summaryrefslogtreecommitdiffstats
path: root/meta-pipewire/recipes-multimedia/pipewire/pipewire/0005-module-access-add-same-sec-label-mode.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta-pipewire/recipes-multimedia/pipewire/pipewire/0005-module-access-add-same-sec-label-mode.patch')
-rw-r--r--meta-pipewire/recipes-multimedia/pipewire/pipewire/0005-module-access-add-same-sec-label-mode.patch94
1 files changed, 0 insertions, 94 deletions
diff --git a/meta-pipewire/recipes-multimedia/pipewire/pipewire/0005-module-access-add-same-sec-label-mode.patch b/meta-pipewire/recipes-multimedia/pipewire/pipewire/0005-module-access-add-same-sec-label-mode.patch
deleted file mode 100644
index 07a1ec114..000000000
--- a/meta-pipewire/recipes-multimedia/pipewire/pipewire/0005-module-access-add-same-sec-label-mode.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 19fad1a4fa8bdc4f02aac4e169e7ff9cab18bdcd Mon Sep 17 00:00:00 2001
-From: George Kiagiadakis <george.kiagiadakis@collabora.com>
-Date: Tue, 19 Nov 2019 17:09:07 +0200
-Subject: [PATCH] module-access: add same-sec-label-mode
-
-This is a mode where the access module allows all clients that have
-the same security label as the pipewire daemon, and every other
-client is put on the restricted state.
-
-In systems that use SMACK security labels, such as AGL, this allows
-the session manager (which is spawned by pipewire, inheriting the
-same smack label) to have full access to all objects, while every
-other client is restricted and the session manager must decide
-what to do with it
-
-Note that while this option is configurable, there is no loss of
-security if this option is not set in the configuration. Clients
-that don't have the same security context will be considered to
-be flatpak clients because pipewire will not be able to open
-/proc/pid/cmdline. This however results in some unwanted error
-messages that may be confusing.
-
-Upstream-Status: Inappropriate [agl/smack specific]
----
- src/modules/module-access.c | 45 ++++++++++++++++++++++++++++++++++++-
- 1 file changed, 44 insertions(+), 1 deletion(-)
-
-diff --git a/src/modules/module-access.c b/src/modules/module-access.c
-index 09dafa43..f75306d9 100644
---- a/src/modules/module-access.c
-+++ b/src/modules/module-access.c
-@@ -50,6 +50,30 @@ struct impl {
- struct spa_hook module_listener;
- };
-
-+static int check_seclabel(const char *str)
-+{
-+ char attr[1024];
-+ int fd, len;
-+
-+ fd = open("/proc/self/attr/current", O_RDONLY);
-+ if (fd < 0)
-+ return -errno;
-+
-+ if ((len = read(fd, attr, 1024)) <= 0) {
-+ close(fd);
-+ return -EIO;
-+ }
-+ attr[len] = '\0';
-+
-+ if (strcmp(attr, str) == 0) {
-+ close(fd);
-+ return 1;
-+ }
-+
-+ close(fd);
-+ return 0;
-+}
-+
- static int check_cmdline(struct pw_client *client, int pid, const char *str)
- {
- char path[2048];
-@@ -121,8 +145,27 @@ core_check_access(void *data, struct pw_client *client)
- const char *str;
- int pid, res;
-
-+ props = pw_client_get_properties(client);
-+
-+ if (impl->properties &&
-+ (str = pw_properties_get(impl->properties, "same-sec-label-mode")) != NULL &&
-+ strcmp(str, "1") == 0) {
-+ if (props && (str = pw_properties_get(props, PW_KEY_SEC_LABEL)) != NULL) {
-+ res = check_seclabel(str);
-+ if (res == 1)
-+ goto granted;
-+ else if (res < 0)
-+ pw_log_warn("module %p: client %p seclabel check failed: %s",
-+ impl, client, spa_strerror(res));
-+ }
-+ pw_log_debug("module %p: seclabel restricted client %p added",
-+ impl, client);
-+ items[0] = SPA_DICT_ITEM_INIT(PW_KEY_ACCESS, "restricted");
-+ goto wait_permissions;
-+ }
-+
- pid = -EINVAL;
-- if ((props = pw_client_get_properties(client)) != NULL) {
-+ if (props != NULL) {
- if ((str = pw_properties_get(props, PW_KEY_SEC_PID)) != NULL)
- pid = atoi(str);
- }
---
-2.24.0
-