From 761e6467d12e2935785774383adca9ddbd3e1c26 Mon Sep 17 00:00:00 2001 From: George Kiagiadakis Date: Thu, 11 Feb 2021 14:13:55 +0200 Subject: meta-pipewire: update to pipewire 0.3.25 and wireplumber master Bug-AGL: SPEC-3844 Change-Id: Ie32bfa43bf078c7d218d3150dc616501b8848bd0 Signed-off-by: George Kiagiadakis Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/26094 Reviewed-by: Jan-Simon Moeller Tested-by: Jan-Simon Moeller --- .../pipewire/pipewire-conf-agl/client.env | 10 - .../pipewire/pipewire-conf-agl/pipewire.conf.in | 17 -- .../pipewire/pipewire-conf-agl/server.env | 12 - .../pipewire/pipewire-conf-agl_git.bb | 43 ---- ...01-modules-add-new-access-seclabel-module.patch | 265 +++++++++++++++++++++ .../pipewire/pipewire/pipewire.conf | 59 +++++ .../pipewire/pipewire/pipewire.service | 24 ++ .../pipewire/pipewire/pipewire.socket | 16 ++ .../pipewire/pipewire/pipewire@.service | 24 -- .../pipewire/pipewire/pipewire@.socket | 19 -- .../pipewire/pipewire_0.3.25.bbappend | 33 +++ .../pipewire/pipewire_git.bbappend | 32 --- .../wireplumber-config-agl/50-access-agl.lua | 1 + .../wireplumber-config-agl/access-smack.lua | 17 ++ .../wireplumber-config-agl_git.bbappend | 15 ++ 15 files changed, 430 insertions(+), 157 deletions(-) delete mode 100644 meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl/client.env delete mode 100644 meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl/pipewire.conf.in delete mode 100644 meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl/server.env delete mode 100644 meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl_git.bb create mode 100644 meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/0001-modules-add-new-access-seclabel-module.patch create mode 100644 meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.conf create mode 100644 meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.service create mode 100644 meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.socket delete mode 100644 meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire@.service delete mode 100644 meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire@.socket create mode 100644 meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire_0.3.25.bbappend delete mode 100644 meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire_git.bbappend create mode 100644 meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/50-access-agl.lua create mode 100644 meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/access-smack.lua create mode 100644 meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl_git.bbappend (limited to 'meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia') diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl/client.env b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl/client.env deleted file mode 100644 index 9b44cee01..000000000 --- a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl/client.env +++ /dev/null @@ -1,10 +0,0 @@ -# This file contains environment variables that will apply -# to pipewire clients started by the application framework - -# libpipewire by default tries to obtain real-time scheduling -# for the streaming thread. This is only useful on the desktop, disable here. -DISABLE_RTKIT=1 - -# Uncomment to enable libpipewire debug for clients -# 1=error, 2=warning, 3=info, 4=debug, 5=trace -#PIPEWIRE_DEBUG=4 diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl/pipewire.conf.in b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl/pipewire.conf.in deleted file mode 100644 index 6c055bcff..000000000 --- a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl/pipewire.conf.in +++ /dev/null @@ -1,17 +0,0 @@ -# daemon config file for PipeWire version "0.2.9" -# distributed by Automotive Grade Linux - -add-spa-lib audio.convert* audioconvert/libspa-audioconvert -add-spa-lib api.alsa.* alsa/libspa-alsa -add-spa-lib api.v4l2.* v4l2/libspa-v4l2 -add-spa-lib api.bluez5.* bluez5/libspa-bluez5 - -load-module libpipewire-module-protocol-native -load-module libpipewire-module-spa-node-factory -load-module libpipewire-module-client-node -load-module libpipewire-module-client-device -load-module libpipewire-module-access same-sec-label-mode=1 -load-module libpipewire-module-adapter -load-module libpipewire-module-link-factory -load-module libpipewire-module-session-manager -exec /usr/bin/wireplumber diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl/server.env b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl/server.env deleted file mode 100644 index c74b941d6..000000000 --- a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl/server.env +++ /dev/null @@ -1,12 +0,0 @@ -# This file contains environment variables that will apply -# to the pipewire daemon as well as its session manager - -# Disable rtkit for wireplumber, which is also a client -DISABLE_RTKIT=1 - -# Uncomment to enable wireplumber debug -#G_MESSAGES_DEBUG=all - -# Uncomment to enable pipewire debug -# 1=error, 2=warning, 3=info, 4=debug, 5=trace -#PIPEWIRE_DEBUG=4 diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl_git.bb b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl_git.bb deleted file mode 100644 index a28c6534e..000000000 --- a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire-conf-agl_git.bb +++ /dev/null @@ -1,43 +0,0 @@ -SUMMARY = "AGL configuration file for pipewire" -HOMEPAGE = "https://pipewire.org" -BUGTRACKER = "https://jira.automotivelinux.org" -AUTHOR = "George Kiagiadakis " -SECTION = "multimedia" - -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://${COMMON_LICENSE_DIR}/MIT;md5=0835ade698e0bcf8506ecda2f7b4f302" - -SRC_URI = " \ - file://pipewire.conf.in \ - file://client.env \ - file://server.env \ - " - -do_configure[noexec] = "1" -do_compile[noexec] = "1" - -do_install_append() { - # enable optional features in the config - BLUEZ5=${@bb.utils.contains('DISTRO_FEATURES', 'bluez5', '', '#', d)} - sed -e "s/#IF_BLUEZ5 /${BLUEZ5}/" ${WORKDIR}/pipewire.conf.in > ${WORKDIR}/pipewire.conf - - # install our custom config - install -d ${D}/${sysconfdir}/pipewire/ - install -m 0644 ${WORKDIR}/pipewire.conf ${D}${sysconfdir}/pipewire/pipewire.conf - - # install environment variable files - install -d ${D}/${sysconfdir}/afm/unit.env.d/ - install -m 0644 ${WORKDIR}/client.env ${D}/${sysconfdir}/afm/unit.env.d/pipewire - install -m 0644 ${WORKDIR}/server.env ${D}${sysconfdir}/pipewire/environment -} - -FILES_${PN} = "\ - ${sysconfdir}/pipewire/* \ - ${sysconfdir}/afm/unit.env.d/* \ -" -CONFFILES_${PN} += "\ - ${sysconfdir}/pipewire/* \ - ${sysconfdir}/afm/unit.env.d/* \ -" - -RPROVIDES_${PN} += "virtual/pipewire-config" diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/0001-modules-add-new-access-seclabel-module.patch b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/0001-modules-add-new-access-seclabel-module.patch new file mode 100644 index 000000000..7885dfa37 --- /dev/null +++ b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/0001-modules-add-new-access-seclabel-module.patch @@ -0,0 +1,265 @@ +From a949b090e9d4d11c300fb23b416a2cc69483962b Mon Sep 17 00:00:00 2001 +From: George Kiagiadakis +Date: Tue, 16 Feb 2021 17:26:20 +0200 +Subject: [PATCH] modules: add new access-seclabel module + +This module allows access control based on the security label +of the client. It is tailored for use with the semantics of SMACK + +Upstream-Status: Inappropriate [smack specific] +--- + src/modules/meson.build | 10 ++ + src/modules/module-access-seclabel.c | 220 +++++++++++++++++++++++++++ + 2 files changed, 230 insertions(+) + create mode 100644 src/modules/module-access-seclabel.c + +diff --git a/src/modules/meson.build b/src/modules/meson.build +index 8c9ccc85..234cff6b 100644 +--- a/src/modules/meson.build ++++ b/src/modules/meson.build +@@ -14,6 +14,16 @@ pipewire_module_access = shared_library('pipewire-module-access', [ 'module-acce + dependencies : [mathlib, dl_lib, pipewire_dep], + ) + ++pipewire_module_access_seclabel = shared_library('pipewire-module-access-seclabel', ++ [ 'module-access-seclabel.c' ], ++ c_args : pipewire_module_c_args, ++ include_directories : [configinc, spa_inc], ++ install : true, ++ install_dir : modules_install_dir, ++ install_rpath: modules_install_dir, ++ dependencies : [mathlib, dl_lib, pipewire_dep], ++) ++ + pipewire_module_profiler = shared_library('pipewire-module-profiler', + [ 'module-profiler.c', + 'module-profiler/protocol-native.c', ], +diff --git a/src/modules/module-access-seclabel.c b/src/modules/module-access-seclabel.c +new file mode 100644 +index 00000000..3739f2e4 +--- /dev/null ++++ b/src/modules/module-access-seclabel.c +@@ -0,0 +1,220 @@ ++/* PipeWire ++ * ++ * Copyright © 2018 Wim Taymans ++ * Copyright © 2021 Collabora Ltd. ++ * @author George Kiagiadakis ++ * ++ * Permission is hereby granted, free of charge, to any person obtaining a ++ * copy of this software and associated documentation files (the "Software"), ++ * to deal in the Software without restriction, including without limitation ++ * the rights to use, copy, modify, merge, publish, distribute, sublicense, ++ * and/or sell copies of the Software, and to permit persons to whom the ++ * Software is furnished to do so, subject to the following conditions: ++ * ++ * The above copyright notice and this permission notice (including the next ++ * paragraph) shall be included in all copies or substantial portions of the ++ * Software. ++ * ++ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR ++ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, ++ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL ++ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER ++ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING ++ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER ++ * DEALINGS IN THE SOFTWARE. ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "config.h" ++ ++#include ++#include ++ ++#include ++#include ++ ++#define NAME "access-seclabel" ++ ++#define MODULE_USAGE "[ seclabel.allowed= ] " \ ++ "[ seclabel.rejected= ] " \ ++ "[ seclabel.restricted= ] " \ ++ ++static const struct spa_dict_item module_props[] = { ++ { PW_KEY_MODULE_AUTHOR, "George Kiagiadakis " }, ++ { PW_KEY_MODULE_DESCRIPTION, "Perform access check based on the security label" }, ++ { PW_KEY_MODULE_USAGE, MODULE_USAGE }, ++ { PW_KEY_MODULE_VERSION, PACKAGE_VERSION }, ++}; ++ ++struct impl { ++ struct pw_context *context; ++ struct pw_properties *properties; ++ ++ struct spa_hook context_listener; ++ struct spa_hook module_listener; ++}; ++ ++static int check_label(const char *label, const char *str) ++{ ++ char key[1024]; ++ int res = 0; ++ struct spa_json it[2]; ++ ++ spa_json_init(&it[0], str, strlen(str)); ++ if ((res = spa_json_enter_array(&it[0], &it[1])) <= 0) ++ goto exit; ++ ++ res = 0; ++ while (spa_json_get_string(&it[1], key, sizeof(key)) > 0) { ++ if (strcmp(label, key) == 0) { ++ res = 1; ++ break; ++ } ++ } ++exit: ++ return res; ++} ++ ++static void ++context_check_access(void *data, struct pw_impl_client *client) ++{ ++ struct impl *impl = data; ++ struct pw_permission permissions[1]; ++ struct spa_dict_item items[2]; ++ const struct pw_properties *props; ++ const char *str, *access, *label = NULL; ++ int res; ++ ++ if ((props = pw_impl_client_get_properties(client)) != NULL) { ++ if ((str = pw_properties_get(props, PW_KEY_ACCESS)) != NULL) { ++ pw_log_info(NAME " client %p: has already access: '%s'", client, str); ++ return; ++ } ++ label = pw_properties_get(props, PW_KEY_SEC_LABEL); ++ } ++ ++ if (!label) { ++ pw_log_info(NAME " client %p: has no security label", client); ++ return; ++ } ++ ++ if (impl->properties && (str = pw_properties_get(impl->properties, "seclabel.allowed")) != NULL) { ++ res = check_label(label, str); ++ if (res < 0) { ++ pw_log_warn(NAME" %p: client %p allowed check failed: %s", ++ impl, client, spa_strerror(res)); ++ } else if (res > 0) { ++ access = "allowed"; ++ goto granted; ++ } ++ } ++ ++ if (impl->properties && (str = pw_properties_get(impl->properties, "seclabel.rejected")) != NULL) { ++ res = check_label(label, str); ++ if (res < 0) { ++ pw_log_warn(NAME" %p: client %p rejected check failed: %s", ++ impl, client, spa_strerror(res)); ++ } else if (res > 0) { ++ res = -EACCES; ++ access = "rejected"; ++ goto rejected; ++ } ++ } ++ ++ if (impl->properties && (str = pw_properties_get(impl->properties, "seclabel.restricted")) != NULL) { ++ res = check_label(label, str); ++ if (res < 0) { ++ pw_log_warn(NAME" %p: client %p restricted check failed: %s", ++ impl, client, spa_strerror(res)); ++ } ++ else if (res > 0) { ++ pw_log_debug(NAME" %p: restricted client %p added", impl, client); ++ access = "restricted"; ++ goto wait_permissions; ++ } ++ } ++ ++ return; ++ ++granted: ++ pw_log_info(NAME" %p: client %p '%s' access granted", impl, client, access); ++ items[0] = SPA_DICT_ITEM_INIT(PW_KEY_ACCESS, access); ++ pw_impl_client_update_properties(client, &SPA_DICT_INIT(items, 1)); ++ ++ permissions[0] = PW_PERMISSION_INIT(PW_ID_ANY, PW_PERM_ALL); ++ pw_impl_client_update_permissions(client, 1, permissions); ++ return; ++ ++wait_permissions: ++ pw_log_info(NAME " %p: client %p wait for '%s' permissions", ++ impl, client, access); ++ items[0] = SPA_DICT_ITEM_INIT(PW_KEY_ACCESS, access); ++ pw_impl_client_update_properties(client, &SPA_DICT_INIT(items, 1)); ++ return; ++ ++rejected: ++ pw_resource_error(pw_impl_client_get_core_resource(client), res, access); ++ items[0] = SPA_DICT_ITEM_INIT(PW_KEY_ACCESS, access); ++ pw_impl_client_update_properties(client, &SPA_DICT_INIT(items, 1)); ++ return; ++} ++ ++static const struct pw_context_events context_events = { ++ PW_VERSION_CONTEXT_EVENTS, ++ .check_access = context_check_access, ++}; ++ ++static void module_destroy(void *data) ++{ ++ struct impl *impl = data; ++ ++ spa_hook_remove(&impl->context_listener); ++ spa_hook_remove(&impl->module_listener); ++ ++ if (impl->properties) ++ pw_properties_free(impl->properties); ++ ++ free(impl); ++} ++ ++static const struct pw_impl_module_events module_events = { ++ PW_VERSION_IMPL_MODULE_EVENTS, ++ .destroy = module_destroy, ++}; ++ ++SPA_EXPORT ++int pipewire__module_init(struct pw_impl_module *module, const char *args) ++{ ++ struct pw_context *context = pw_impl_module_get_context(module); ++ struct pw_properties *props; ++ struct impl *impl; ++ ++ impl = calloc(1, sizeof(struct impl)); ++ if (impl == NULL) ++ return -errno; ++ ++ pw_log_debug(NAME" module %p: new %s", impl, args); ++ ++ if (args) ++ props = pw_properties_new_string(args); ++ else ++ props = NULL; ++ ++ impl->context = context; ++ impl->properties = props; ++ ++ pw_context_add_listener(context, &impl->context_listener, &context_events, impl); ++ pw_impl_module_add_listener(module, &impl->module_listener, &module_events, impl); ++ ++ pw_impl_module_update_properties(module, &SPA_DICT_INIT_ARRAY(module_props)); ++ ++ return 0; ++} +-- +2.30.0 + diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.conf b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.conf new file mode 100644 index 000000000..bc0c89ac0 --- /dev/null +++ b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.conf @@ -0,0 +1,59 @@ +context.properties = { + core.daemon = true + core.name = pipewire-0 + support.dbus = false + link.max-buffers = 16 + + # 1=error, 2=warning, 3=info, 4=debug, 5=trace + log.level = 2 + + ## Properties for the DSP configuration. + default.clock.rate = 48000 + default.clock.quantum = 1024 + default.clock.min-quantum = 512 + default.clock.max-quantum = 8192 +} + +context.spa-libs = { + audio.convert.* = audioconvert/libspa-audioconvert + api.alsa.* = alsa/libspa-alsa + api.v4l2.* = v4l2/libspa-v4l2 + support.* = support/libspa-support +} + +context.modules = [ + { name = libpipewire-module-protocol-native } + { name = libpipewire-module-metadata } + { name = libpipewire-module-spa-device-factory } + { name = libpipewire-module-spa-node-factory } + { name = libpipewire-module-client-node } + { name = libpipewire-module-client-device } + { name = libpipewire-module-adapter } + { name = libpipewire-module-link-factory } + { name = libpipewire-module-session-manager } + + # allow clients with the "System" SMACK label + # such a client is also the session manager (wireplumber) + { + name = libpipewire-module-access-seclabel + args= { + seclabel.allowed = [ System ] + } + } + + # and restrict all other clients + { + name = libpipewire-module-access + args= { + access.force = restricted + } + } + + # The profile module. Allows application to access profiler + # and performance data. It provides an interface that is used + # by pw-top and pw-profiler. + #{ name = libpipewire-module-profiler } +] + +context.objects = {} +context.exec = {} diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.service b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.service new file mode 100644 index 000000000..b37fe2551 --- /dev/null +++ b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.service @@ -0,0 +1,24 @@ +[Unit] +Description=Multimedia Service +Requires=pipewire.socket + +[Service] +LockPersonality=yes +MemoryDenyWriteExecute=yes +NoNewPrivileges=yes +RestrictNamespaces=yes +SystemCallArchitectures=native +SystemCallFilter=@system-service +Type=simple +ExecStart=/usr/bin/pipewire +Restart=on-failure +RuntimeDirectory=pipewire +RuntimeDirectoryPreserve=yes +User=pipewire +Environment=PIPEWIRE_RUNTIME_DIR=%t/pipewire +SmackProcessLabel=System::Pipewire +UMask=0077 + +[Install] +Also=pipewire.socket +WantedBy=default.target diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.socket b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.socket new file mode 100644 index 000000000..a83435be4 --- /dev/null +++ b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire.socket @@ -0,0 +1,16 @@ +[Unit] +Description=Multimedia System + +[Socket] +Priority=6 +Backlog=5 +ListenStream=%t/pipewire/pipewire-0 +SocketUser=pipewire +SocketGroup=pipewire +SocketMode=0666 +SmackLabel=* +SmackLabelIPIn=System +SmackLabelIPOut=System + +[Install] +WantedBy=sockets.target diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire@.service b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire@.service deleted file mode 100644 index e116dc1fa..000000000 --- a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire@.service +++ /dev/null @@ -1,24 +0,0 @@ -[Unit] -Description=Multimedia Service for user %i -Requires=pipewire@%i.socket - -[Install] -Also=pipewire@%i.socket - -[Service] -Type=simple -Restart=on-failure -ExecStart=/usr/bin/pipewire - -Environment=XDG_RUNTIME_DIR=/run/user/%i -Environment=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/%i/bus -EnvironmentFile=-/etc/pipewire/environment - -User=%i -Slice=user-%i.slice -SmackProcessLabel=System::Pipewire -SupplementaryGroups=audio -UMask=0077 -CapabilityBoundingSet= -SystemCallFilter=@basic-io @file-system @io-event @ipc \ - @memlock @network-io @process @resources @signal diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire@.socket b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire@.socket deleted file mode 100644 index 10cb32276..000000000 --- a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire/pipewire@.socket +++ /dev/null @@ -1,19 +0,0 @@ -[Unit] -Description=Multimedia Service socket for user %i -Requires=afm-user-setup@%i.service -After=afm-user-setup@%i.service - -[Socket] -Priority=6 -Backlog=5 -ListenStream=/run/user/%i/pipewire-0 -Service=pipewire@%i.service -SmackLabel=* -SmackLabelIPIn=System -SmackLabelIPOut=System -SocketUser=%i -SocketGroup=%i -SocketMode=0660 - -[Install] -WantedBy=afm-user-session@%i.target diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire_0.3.25.bbappend b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire_0.3.25.bbappend new file mode 100644 index 000000000..d5e52de98 --- /dev/null +++ b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire_0.3.25.bbappend @@ -0,0 +1,33 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/pipewire:" + +SRC_URI_append= "\ + file://0001-modules-add-new-access-seclabel-module.patch \ + file://pipewire.conf \ + file://pipewire.service \ + file://pipewire.socket \ + file://smack-pipewire \ +" + +do_install_append() { + # replace the original config with our smack-aware config + rm -f ${D}${sysconfdir}/pipewire/pipewire.conf + install -m 0644 ${WORKDIR}/pipewire.conf ${D}${sysconfdir}/pipewire/pipewire.conf + + if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then + # remove the original unit files shipped by pipewire + rm -rf ${D}${systemd_system_unitdir}/pipewire.* + + # install our own system-level templates + mkdir -p ${D}${systemd_system_unitdir}/ + install -m 0644 ${WORKDIR}/pipewire.service ${D}${systemd_system_unitdir}/pipewire.service + install -m 0644 ${WORKDIR}/pipewire.socket ${D}${systemd_system_unitdir}/pipewire.socket + + # install smack rules + mkdir -p ${D}${sysconfdir}/smack/accesses.d + install -m 0644 ${WORKDIR}/smack-pipewire ${D}${sysconfdir}/smack/accesses.d/pipewire + fi +} + +FILES_${PN}_append = "\ + ${sysconfdir}/smack/accesses.d/* \ +" diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire_git.bbappend b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire_git.bbappend deleted file mode 100644 index 8c9abf23e..000000000 --- a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/pipewire/pipewire_git.bbappend +++ /dev/null @@ -1,32 +0,0 @@ -FILESEXTRAPATHS_prepend := "${THISDIR}/pipewire:" - -SRC_URI_append= "\ - file://pipewire@.service \ - file://pipewire@.socket \ - file://smack-pipewire \ - " - -do_install_append() { - if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then - # remove the original user unit files shipped by pipewire - rm -rf ${D}${systemd_unitdir} - - # install our own system-level templates - mkdir -p ${D}${systemd_system_unitdir}/ - install -m 0644 ${WORKDIR}/pipewire@.service ${D}${systemd_system_unitdir}/pipewire@.service - install -m 0644 ${WORKDIR}/pipewire@.socket ${D}${systemd_system_unitdir}/pipewire@.socket - - # enable the socket to start together with afm-user-session - mkdir -p ${D}${systemd_system_unitdir}/afm-user-session@.target.wants - ln -sf ../pipewire@.socket ${D}${systemd_system_unitdir}/afm-user-session@.target.wants/pipewire@.socket - - # install smack rules - mkdir -p ${D}${sysconfdir}/smack/accesses.d - install -m 0644 ${WORKDIR}/smack-pipewire ${D}${sysconfdir}/smack/accesses.d/pipewire - fi -} - -FILES_${PN}_append = "\ - ${systemd_system_unitdir}/* \ - ${sysconfdir}/smack/accesses.d/* \ -" diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/50-access-agl.lua b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/50-access-agl.lua new file mode 100644 index 000000000..10b3d7ae3 --- /dev/null +++ b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/50-access-agl.lua @@ -0,0 +1 @@ +load_access("smack") diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/access-smack.lua b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/access-smack.lua new file mode 100644 index 000000000..a662a0f20 --- /dev/null +++ b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl/access-smack.lua @@ -0,0 +1,17 @@ +clients_om = ObjectManager { + Interest { + type = "client", + Constraint { "pipewire.access", "=", "restricted" }, + } +} + +clients_om:connect("object-added", function (om, client) + local smack_label = client["global-properties"]["pipewire.sec.label"] + + if smack_label:match("^User::App::.+") then + -- FIXME: apps can work with less permissions + client:update_permissions { ["any"] = "all" } + end +end) + +clients_om:activate() diff --git a/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl_git.bbappend b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl_git.bbappend new file mode 100644 index 000000000..e94f67eff --- /dev/null +++ b/meta-pipewire/dynamic-layers/meta-app-framework/recipes-multimedia/wireplumber/wireplumber-config-agl_git.bbappend @@ -0,0 +1,15 @@ +FILESEXTRAPATHS_prepend := "${THISDIR}/wireplumber-config-agl:" + +SRC_URI += "\ + file://50-access-agl.lua \ + file://access-smack.lua \ +" + +do_install_append() { + # install smack-specific config + config_dir="${D}${sysconfdir}/wireplumber/config.lua.d/" + access_dir="${D}${sysconfdir}/wireplumber/scripts/access/" + mkdir -p ${access_dir} + install -m 0644 ${WORKDIR}/50-access-agl.lua ${config_dir} + install -m 0644 ${WORKDIR}/access-smack.lua ${access_dir} +} -- cgit 1.2.3-korg