authorGeorge Kiagiadakis <george.kiagiadakis@collabora.com>2019-06-26 14:48:29 +0300
committerJan-Simon Moeller <jsmoeller@linuxfoundation.org>2019-06-27 13:29:30 +0000
commit1f5849784f91f18488e21307b2548e96095c190e (patch)
tree4f928ff4b1e50157ff4661c0d38ae68d438a15af
parent5cb5bf7e0c021e9b925b3e1fcf01b4945927bd07 (diff)
pipewire: run with the System::Pipewire smack label
Pipewire shares memory with its clients using open file descriptors (memfd or shared memory file) which are created within pipewire and therefore have the same smack label as the pipewire process. Clients must be able to read and write to this memory, so they need rw access to that smack label. Since all AGL apps have only write access to the System label, we need to use a different smack label which can be granted rw access from the applications that need to use audio. "System::Pipewire" is chosen here to follow the "System::Sub" pattern that is described in the documentation. Bug-AGL: SPEC-2554 Change-Id: I81cbf82adfde3ef4f67872bd91293370339b18d7 Signed-off-by: George Kiagiadakis <george.kiagiadakis@collabora.com>
-rw-r--r--meta-pipewire/recipes-multimedia/pipewire/pipewire/pipewire@.service1
-rw-r--r--meta-pipewire/recipes-multimedia/pipewire/pipewire/smack-pipewire8
-rw-r--r--meta-pipewire/recipes-multimedia/pipewire/pipewire_git.bbappend12
3 files changed, 19 insertions, 2 deletions
diff --git a/meta-pipewire/recipes-multimedia/pipewire/pipewire/pipewire@.service b/meta-pipewire/recipes-multimedia/pipewire/pipewire/pipewire@.service
index 7ecdcc40..a603fdb3 100644
--- a/meta-pipewire/recipes-multimedia/pipewire/pipewire/pipewire@.service
+++ b/meta-pipewire/recipes-multimedia/pipewire/pipewire/pipewire@.service
@@ -15,6 +15,7 @@ Environment=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/%i/bus
User=%i
Slice=user-%i.slice
+SmackProcessLabel=System::Pipewire
SupplementaryGroups=audio
UMask=0077
CapabilityBoundingSet=
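Review bot: The new `SmackProcessLabel=System::Pipewire` line carries no comment saying why the daemon leaves the `System` label, and that reason is the whole security argument of the change. I would add above it `# Dedicated label: clients need rw on PipeWire's memfd/shm, which carry the process label, and must not get rw on System`. Per systemd.exec, a SMACK64EXEC attribute on the executable takes precedence over this setting, so it is worth confirming that the installed pipewire binary carries none. The [Service] section starts and ends outside the hunk.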
diff --git a/meta-pipewire/recipes-multimedia/pipewire/pipewire/smack-pipewire b/meta-pipewire/recipes-multimedia/pipewire/pipewire/smack-pipewire
new file mode 100644
index 00000000..8d5b541f
--- /dev/null
+++ b/meta-pipewire/recipes-multimedia/pipewire/pipewire/smack-pipewire
@@ -0,0 +1,8 @@
+System System::Pipewire rwxa--
+System::Pipewire System -wx---
+System::Pipewire System::Shared r-x---
+System::Pipewire System::Run rwxat-
+System::Pipewire System::Log rwxa--
+System::Pipewire _ r-x--l
+System::Pipewire User::Home r-x--l
+System::Pipewire User::App-Shared rwxat-
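Review bot: None of the eight rules has a client label as subject and `System::Pipewire` as object, yet the commit message says audio clients need rw on that label; the grant presumably comes from the application framework's permission handling, and this file should say where. The `System::Pipewire` subject rules also read like a copy of what a `System` process gets (read and lock on `User::Home`, `rwxat` on `User::App-Shared`), which is more than an audio daemon obviously needs, so each rule that stays should have a one-line reason and the rest should be dropped. If the loader for `accesses.d` skips `#` lines (systemd's does; confirm for this image), a header such as `# client rw access to System::Pipewire is granted by <component>, not here` would cover the first point.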
diff --git a/meta-pipewire/recipes-multimedia/pipewire/pipewire_git.bbappend b/meta-pipewire/recipes-multimedia/pipewire/pipewire_git.bbappend
index 31253d03..8a0b0741 100644
--- a/meta-pipewire/recipes-multimedia/pipewire/pipewire_git.bbappend
+++ b/meta-pipewire/recipes-multimedia/pipewire/pipewire_git.bbappend
@@ -1,11 +1,12 @@
SRC_URI += "\
file://pipewire@.service \
file://pipewire@.socket \
+ file://smack-pipewire \
"
do_install_append() {
if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
- # remote the original user unit files shipped by pipewire
+ # remove the original user unit files shipped by pipewire
rm -rf ${D}${systemd_unitdir}
# install our own system-level templates
@@ -16,7 +17,14 @@ do_install_append() {
# enable the socket to start together with afm-user-session
mkdir -p ${D}${systemd_system_unitdir}/afm-user-session@.target.wants
ln -sf ../pipewire@.socket ${D}${systemd_system_unitdir}/afm-user-session@.target.wants/pipewire@.socket
+
+ # install smack rules
+ mkdir -p ${D}${sysconfdir}/smack/accesses.d
+ install -m 0644 ${WORKDIR}/smack-pipewire ${D}${sysconfdir}/smack/accesses.d/pipewire
fi
}
-FILES_${PN} += "${systemd_system_unitdir}/*"
+FILES_${PN} += "\
+ ${systemd_system_unitdir}/* \
+ ${sysconfdir}/smack/accesses.d/* \
+"
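Review bot: The rule file is installed under the `systemd` check only, so a build with systemd but without Smack still ships `/etc/smack/accesses.d/pipewire`; if this layer is meant to build without Smack, wrap the install in `if ${@bb.utils.contains('DISTRO_FEATURES', 'smack', 'true', 'false', d)}; then … fi`. The `mkdir -p` plus `install -m 0644` pair can also be written as one line, `install -D -m 0644 ${WORKDIR}/smack-pipewire ${D}${sysconfdir}/smack/accesses.d/pipewire`. `do_install_append()` starts in the previous hunk.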