colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

pipewire: move sockets into a subdirectory for easier sandboxing

Browse Source
This commit is contained in:
Colin
2024-03-23 13:34:13 +00:00
parent db2801c652
commit 8c48adefa5
2 changed files with 16 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
hosts/common/programs/pipewire.nix
View File

@@ -28,17 +28,25 @@ in
".config/pulse" ".config/pulse"
]; ];
# see: <https://docs.pipewire.org/page_module_protocol_native.html>
# defaults to placing the socket in /run/user/$id/{pipewire-0,pipewire-0-manager,...}
# but that's trickier to sandbox
env.PIPEWIRE_RUNTIME_DIR = "$XDG_RUNTIME_DIR/pipewire";
services.pipewire = { services.pipewire = {
description = "pipewire: multimedia service"; description = "pipewire: multimedia service";
partOf = [ "sound" ]; partOf = [ "sound" ];
# env PIPEWIRE_LOG_SYSTEMD=false" # env PIPEWIRE_LOG_SYSTEMD=false"
# env PIPEWIRE_DEBUG"*:3,mod.raop*:5,pw.rtsp-client*:5" # env PIPEWIRE_DEBUG"*:3,mod.raop*:5,pw.rtsp-client*:5"
command = "pipewire"; command = pkgs.writeShellScript "pipewire-start" ''
readiness.waitCommand = pkgs.writeShellScript "pipewire-wait-started" '' mkdir -p $PIPEWIRE_RUNTIME_DIR
[ -e "$XDG_RUNTIME_DIR/pipewire-0" ] && \ exec pipewire
[ -e "$XDG_RUNTIME_DIR/pipewire-0-manager" ]
''; '';
cleanupCommand = ''rm -f "$XDG_RUNTIME_DIR/{pipewire-0,pipewire-0.lock,pipewire-0-manager,pipewire-0-manager.lock}"''; readiness.waitCommand = pkgs.writeShellScript "pipewire-wait-started" ''
test -e "$PIPEWIRE_RUNTIME_DIR/pipewire-0" && \
test -e "$PIPEWIRE_RUNTIME_DIR/pipewire-0-manager"
'';
cleanupCommand = ''rm -f "$PIPEWIRE_RUNTIME_DIR/{pipewire-0,pipewire-0.lock,pipewire-0-manager,pipewire-0-manager.lock}"'';
}; };
services.pipewire-pulse = { services.pipewire-pulse = {
description = "pipewire-pulse: Pipewire compatibility layer for PulseAudio clients"; description = "pipewire-pulse: Pipewire compatibility layer for PulseAudio clients";
@@ -46,8 +54,8 @@ in
partOf = [ "sound" ]; partOf = [ "sound" ];
command = "pipewire-pulse"; command = "pipewire-pulse";
readiness.waitCommand = pkgs.writeShellScript "pipewire-pulse-wait-started" '' readiness.waitCommand = pkgs.writeShellScript "pipewire-pulse-wait-started" ''
[ -e "$XDG_RUNTIME_DIR/pulse/native" ] && \ test -e "$XDG_RUNTIME_DIR/pulse/native" && \
[ -e "$XDG_RUNTIME_DIR/pulse/pid" ] test -e "$XDG_RUNTIME_DIR/pulse/pid"
''; '';
cleanupCommand = ''rm -f "$XDG_RUNTIME_DIR/pulse/{native,pid}"''; cleanupCommand = ''rm -f "$XDG_RUNTIME_DIR/pulse/{native,pid}"'';
}; };

2
modules/programs/default.nix
View File

@@ -70,7 +70,7 @@ let
(p: path-lib.concat [ xdgRuntimeDir p ]) (p: path-lib.concat [ xdgRuntimeDir p ])
( (
sandbox.extraRuntimePaths sandbox.extraRuntimePaths
++ lib.optionals sandbox.whitelistAudio [ "pipewire-0" "pipewire-0.lock" "pulse" ] # also pipewire-0-manager, unknown purpose ++ lib.optionals sandbox.whitelistAudio [ "pipewire" "pulse" ] # this includes pipewire/pipewire-0-manager: is that ok?
++ lib.optionals (builtins.elem "user" sandbox.whitelistDbus) [ "bus" ] ++ lib.optionals (builtins.elem "user" sandbox.whitelistDbus) [ "bus" ]
++ lib.optionals sandbox.whitelistWayland [ "wayland-1" "wayland-1.lock" ] # app can still communicate with wayland server w/o this, if it has net access ++ lib.optionals sandbox.whitelistWayland [ "wayland-1" "wayland-1.lock" ] # app can still communicate with wayland server w/o this, if it has net access
) )