pipewire: move sockets into a subdirectory for easier sandboxing

2024-03-23 13:34:13 +00:00 · 2024-03-23 13:34:13 +00:00 · 8c48adefa5
parent db2801c652
commit 8c48adefa5
2 changed files with 16 additions and 8 deletions
--- a/hosts/common/programs/pipewire.nix
+++ b/hosts/common/programs/pipewire.nix
@ -28,17 +28,25 @@ in
      ".config/pulse"
    ];

+    # see: <https://docs.pipewire.org/page_module_protocol_native.html>
+    # defaults to placing the socket in /run/user/$id/{pipewire-0,pipewire-0-manager,...}
+    # but that's trickier to sandbox
+    env.PIPEWIRE_RUNTIME_DIR = "$XDG_RUNTIME_DIR/pipewire";
+
    services.pipewire = {
      description = "pipewire: multimedia service";
      partOf = [ "sound" ];
      # env PIPEWIRE_LOG_SYSTEMD=false"
      # env PIPEWIRE_DEBUG"*:3,mod.raop*:5,pw.rtsp-client*:5"
-      command = "pipewire";
-      readiness.waitCommand = pkgs.writeShellScript "pipewire-wait-started" ''
-        [ -e "$XDG_RUNTIME_DIR/pipewire-0" ] && \
-        [ -e "$XDG_RUNTIME_DIR/pipewire-0-manager" ]
+      command = pkgs.writeShellScript "pipewire-start" ''
+        mkdir -p $PIPEWIRE_RUNTIME_DIR
+        exec pipewire
      '';
-      cleanupCommand = ''rm -f "$XDG_RUNTIME_DIR/{pipewire-0,pipewire-0.lock,pipewire-0-manager,pipewire-0-manager.lock}"'';
+      readiness.waitCommand = pkgs.writeShellScript "pipewire-wait-started" ''
+        test -e "$PIPEWIRE_RUNTIME_DIR/pipewire-0" && \
+        test -e "$PIPEWIRE_RUNTIME_DIR/pipewire-0-manager"
+      '';
+      cleanupCommand = ''rm -f "$PIPEWIRE_RUNTIME_DIR/{pipewire-0,pipewire-0.lock,pipewire-0-manager,pipewire-0-manager.lock}"'';
    };
    services.pipewire-pulse = {
      description = "pipewire-pulse: Pipewire compatibility layer for PulseAudio clients";
@ -46,8 +54,8 @@ in
      partOf = [ "sound" ];
      command = "pipewire-pulse";
      readiness.waitCommand = pkgs.writeShellScript "pipewire-pulse-wait-started" ''
-        [ -e "$XDG_RUNTIME_DIR/pulse/native" ] && \
-        [ -e "$XDG_RUNTIME_DIR/pulse/pid" ]
+        test -e "$XDG_RUNTIME_DIR/pulse/native" && \
+        test -e "$XDG_RUNTIME_DIR/pulse/pid"
      '';
      cleanupCommand = ''rm -f "$XDG_RUNTIME_DIR/pulse/{native,pid}"'';
    };
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@ -70,7 +70,7 @@ let
              (p: path-lib.concat [ xdgRuntimeDir p ])
              (
                sandbox.extraRuntimePaths
-                ++ lib.optionals sandbox.whitelistAudio [ "pipewire-0" "pipewire-0.lock" "pulse" ]  # also pipewire-0-manager, unknown purpose
+                ++ lib.optionals sandbox.whitelistAudio [ "pipewire" "pulse" ]  # this includes pipewire/pipewire-0-manager: is that ok?
                ++ lib.optionals (builtins.elem "user" sandbox.whitelistDbus) [ "bus" ]
                ++ lib.optionals sandbox.whitelistWayland [ "wayland-1" "wayland-1.lock" ]  # app can still communicate with wayland server w/o this, if it has net access
              )