).

Removing apparmor (which will still leave package "libapparmor1") does not alleviate the problem.
Problem occurs even on the current latest apparmor (4.0.0~alpha2-0ubuntu8).

The problem does not occur on Noble's 6.6.0-14 Ubuntu kernel
(which is built with config option CONFIG_SECURITY_APPARMOR_RESTRICT_USERNS=y).

Subsequent kernels after this however, including the latest upstream AND recent Ubuntu mainlines (6.7.2, 6.8.1rc1 as mentioned and I can confirm) no longer have this kernel config option (code was removed/replaced) and do have the bug.
Ultimately: I suspect recent kernels may be missing other (now necessary?) apparmor plumbing on the kernel side relating to user namespace protections.

Noticing "pipewire-pulse[]: default: snap_get_audio_permissions: failed to get the AppArmor info."
I did follow the thorough (and well written) guidance https://gitlab.com/apparmor/apparmor/-/wikis/unprivileged_userns_restriction and https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/2046624 to create quick usr.bin.wireplumber and pipewire profiles in /etc/apparmor.d, hoping that the problem simply needed userns profiles to begin working, but to no effect - as some functionality is perhaps still not there.

To give a clearer picture:
(BAD: Ubuntu mainline kernel 6.7.2):

cat: /proc/sys/kernel/apparmor_restrict_unprivileged_userns: No such file or directory
cat: /proc/sys/kernel/unprivileged_userns_clone: No such file or directory
cat: /sys/kernel/security/apparmor/features/namespaces/userns_create: No such file or directory
sudo cat /sys/kernel/security/apparmor/features/namespaces/mask: userns_create

(GOOD: Ubuntu 22.04 6.6.0-14-generic):
cat /proc/sys/kernel/apparmor_restrict_unprivileged_userns: 1
cat /proc/sys/kernel/unprivileged_userns_clone: 1
cat /sys/kernel/security/apparmor/features/namespaces/userns_create: No such file or directory
sudo cat /sys/kernel/security/apparmor/features/namespaces/mask: userns_create

Potentially something on the kernel side for apparmor is still cooking and hasn't yet made it upstream but wireplumber insists on it now?
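
The four checks listed in the comment above, collected into one script so the same listing can be produced on any kernel. This is an added example, not part of the original comment or of any Ubuntu tooling; the function names and the optional ROOT prefix argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. ROOT is a hypothetical prefix argument so the functions can
# be run against a constructed directory tree; leave it empty on a live system.

USERNS_PATHS="proc/sys/kernel/apparmor_restrict_unprivileged_userns
proc/sys/kernel/unprivileged_userns_clone
sys/kernel/security/apparmor/features/namespaces/userns_create
sys/kernel/security/apparmor/features/namespaces/mask"

# Print the state of one path: its contents, or why it could not be read.
read_state() {
    if [ ! -e "$1" ]; then
        echo "missing"
    elif [ -d "$1" ]; then
        echo "present (directory)"
    elif [ ! -r "$1" ]; then
        echo "unreadable (retry with sudo)"
    else
        # Collapse newlines and repeated whitespace into single spaces.
        tr -s '[:space:]' ' ' < "$1" | sed 's/ *$//'
    fi
}

# One "path: state" line per indicator, in the order used in the comment.
userns_report() {
    for p in $USERNS_PATHS; do
        printf '/%s: %s\n' "$p" "$(read_state "$1/$p")"
    done
}

# Compare the two sysctls with the listings in the comment:
#   both present -> same pattern as the listing from the working 6.6.0-14 kernel
#   both absent  -> same pattern as the listing from the failing 6.7.2 kernel
userns_classify() {
    a="$1/proc/sys/kernel/apparmor_restrict_unprivileged_userns"
    b="$1/proc/sys/kernel/unprivileged_userns_clone"
    if [ -e "$a" ] && [ -e "$b" ]; then
        echo "like-working-listing"
    elif [ ! -e "$a" ] && [ ! -e "$b" ]; then
        echo "like-failing-listing"
    else
        echo "mixed"
    fi
}

userns_report "${1:-}"
echo "sysctl pattern: $(userns_classify "${1:-}")"
```

On a live system run it with sudo, as the comment does for the mask file.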