From 1f5849784f91f18488e21307b2548e96095c190e Mon Sep 17 00:00:00 2001 From: George Kiagiadakis Date: Wed, 26 Jun 2019 14:48:29 +0300 Subject: pipewire: run with the System::Pipewire smack label Pipewire shares memory with its clients using open file descriptors (memfd or shared memory file) which are created within pipewire and therefore they have the same smack label as the pipewire process. Clients must be able to read and write to this memory, therefore they need rw acess to that smack label. Since all AGL apps have only write access to the System label, we need to use a different smack label which can be granted rw access from the applications that need to use audio. "System::Pipewire" is chosen here to follow the "System::Sub" pattern that is described in the documentation. Bug-AGL: SPEC-2554 Change-Id: I81cbf82adfde3ef4f67872bd91293370339b18d7 Signed-off-by: George Kiagiadakis --- .../recipes-multimedia/pipewire/pipewire/pipewire@.service | 1 + .../recipes-multimedia/pipewire/pipewire/smack-pipewire | 8 ++++++++ .../recipes-multimedia/pipewire/pipewire_git.bbappend | 12 ++++++++++-- 3 files changed, 19 insertions(+), 2 deletions(-) create mode 100644 meta-pipewire/recipes-multimedia/pipewire/pipewire/smack-pipewire (limited to 'meta-pipewire/recipes-multimedia') diff --git a/meta-pipewire/recipes-multimedia/pipewire/pipewire/pipewire@.service b/meta-pipewire/recipes-multimedia/pipewire/pipewire/pipewire@.service index 7ecdcc40..a603fdb3 100644 --- a/meta-pipewire/recipes-multimedia/pipewire/pipewire/pipewire@.service +++ b/meta-pipewire/recipes-multimedia/pipewire/pipewire/pipewire@.service @@ -15,6 +15,7 @@ Environment=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/%i/bus User=%i Slice=user-%i.slice +SmackProcessLabel=System::Pipewire SupplementaryGroups=audio UMask=0077 CapabilityBoundingSet= diff --git a/meta-pipewire/recipes-multimedia/pipewire/pipewire/smack-pipewire b/meta-pipewire/recipes-multimedia/pipewire/pipewire/smack-pipewire new file mode 100644 index 00000000..8d5b541f --- /dev/null +++ b/meta-pipewire/recipes-multimedia/pipewire/pipewire/smack-pipewire @@ -0,0 +1,8 @@ +System System::Pipewire rwxa-- +System::Pipewire System -wx--- +System::Pipewire System::Shared r-x--- +System::Pipewire System::Run rwxat- +System::Pipewire System::Log rwxa-- +System::Pipewire _ r-x--l +System::Pipewire User::Home r-x--l +System::Pipewire User::App-Shared rwxat- diff --git a/meta-pipewire/recipes-multimedia/pipewire/pipewire_git.bbappend b/meta-pipewire/recipes-multimedia/pipewire/pipewire_git.bbappend index 31253d03..8a0b0741 100644 --- a/meta-pipewire/recipes-multimedia/pipewire/pipewire_git.bbappend +++ b/meta-pipewire/recipes-multimedia/pipewire/pipewire_git.bbappend @@ -1,11 +1,12 @@ SRC_URI += "\ file://pipewire@.service \ file://pipewire@.socket \ + file://smack-pipewire \ " do_install_append() { if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then - # remote the original user unit files shipped by pipewire + # remove the original user unit files shipped by pipewire rm -rf ${D}${systemd_unitdir} # install our own system-level templates @@ -16,7 +17,14 @@ do_install_append() { # enable the socket to start together with afm-user-session mkdir -p ${D}${systemd_system_unitdir}/afm-user-session@.target.wants ln -sf ../pipewire@.socket ${D}${systemd_system_unitdir}/afm-user-session@.target.wants/pipewire@.socket + + # install smack rules + mkdir -p ${D}${sysconfdir}/smack/accesses.d + install -m 0644 ${WORKDIR}/smack-pipewire ${D}${sysconfdir}/smack/accesses.d/pipewire fi } -FILES_${PN} += "${systemd_system_unitdir}/*" +FILES_${PN} += "\ + ${systemd_system_unitdir}/* \ + ${sysconfdir}/smack/accesses.d/* \ +" -- cgit 1.2.3-korg