Diffstat (limited to 'meta-pipewire/dynamic-layers/meta-app-framework')
-rw-r--r--meta-pipewire/dynamic-layers/meta-app-framework/recipes-core/packagegroups/packagegroup-pipewire.bbappend1
-rw-r--r--meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl/client.env10
-rw-r--r--meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl/pipewire.conf.in17
-rw-r--r--meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl/server.env12
-rw-r--r--meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl_git.bb43
-rw-r--r--meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/0001-modules-add-new-access-seclabel-module.patch265
-rw-r--r--meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.conf59
-rw-r--r--meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.service24
-rw-r--r--meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.socket16
-rw-r--r--meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire@.service24
-rw-r--r--meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire@.socket19
-rw-r--r--meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire_0.3.25.bbappend33
-rw-r--r--meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire_git.bbappend32
-rw-r--r--meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/50-access-agl.lua1
-rw-r--r--meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/access-smack.lua17
-rw-r--r--meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl_git.bbappend15
16 files changed, 430 insertions, 158 deletions
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-core/packagegroups/packagegroup-pipewire.bbappend b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-core/packagegroups/packagegroup-pipewire.bbappend
index d87bd581e..92ebf837f 100644
--- a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-core/packagegroups/packagegroup-pipewire.bbappend
+++ b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-core/packagegroups/packagegroup-pipewire.bbappend
@@ -1,4 +1,3 @@
RDEPENDS_${PN} += " \
agl-service-audiomixer \
- bluez-alsa-pipewire \
"
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl/client.env b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl/client.env
deleted file mode 100644
index 9b44cee01..000000000
--- a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl/client.env
+++ /dev/null
@@ -1,10 +0,0 @@
-# This file contains environment variables that will apply
-# to pipewire clients started by the application framework
-
-# libpipewire by default tries to obtain real-time scheduling
-# for the streaming thread. This is only useful on the desktop, disable here.
-DISABLE_RTKIT=1
-
-# Uncomment to enable libpipewire debug for clients
-# 1=error, 2=warning, 3=info, 4=debug, 5=trace
-#PIPEWIRE_DEBUG=4
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl/pipewire.conf.in b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl/pipewire.conf.in
deleted file mode 100644
index 6c055bcff..000000000
--- a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl/pipewire.conf.in
+++ /dev/null
@@ -1,17 +0,0 @@
-# daemon config file for PipeWire version "0.2.9"
-# distributed by Automotive Grade Linux
-
-add-spa-lib audio.convert* audioconvert/libspa-audioconvert
-add-spa-lib api.alsa.* alsa/libspa-alsa
-add-spa-lib api.v4l2.* v4l2/libspa-v4l2
-add-spa-lib api.bluez5.* bluez5/libspa-bluez5
-
-load-module libpipewire-module-protocol-native
-load-module libpipewire-module-spa-node-factory
-load-module libpipewire-module-client-node
-load-module libpipewire-module-client-device
-load-module libpipewire-module-access same-sec-label-mode=1
-load-module libpipewire-module-adapter
-load-module libpipewire-module-link-factory
-load-module libpipewire-module-session-manager
-exec /usr/bin/wireplumber
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl/server.env b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl/server.env
deleted file mode 100644
index c74b941d6..000000000
--- a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl/server.env
+++ /dev/null
@@ -1,12 +0,0 @@
-# This file contains environment variables that will apply
-# to the pipewire daemon as well as its session manager
-
-# Disable rtkit for wireplumber, which is also a client
-DISABLE_RTKIT=1
-
-# Uncomment to enable wireplumber debug
-#G_MESSAGES_DEBUG=all
-
-# Uncomment to enable pipewire debug
-# 1=error, 2=warning, 3=info, 4=debug, 5=trace
-#PIPEWIRE_DEBUG=4
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl_git.bb b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl_git.bb
deleted file mode 100644
index a28c6534e..000000000
--- a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl_git.bb
+++ /dev/null
@@ -1,43 +0,0 @@
-SUMMARY = "AGL configuration file for pipewire"
-HOMEPAGE = "https://pipewire.org"
-BUGTRACKER = "https://jira.automotivelinux.org"
-AUTHOR = "George Kiagiadakis <george.kiagiadakis@collabora.com>"
-SECTION = "multimedia"
-
-LICENSE = "MIT"
-LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302"
-
-SRC_URI = " \
- file://pipewire.conf.in \
- file://client.env \
- file://server.env \
- "
-
-do_configure[noexec] = "1"
-do_compile[noexec] = "1"
-
-do_install_append() {
- # enable optional features in the config
- BLUEZ5=${@bb.utils.contains('DISTRO_FEATURES', 'bluez5', '', '#', d)}
- sed -e "s/#IF_BLUEZ5 /${BLUEZ5}/" ${WORKDIR}/pipewire.conf.in > ${WORKDIR}/pipewire.conf
-
- # install our custom config
- install -d ${D}/${sysconfdir}/pipewire/
- install -m 0644 ${WORKDIR}/pipewire.conf ${D}${sysconfdir}/pipewire/pipewire.conf
-
- # install environment variable files
- install -d ${D}/${sysconfdir}/afm/unit.env.d/
- install -m 0644 ${WORKDIR}/client.env ${D}/${sysconfdir}/afm/unit.env.d/pipewire
- install -m 0644 ${WORKDIR}/server.env ${D}${sysconfdir}/pipewire/environment
-}
-
-FILES_${PN} = "\
- ${sysconfdir}/pipewire/* \
- ${sysconfdir}/afm/unit.env.d/* \
-"
-CONFFILES_${PN} += "\
- ${sysconfdir}/pipewire/* \
- ${sysconfdir}/afm/unit.env.d/* \
-"
-
-RPROVIDES_${PN} += "virtual/pipewire-config"
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/0001-modules-add-new-access-seclabel-module.patch b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/0001-modules-add-new-access-seclabel-module.patch
new file mode 100644
index 000000000..7885dfa37
--- /dev/null
+++ b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/0001-modules-add-new-access-seclabel-module.patch
@@ -0,0 +1,265 @@
+From a949b090e9d4d11c300fb23b416a2cc69483962b Mon Sep 17 00:00:00 2001
+From: George Kiagiadakis <george.kiagiadakis@collabora.com>
+Date: Tue, 16 Feb 2021 17:26:20 +0200
+Subject: [PATCH] modules: add new access-seclabel module
+
+This module allows access control based on the security label
+of the client. It is tailored for use with the semantics of SMACK
+
+Upstream-Status: Inappropriate [smack specific]
+---
+ src/modules/meson.build | 10 ++
+ src/modules/module-access-seclabel.c | 220 +++++++++++++++++++++++++++
+ 2 files changed, 230 insertions(+)
+ create mode 100644 src/modules/module-access-seclabel.c
+
+diff --git a/src/modules/meson.build b/src/modules/meson.build
+index 8c9ccc85..234cff6b 100644
+--- a/src/modules/meson.build
++++ b/src/modules/meson.build
+@@ -14,6 +14,16 @@ pipewire_module_access = shared_library('pipewire-module-access', [ 'module-acce
+ dependencies : [mathlib, dl_lib, pipewire_dep],
+ )
+
++pipewire_module_access_seclabel = shared_library('pipewire-module-access-seclabel',
++ [ 'module-access-seclabel.c' ],
++ c_args : pipewire_module_c_args,
++ include_directories : [configinc, spa_inc],
++ install : true,
++ install_dir : modules_install_dir,
++ install_rpath: modules_install_dir,
++ dependencies : [mathlib, dl_lib, pipewire_dep],
++)
++
+ pipewire_module_profiler = shared_library('pipewire-module-profiler',
+ [ 'module-profiler.c',
+ 'module-profiler/protocol-native.c', ],
+diff --git a/src/modules/module-access-seclabel.c b/src/modules/module-access-seclabel.c
+new file mode 100644
+index 00000000..3739f2e4
+--- /dev/null
++++ b/src/modules/module-access-seclabel.c
+@@ -0,0 +1,220 @@
++/* PipeWire
++ *
++ * Copyright © 2018 Wim Taymans
++ * Copyright © 2021 Collabora Ltd.
++ * @author George Kiagiadakis <george.kiagiadakis@collabora.com>
++ *
++ * Permission is hereby granted, free of charge, to any person obtaining a
++ * copy of this software and associated documentation files (the "Software"),
++ * to deal in the Software without restriction, including without limitation
++ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
++ * and/or sell copies of the Software, and to permit persons to whom the
++ * Software is furnished to do so, subject to the following conditions:
++ *
++ * The above copyright notice and this permission notice (including the next
++ * paragraph) shall be included in all copies or substantial portions of the
++ * Software.
++ *
++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
++ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
++ * DEALINGS IN THE SOFTWARE.
++ */
++
++#include <string.h>
++#include <stdio.h>
++#include <errno.h>
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <sys/vfs.h>
++#include <fcntl.h>
++#include <unistd.h>
++
++#include "config.h"
++
++#include <spa/utils/result.h>
++#include <spa/utils/json.h>
++
++#include <pipewire/impl.h>
++#include <pipewire/private.h>
++
++#define NAME "access-seclabel"
++
++#define MODULE_USAGE "[ seclabel.allowed=<cmd-line> ] " \
++ "[ seclabel.rejected=<cmd-line> ] " \
++ "[ seclabel.restricted=<cmd-line> ] " \
++
++static const struct spa_dict_item module_props[] = {
++ { PW_KEY_MODULE_AUTHOR, "George Kiagiadakis <george.kiagiadakis@collabora.com>" },
++ { PW_KEY_MODULE_DESCRIPTION, "Perform access check based on the security label" },
++ { PW_KEY_MODULE_USAGE, MODULE_USAGE },
++ { PW_KEY_MODULE_VERSION, PACKAGE_VERSION },
++};
++
++struct impl {
++ struct pw_context *context;
++ struct pw_properties *properties;
++
++ struct spa_hook context_listener;
++ struct spa_hook module_listener;
++};
++
++static int check_label(const char *label, const char *str)
++{
++ char key[1024];
++ int res = 0;
++ struct spa_json it[2];
++
++ spa_json_init(&it[0], str, strlen(str));
++ if ((res = spa_json_enter_array(&it[0], &it[1])) <= 0)
++ goto exit;
++
++ res = 0;
++ while (spa_json_get_string(&it[1], key, sizeof(key)) > 0) {
++ if (strcmp(label, key) == 0) {
++ res = 1;
++ break;
++ }
++ }
++exit:
++ return res;
++}
++
++static void
++context_check_access(void *data, struct pw_impl_client *client)
++{
++ struct impl *impl = data;
++ struct pw_permission permissions[1];
++ struct spa_dict_item items[2];
++ const struct pw_properties *props;
++ const char *str, *access, *label = NULL;
++ int res;
++
++ if ((props = pw_impl_client_get_properties(client)) != NULL) {
++ if ((str = pw_properties_get(props, PW_KEY_ACCESS)) != NULL) {
++ pw_log_info(NAME " client %p: has already access: '%s'", client, str);
++ return;
++ }
++ label = pw_properties_get(props, PW_KEY_SEC_LABEL);
++ }
++
++ if (!label) {
++ pw_log_info(NAME " client %p: has no security label", client);
++ return;
++ }
++
++ if (impl->properties && (str = pw_properties_get(impl->properties, "seclabel.allowed")) != NULL) {
++ res = check_label(label, str);
++ if (res < 0) {
++ pw_log_warn(NAME" %p: client %p allowed check failed: %s",
++ impl, client, spa_strerror(res));
++ } else if (res > 0) {
++ access = "allowed";
++ goto granted;
++ }
++ }
++
++ if (impl->properties && (str = pw_properties_get(impl->properties, "seclabel.rejected")) != NULL) {
++ res = check_label(label, str);
++ if (res < 0) {
++ pw_log_warn(NAME" %p: client %p rejected check failed: %s",
++ impl, client, spa_strerror(res));
++ } else if (res > 0) {
++ res = -EACCES;
++ access = "rejected";
++ goto rejected;
++ }
++ }
++
++ if (impl->properties && (str = pw_properties_get(impl->properties, "seclabel.restricted")) != NULL) {
++ res = check_label(label, str);
++ if (res < 0) {
++ pw_log_warn(NAME" %p: client %p restricted check failed: %s",
++ impl, client, spa_strerror(res));
++ }
++ else if (res > 0) {
++ pw_log_debug(NAME" %p: restricted client %p added", impl, client);
++ access = "restricted";
++ goto wait_permissions;
++ }
++ }
++
++ return;
++
++granted:
++ pw_log_info(NAME" %p: client %p '%s' access granted", impl, client, access);
++ items[0] = SPA_DICT_ITEM_INIT(PW_KEY_ACCESS, access);
++ pw_impl_client_update_properties(client, &SPA_DICT_INIT(items, 1));
++
++ permissions[0] = PW_PERMISSION_INIT(PW_ID_ANY, PW_PERM_ALL);
++ pw_impl_client_update_permissions(client, 1, permissions);
++ return;
++
++wait_permissions:
++ pw_log_info(NAME " %p: client %p wait for '%s' permissions",
++ impl, client, access);
++ items[0] = SPA_DICT_ITEM_INIT(PW_KEY_ACCESS, access);
++ pw_impl_client_update_properties(client, &SPA_DICT_INIT(items, 1));
++ return;
++
++rejected:
++ pw_resource_error(pw_impl_client_get_core_resource(client), res, access);
++ items[0] = SPA_DICT_ITEM_INIT(PW_KEY_ACCESS, access);
++ pw_impl_client_update_properties(client, &SPA_DICT_INIT(items, 1));
++ return;
++}
++
++static const struct pw_context_events context_events = {
++ PW_VERSION_CONTEXT_EVENTS,
++ .check_access = context_check_access,
++};
++
++static void module_destroy(void *data)
++{
++ struct impl *impl = data;
++
++ spa_hook_remove(&impl->context_listener);
++ spa_hook_remove(&impl->module_listener);
++
++ if (impl->properties)
++ pw_properties_free(impl->properties);
++
++ free(impl);
++}
++
++static const struct pw_impl_module_events module_events = {
++ PW_VERSION_IMPL_MODULE_EVENTS,
++ .destroy = module_destroy,
++};
++
++SPA_EXPORT
++int pipewire__module_init(struct pw_impl_module *module, const char *args)
++{
++ struct pw_context *context = pw_impl_module_get_context(module);
++ struct pw_properties *props;
++ struct impl *impl;
++
++ impl = calloc(1, sizeof(struct impl));
++ if (impl == NULL)
++ return -errno;
++
++ pw_log_debug(NAME" module %p: new %s", impl, args);
++
++ if (args)
++ props = pw_properties_new_string(args);
++ else
++ props = NULL;
++
++ impl->context = context;
++ impl->properties = props;
++
++ pw_context_add_listener(context, &impl->context_listener, &context_events, impl);
++ pw_impl_module_add_listener(module, &impl->module_listener, &module_events, impl);
++
++ pw_impl_module_update_properties(module, &SPA_DICT_INIT_ARRAY(module_props));
++
++ return 0;
++}
+--
+2.30.0
+
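Review bot: In context_check_access (module-access-seclabel.c inside this patch) a label that appears in both `seclabel.allowed` and `seclabel.rejected` is granted PW_PERM_ALL, because the allowed list is consulted first and jumps to `granted` before the rejected list is ever read. For an access-control hook the usual expectation is that an explicit reject overrides an allow, so either evaluate the `seclabel.rejected` block ahead of the `seclabel.allowed` block or state the precedence next to the first lookup, e.g. `/* precedence: allowed > rejected > restricted; a label present in several lists takes the first match */`. check_label also folds "value is not a JSON array" into the same return path as other failures, so the `spa_strerror(res)` text in the warning may not describe the real cause (I could not confirm spa_json_enter_array's result for a non-array from the hunk); a dedicated log line for a malformed list would make a config typo visible instead of silently denying every client. Likewise pipewire__module_init continues with `props == NULL` when pw_properties_new_string() cannot parse `args`, which disables every rule without a message; logging that case is cheap.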
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.conf b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.conf
new file mode 100644
index 000000000..bc0c89ac0
--- /dev/null
+++ b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.conf
@@ -0,0 +1,59 @@
+context.properties = {
+ core.daemon = true
+ core.name = pipewire-0
+ support.dbus = false
+ link.max-buffers = 16
+
+ # 1=error, 2=warning, 3=info, 4=debug, 5=trace
+ log.level = 2
+
+ ## Properties for the DSP configuration.
+ default.clock.rate = 48000
+ default.clock.quantum = 1024
+ default.clock.min-quantum = 512
+ default.clock.max-quantum = 8192
+}
+
+context.spa-libs = {
+ audio.convert.* = audioconvert/libspa-audioconvert
+ api.alsa.* = alsa/libspa-alsa
+ api.v4l2.* = v4l2/libspa-v4l2
+ support.* = support/libspa-support
+}
+
+context.modules = [
+ { name = libpipewire-module-protocol-native }
+ { name = libpipewire-module-metadata }
+ { name = libpipewire-module-spa-device-factory }
+ { name = libpipewire-module-spa-node-factory }
+ { name = libpipewire-module-client-node }
+ { name = libpipewire-module-client-device }
+ { name = libpipewire-module-adapter }
+ { name = libpipewire-module-link-factory }
+ { name = libpipewire-module-session-manager }
+
+ # allow clients with the "System" SMACK label
+ # such a client is also the session manager (wireplumber)
+ {
+ name = libpipewire-module-access-seclabel
+ args= {
+ seclabel.allowed = [ System ]
+ }
+ }
+
+ # and restrict all other clients
+ {
+ name = libpipewire-module-access
+ args= {
+ access.force = restricted
+ }
+ }
+
+ # The profile module. Allows application to access profiler
+ # and performance data. It provides an interface that is used
+ # by pw-top and pw-profiler.
+ #{ name = libpipewire-module-profiler }
+]
+
+context.objects = {}
+context.exec = {}
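Review bot: The two access modules in `context.modules` depend on their relative order but nothing in the file says so: libpipewire-module-access-seclabel returns early when `pipewire.access` is already set, and libpipewire-module-access with `access.force = restricted` sets it for every client, so swapping the two entries would leave `System`-labelled clients (including wireplumber) restricted. Suggest a comment above the seclabel entry: `# NOTE: must precede libpipewire-module-access, which force-sets pipewire.access for every client`. The `seclabel.allowed = [ System ]` entry grants the full permission set on every object to any process carrying that label, not only the session manager; the existing comment could say so explicitly so nobody later adds a broader label there without noticing what it implies.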
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.service b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.service
new file mode 100644
index 000000000..b37fe2551
--- /dev/null
+++ b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=Multimedia Service
+Requires=pipewire.socket
+
+[Service]
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+NoNewPrivileges=yes
+RestrictNamespaces=yes
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+Type=simple
+ExecStart=/usr/bin/pipewire
+Restart=on-failure
+RuntimeDirectory=pipewire
+RuntimeDirectoryPreserve=yes
+User=pipewire
+Environment=PIPEWIRE_RUNTIME_DIR=%t/pipewire
+SmackProcessLabel=System::Pipewire
+UMask=0077
+
+[Install]
+Also=pipewire.socket
+WantedBy=default.target
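Review bot: The new system unit drops `CapabilityBoundingSet=` and `SupplementaryGroups=audio`, both of which the removed pipewire@.service carried, while adding the other hardening directives. With `User=pipewire` an empty bounding set costs nothing and guarantees the daemon can never hold capabilities however it is started, so `CapabilityBoundingSet=` is worth restoring under `[Service]`. Whether the `pipewire` user can open the ALSA devices without `SupplementaryGroups=audio` depends on how that user is created elsewhere in the layer, which this diff does not show; confirm that before relying on the omission. `ProtectSystem=` and `ProtectHome=` would also fit naturally next to the existing `NoNewPrivileges=yes`/`RestrictNamespaces=yes` set.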
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.socket b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.socket
new file mode 100644
index 000000000..a83435be4
--- /dev/null
+++ b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.socket
@@ -0,0 +1,16 @@
+[Unit]
+Description=Multimedia System
+
+[Socket]
+Priority=6
+Backlog=5
+ListenStream=%t/pipewire/pipewire-0
+SocketUser=pipewire
+SocketGroup=pipewire
+SocketMode=0666
+SmackLabel=*
+SmackLabelIPIn=System
+SmackLabelIPOut=System
+
+[Install]
+WantedBy=sockets.target
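Review bot: `SocketMode=0666` makes the listening socket connectable by every local user at the DAC level, so the only thing gating a connection is SMACK: `SmackLabelIPIn=System` requires the connecting subject to have write access to the `System` label, and the rules granting that presumably live in the `smack-pipewire` file the bbappend installs as `${sysconfdir}/smack/accesses.d/pipewire`, not in this unit. That dependency should be stated here so the mode is not "tightened" to 0660 later by someone who does not see the SMACK side, e.g. `# 0666 is intentional: connect access is mediated by SMACK (SmackLabelIPIn=System, see /etc/smack/accesses.d/pipewire)`. If the intent is instead to limit connections to members of the pipewire group, the removed template's `SocketMode=0660` with matching SocketUser/SocketGroup was the tighter choice.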
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire@.service b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire@.service
deleted file mode 100644
index e116dc1fa..000000000
--- a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire@.service
+++ /dev/null
@@ -1,24 +0,0 @@
-[Unit]
-Description=Multimedia Service for user %i
-Requires=pipewire@%i.socket
-
-[Install]
-Also=pipewire@%i.socket
-
-[Service]
-Type=simple
-Restart=on-failure
-ExecStart=/usr/bin/pipewire
-
-Environment=XDG_RUNTIME_DIR=/run/user/%i
-Environment=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/%i/bus
-EnvironmentFile=-/etc/pipewire/environment
-
-User=%i
-Slice=user-%i.slice
-SmackProcessLabel=System::Pipewire
-SupplementaryGroups=audio
-UMask=0077
-CapabilityBoundingSet=
-SystemCallFilter=@basic-io @file-system @io-event @ipc \
- @memlock @network-io @process @resources @signal
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire@.socket b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire@.socket
deleted file mode 100644
index 10cb32276..000000000
--- a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire@.socket
+++ /dev/null
@@ -1,19 +0,0 @@
-[Unit]
-Description=Multimedia Service socket for user %i
-Requires=afm-user-setup@%i.service
-After=afm-user-setup@%i.service
-
-[Socket]
-Priority=6
-Backlog=5
-ListenStream=/run/user/%i/pipewire-0
-Service=pipewire@%i.service
-SmackLabel=*
-SmackLabelIPIn=System
-SmackLabelIPOut=System
-SocketUser=%i
-SocketGroup=%i
-SocketMode=0660
-
-[Install]
-WantedBy=afm-user-session@%i.target
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire_0.3.25.bbappend b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire_0.3.25.bbappend
new file mode 100644
index 000000000..d5e52de98
--- /dev/null
+++ b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire_0.3.25.bbappend
@@ -0,0 +1,33 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/pipewire:"
+
+SRC_URI_append= "\
+ file://0001-modules-add-new-access-seclabel-module.patch \
+ file://pipewire.conf \
+ file://pipewire.service \
+ file://pipewire.socket \
+ file://smack-pipewire \
+"
+
+do_install_append() {
+ # replace the original config with our smack-aware config
+ rm -f ${D}${sysconfdir}/pipewire/pipewire.conf
+ install -m 0644 ${WORKDIR}/pipewire.conf ${D}${sysconfdir}/pipewire/pipewire.conf
+
+ if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
+ # remove the original unit files shipped by pipewire
+ rm -rf ${D}${systemd_system_unitdir}/pipewire.*
+
+ # install our own system-level templates
+ mkdir -p ${D}${systemd_system_unitdir}/
+ install -m 0644 ${WORKDIR}/pipewire.service ${D}${systemd_system_unitdir}/pipewire.service
+ install -m 0644 ${WORKDIR}/pipewire.socket ${D}${systemd_system_unitdir}/pipewire.socket
+
+ # install smack rules
+ mkdir -p ${D}${sysconfdir}/smack/accesses.d
+ install -m 0644 ${WORKDIR}/smack-pipewire ${D}${sysconfdir}/smack/accesses.d/pipewire
+ fi
+}
+
+FILES_${PN}_append = "\
+ ${sysconfdir}/smack/accesses.d/* \
+"
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire_git.bbappend b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire_git.bbappend
deleted file mode 100644
index 8c9abf23e..000000000
--- a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire_git.bbappend
+++ /dev/null
@@ -1,32 +0,0 @@
-FILESEXTRAPATHS_prepend := "${THISDIR}/pipewire:"
-
-SRC_URI_append= "\
- file://pipewire@.service \
- file://pipewire@.socket \
- file://smack-pipewire \
- "
-
-do_install_append() {
- if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
- # remove the original user unit files shipped by pipewire
- rm -rf ${D}${systemd_unitdir}
-
- # install our own system-level templates
- mkdir -p ${D}${systemd_system_unitdir}/
- install -m 0644 ${WORKDIR}/pipewire@.service ${D}${systemd_system_unitdir}/pipewire@.service
- install -m 0644 ${WORKDIR}/pipewire@.socket ${D}${systemd_system_unitdir}/pipewire@.socket
-
- # enable the socket to start together with afm-user-session
- mkdir -p ${D}${systemd_system_unitdir}/afm-user-session@.target.wants
- ln -sf ../pipewire@.socket ${D}${systemd_system_unitdir}/afm-user-session@.target.wants/pipewire@.socket
-
- # install smack rules
- mkdir -p ${D}${sysconfdir}/smack/accesses.d
- install -m 0644 ${WORKDIR}/smack-pipewire ${D}${sysconfdir}/smack/accesses.d/pipewire
- fi
-}
-
-FILES_${PN}_append = "\
- ${systemd_system_unitdir}/* \
- ${sysconfdir}/smack/accesses.d/* \
-"
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/50-access-agl.lua b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/50-access-agl.lua
new file mode 100644
index 000000000..10b3d7ae3
--- /dev/null
+++ b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/50-access-agl.lua
@@ -0,0 +1 @@
+load_access("smack")
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/access-smack.lua b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/access-smack.lua
new file mode 100644
index 000000000..a662a0f20
--- /dev/null
+++ b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/access-smack.lua
@@ -0,0 +1,17 @@
+clients_om = ObjectManager {
+ Interest {
+ type = "client",
+ Constraint { "pipewire.access", "=", "restricted" },
+ }
+}
+
+clients_om:connect("object-added", function (om, client)
+ local smack_label = client["global-properties"]["pipewire.sec.label"]
+
+ if smack_label:match("^User::App::.+") then
+ -- FIXME: apps can work with less permissions
+ client:update_permissions { ["any"] = "all" }
+ end
+end)
+
+clients_om:activate()
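Review bot: `client["global-properties"]["pipewire.sec.label"]` can be nil for a restricted client that carries no security label (the C module in this same change treats that case explicitly and returns early), and `smack_label:match(...)` would then raise "attempt to index a nil value" inside the object-added handler. Guard it: `if smack_label and smack_label:match("^User::App::.+") then`; an unlabelled client then simply stays restricted, which is the fail-closed outcome. `clients_om` is also assigned as a global with no `local`; if the WirePlumber script environment allows it, `local clients_om = ObjectManager { ... }` keeps it out of the shared environment. The FIXME about granting `all` is fair, but the comment should name which permissions apps actually need so the follow-up has a target.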
diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl_git.bbappend b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl_git.bbappend
new file mode 100644
index 000000000..e94f67eff
--- /dev/null
+++ b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl_git.bbappend
@@ -0,0 +1,15 @@
+FILESEXTRAPATHS_prepend := "${THISDIR}/wireplumber-config-agl:"
+
+SRC_URI += "\
+ file://50-access-agl.lua \
+ file://access-smack.lua \
+"
+
+do_install_append() {
+ # install smack-specific config
+ config_dir="${D}${sysconfdir}/wireplumber/config.lua.d/"
+ access_dir="${D}${sysconfdir}/wireplumber/scripts/access/"
+ mkdir -p ${access_dir}
+ install -m 0644 ${WORKDIR}/50-access-agl.lua ${config_dir}
+ install -m 0644 ${WORKDIR}/access-smack.lua ${access_dir}
+}
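Review bot: `install -m 0644 ${WORKDIR}/50-access-agl.lua ${config_dir}` assumes `${D}${sysconfdir}/wireplumber/config.lua.d/` already exists, but only `${access_dir}` is created with `mkdir -p` just above; if the base wireplumber-config-agl recipe does not create config.lua.d, do_install fails. Add `mkdir -p ${config_dir}` beside the existing mkdir. The two variables are expanded unquoted on the mkdir/install lines; harmless for these paths, but `"${config_dir}"` would match the quoting already used in their assignments.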