camera: fix sandboxing for pipewire (so snapshot can open the camera), and share that with megapixels (which opens it directly)

N.B. snapshot (pipewire) doesn't work with the current kernel deployment; it requires linux-postmarketos-allwinner and even then only the front camera works (at about 1 fps) this wasn't always the case: i believe that once, the rear camera worked as well. although now i think about it, i'm not positive of that
2024-09-15 11:14:23 +00:00
parent 6e0c83b4f3
commit b5f9ba62d0
3 changed files with 19 additions and 21 deletions
--- a/hosts/common/programs/megapixels.nix
+++ b/hosts/common/programs/megapixels.nix
@@ -38,23 +38,16 @@
      # also it addresses a lot via relative path.
    ];
    sandbox.extraPaths = [
-      # needs /dev/media*, /dev/video*; easier to give it all of /dev which isn't that bad since it's not running as root.
-      "/dev"
      # it passes the raw .dng files to a post-processor, via /tmp
      "/tmp"
      "/sys/class/leds"  #< for flash, presumably
-      # "/sys/dev/char"  #< not strictly necessary? but referenced in the source (for 1.7.0, not 1.8.0)
-      "/sys/devices"
-      "/sys/firmware"
-      # source code references /proc/device-tree/compatible, but it seems to be alright either way
-      "/proc"
    ];
+    sandbox.whitelistAvDev = true;
    sandbox.extraRuntimePaths = [
      "dconf"  #< else it's very spammy, and slow
    ];
-    # XXX(2024/04/21): without this it fails to convert .dng -> .jpg.
-    #   "bwrap: open /proc/34/ns/ns failed: No such file or directory"
-    sandbox.keepPidsAndProc = true;
+    # source code references /proc/device-tree/compatible, but it seems to be alright either way
+    # sandbox.keepPidsAndProc = true;

    suggestedPrograms = [ "dconf" ];  #< not sure if necessary
  };
--- a/hosts/common/programs/wireplumber.nix
+++ b/hosts/common/programs/wireplumber.nix
@@ -12,14 +12,7 @@
    #   # "user"  #< apparently not needed?
    # ];
    sandbox.whitelistAudio = true;
-    sandbox.whitelistAvDev = true;  #< i think these video inputs (for e.g. webcam) are optional.
-    sandbox.extraPaths = [
-      # "/run/systemd"
-      "/run/udev"
-      "/sys/class/sound"
-      "/sys/class/video4linux"
-      "/sys/devices"
-    ];
+    sandbox.whitelistAvDev = true;
    # sandbox.keepPids = true;  #< needed if i want rtkit to grant this higher scheduling priority

    suggestedPrograms = [ "alsa-ucm-conf" ];
--- a/modules/programs/default.nix
+++ b/modules/programs/default.nix
@@ -539,15 +539,27 @@ let
        ++ lib.optionals config.sandbox.keepPidsAndProc [ "/proc" ]
        ++ lib.optionals config.sandbox.whitelistAvDev [
          "/dev/media0"
+          "/dev/media1"
          "/dev/snd"
          "/dev/v4l"
+          "/dev/v4l-subdev0"
+          "/dev/v4l-subdev1"
+          "/dev/v4l-subdev2"
          # /dev/videoN is used for webcam on lappy, and camera on moby
          "/dev/video0"
          "/dev/video1"
          "/dev/video2"
-          # "/sys/class/sound"
-          # "/sys/class/video4linux"
-          # "/sys/devices"
+          "/dev/video3"
+
+          # specifically for pipewire + wireplumber (for cameras on moby, they seem to both need these identical paths)
+          "/run/udev"
+          "/sys/bus/media"  #< for moby camera
+          "/sys/class/sound"
+          "/sys/class/video4linux"  #< for lappy camera
+          "/sys/dev/char"  #< for moby camera
+          "/sys/devices"
+          "/sys/firmware"  #< for moby camera, to parse its devicetree
+          # "/dev"
        ]
      ;
      sandbox.extraRuntimePaths =