From b5f9ba62d063ba34f4690cb4e48d0794c22b094c Mon Sep 17 00:00:00 2001 From: Colin Date: Sun, 15 Sep 2024 11:14:23 +0000 Subject: [PATCH] camera: fix sandboxing for pipewire (so snapshot can open the camera), and share that with megapixels (which opens it directly) N.B. snapshot (pipewire) doesn't work with the current kernel deployment; it requires linux-postmarketos-allwinner and even then only the front camera works (at about 1 fps) this wasn't always the case: i believe that once, the rear camera worked as well. although now i think about it, i'm not positive of that --- hosts/common/programs/megapixels.nix | 13 +++---------- hosts/common/programs/wireplumber.nix | 9 +-------- modules/programs/default.nix | 18 +++++++++++++++--- 3 files changed, 19 insertions(+), 21 deletions(-) diff --git a/hosts/common/programs/megapixels.nix b/hosts/common/programs/megapixels.nix index 063ced4a9..b6e112ffe 100644 --- a/hosts/common/programs/megapixels.nix +++ b/hosts/common/programs/megapixels.nix @@ -38,23 +38,16 @@ # also it addresses a lot via relative path. ]; sandbox.extraPaths = [ - # needs /dev/media*, /dev/video*; easier to give it all of /dev which isn't that bad since it's not running as root. - "/dev" # it passes the raw .dng files to a post-processor, via /tmp "/tmp" "/sys/class/leds" #< for flash, presumably - # "/sys/dev/char" #< not strictly necessary? but referenced in the source (for 1.7.0, not 1.8.0) - "/sys/devices" - "/sys/firmware" - # source code references /proc/device-tree/compatible, but it seems to be alright either way - "/proc" ]; + sandbox.whitelistAvDev = true; sandbox.extraRuntimePaths = [ "dconf" #< else it's very spammy, and slow ]; - # XXX(2024/04/21): without this it fails to convert .dng -> .jpg. - # "bwrap: open /proc/34/ns/ns failed: No such file or directory" - sandbox.keepPidsAndProc = true; + # source code references /proc/device-tree/compatible, but it seems to be alright either way + # sandbox.keepPidsAndProc = true; suggestedPrograms = [ "dconf" ]; #< not sure if necessary }; diff --git a/hosts/common/programs/wireplumber.nix b/hosts/common/programs/wireplumber.nix index 46f240b7f..07f04839c 100644 --- a/hosts/common/programs/wireplumber.nix +++ b/hosts/common/programs/wireplumber.nix @@ -12,14 +12,7 @@ # # "user" #< apparently not needed? # ]; sandbox.whitelistAudio = true; - sandbox.whitelistAvDev = true; #< i think these video inputs (for e.g. webcam) are optional. - sandbox.extraPaths = [ - # "/run/systemd" - "/run/udev" - "/sys/class/sound" - "/sys/class/video4linux" - "/sys/devices" - ]; + sandbox.whitelistAvDev = true; # sandbox.keepPids = true; #< needed if i want rtkit to grant this higher scheduling priority suggestedPrograms = [ "alsa-ucm-conf" ]; diff --git a/modules/programs/default.nix b/modules/programs/default.nix index 8f66c8cd0..b2173956f 100644 --- a/modules/programs/default.nix +++ b/modules/programs/default.nix @@ -539,15 +539,27 @@ let ++ lib.optionals config.sandbox.keepPidsAndProc [ "/proc" ] ++ lib.optionals config.sandbox.whitelistAvDev [ "/dev/media0" + "/dev/media1" "/dev/snd" "/dev/v4l" + "/dev/v4l-subdev0" + "/dev/v4l-subdev1" + "/dev/v4l-subdev2" # /dev/videoN is used for webcam on lappy, and camera on moby "/dev/video0" "/dev/video1" "/dev/video2" - # "/sys/class/sound" - # "/sys/class/video4linux" - # "/sys/devices" + "/dev/video3" + + # specifically for pipewire + wireplumber (for cameras on moby, they seem to both need these identical paths) + "/run/udev" + "/sys/bus/media" #< for moby camera + "/sys/class/sound" + "/sys/class/video4linux" #< for lappy camera + "/sys/dev/char" #< for moby camera + "/sys/devices" + "/sys/firmware" #< for moby camera, to parse its devicetree + # "/dev" ] ; sandbox.extraRuntimePaths =