From b43ee234598332b98bbb47c7d671dc1b766e599a Mon Sep 17 00:00:00 2001
From: Colin
Date: Fri, 13 Sep 2024 00:02:48 +0000
Subject: [PATCH] firefox: allow webcam access
---
 hosts/common/programs/firefox/default.nix | 1 +
 hosts/common/programs/pipewire/default.nix | 8 +-------
 hosts/common/programs/wireplumber.nix | 8 +-------
 modules/programs/default.nix | 21 +++++++++++++++++++++
 4 files changed, 24 insertions(+), 14 deletions(-)
diff --git a/hosts/common/programs/firefox/default.nix b/hosts/common/programs/firefox/default.nix
index 878ac000e..6a4836082 100644
--- a/hosts/common/programs/firefox/default.nix
+++ b/hosts/common/programs/firefox/default.nix
@@ -207,6 +207,7 @@ in
 sandbox.method = "bunpen";
 sandbox.net = "all";
 sandbox.whitelistAudio = true;
+ sandbox.whitelistAvDev = true; #< it doesn't seem to use pipewire, but direct /dev/videoN (as of 2024/09/12)
 sandbox.whitelistDbus = [ "user" ]; # mpris
 sandbox.whitelistWayland = true;
 sandbox.extraHomePaths = [
diff --git a/hosts/common/programs/pipewire/default.nix b/hosts/common/programs/pipewire/default.nix
index adf353ee3..5fd5cddf6 100644
--- a/hosts/common/programs/pipewire/default.nix
+++ b/hosts/common/programs/pipewire/default.nix
@@ -69,18 +69,12 @@ in
 # ];
 sandbox.wrapperType = "inplace"; #< its config files refer to its binaries by full path
 sandbox.keepPidsAndProc = true; #< TODO: why?
+ sandbox.whitelistAvDev = true;
 sandbox.capabilities = [
 # if rtkit isn't present, and sandboxing is via landlock, these capabilities allow pipewire to claim higher scheduling priority
 "ipc_lock"
 "sys_nice"
 ];
- sandbox.extraPaths = [
- "/dev/snd"
- # desko/lappy don't need these, but moby complains if not present
- "/dev/video0"
- "/dev/video1"
- "/dev/video2"
- ];
 sandbox.extraHomePaths = [
 # pulseaudio cookie
 ".config/pulse"
diff --git a/hosts/common/programs/wireplumber.nix b/hosts/common/programs/wireplumber.nix
index c21385667..46f240b7f 100644
--- a/hosts/common/programs/wireplumber.nix 
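Review bot: The added `sandbox.whitelistAvDev = true;` line grants firefox more than the commit title asks for: per the path list the option expands to in modules/programs/default.nix it opens /dev/snd and /dev/media0 as well as /dev/videoN, and firefox already receives audio through `sandbox.whitelistAudio` on the line above. Raw /dev/videoN access also means the camera is used directly rather than through pipewire, so a compromised browser sandbox would presumably reach the device without any pipewire-side mediation. Consider a video-only variant of the option so firefox receives just the webcam nodes, and record the trade-off in the trailing comment, e.g. `#< raw /dev/videoN: camera access is not mediated by pipewire; firefox opens the device directly (as of 2024/09/12)`. The enclosing attribute set starts and ends outside the hunk.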
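Review bot: The removed `sandbox.extraPaths` block carried the only explanation of why pipewire needs the video nodes (`# desko/lappy don't need these, but moby complains if not present`), and the added `sandbox.whitelistAvDev = true;` line carries no comment, so that per-host rationale is lost. The shared option also hands pipewire /dev/media0 and /dev/v4l, which this file never listed before, so the sandbox ends up slightly wider than the previous explicit list; if that is intended it is worth saying so. Suggest keeping the reason on the new line, e.g. `sandbox.whitelistAvDev = true; #< pipewire brokers the raw devices; desko/lappy don't need /dev/videoN but moby complains if absent`. The enclosing attribute set starts and ends outside the hunk.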
+++ b/hosts/common/programs/wireplumber.nix
@@ -12,14 +12,8 @@
 # # "user" #< apparently not needed?
 # ];
 sandbox.whitelistAudio = true;
+ sandbox.whitelistAvDev = true; #< i think these video inputs (for e.g. webcam) are optional.
 sandbox.extraPaths = [
- # i think these video inputs (for e.g. webcam) are optional.
- "/dev/media0"
- "/dev/snd"
- # vvv video* is for moby
- "/dev/video0"
- "/dev/video1"
- "/dev/video2"
 # "/run/systemd"
 "/run/udev"
 "/sys/class/sound"
diff --git a/modules/programs/default.nix b/modules/programs/default.nix
index 50846f4ad..ba09581f7 100644
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -392,6 +392,15 @@ let
 allow sandbox to freely interact with pulse/pipewire.
 '';
 };
+ sandbox.whitelistAvDev = mkOption {
+ type = types.bool;
+ default = false;
+ description = ''
+ allow sandbox to freely interact with raw audio/video devices under /dev,
+ e.g. /dev/video0, /dev/snd, /dev/v4l/...
+ pipewire-aware applications shouldn't need this.
+ '';
+ };
 sandbox.whitelistDbus = mkOption {
 type = types.listOf (types.enum [ "user" "system" ]);
 default = [ ];
@@ -526,6 +535,18 @@ let
 ]
 ++ lib.optionals config.sandbox.whitelistX [ "/tmp/.X11-unix" ]
 ++ lib.optionals config.sandbox.keepPidsAndProc [ "/proc" ]
+ ++ lib.optionals config.sandbox.whitelistAvDev [
+ "/dev/media0"
+ "/dev/snd"
+ "/dev/v4l"
+ # /dev/videoN is used for webcam on lappy, and camera on moby
+ "/dev/video0"
+ "/dev/video1"
+ "/dev/video2"
+ # "/sys/class/sound"
+ # "/sys/class/video4linux"
+ # "/sys/devices"
+ ]
 ;
 sandbox.extraRuntimePaths = lib.optionals config.sandbox.whitelistAudio [ "pipewire" "pulse" ] # this includes pipewire/pipewire-0-manager: is that ok?
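Review bot: The comment moved onto the added line, `#< i think these video inputs (for e.g. webcam) are optional.`, now annotates an option that grants /dev/snd and /dev/media0 as well as the video nodes, so it reads as though the whole grant were optional although /dev/snd was an unconditional entry in the removed list. Reword it so the two halves are distinguished, e.g. `sandbox.whitelistAvDev = true; #< /dev/snd is required; i think the video inputs (e.g. webcam) are optional`. The surrounding attribute set continues outside the hunk.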
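Review bot: The new description's last line, `pipewire-aware applications shouldn't need this.`, is contradicted by this same commit, which enables the option on pipewire and wireplumber themselves; a reader of the option doc cannot tell that the media servers are the intended exception. The description also does not say that the option expands to a fixed list of device nodes rather than anything host-specific, which matters because enabling it on a client grants /dev/snd even when the client only needs the camera. Suggest replacing the last line with `only the media servers (pipewire, wireplumber) and apps that bypass them should need this; it expands to a fixed list of /dev nodes.` The enclosing `let` block starts and ends outside the hunk.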