colin/nix-files
1
0
Fork 1
Code Issues Pull Requests Projects Releases Wiki Activity

camera: fix sandboxing for pipewire (so snapshot can open the camera), and share that with megapixels (which opens it directly)

Browse Source 
N.B. snapshot (pipewire) doesn't work with the current kernel deployment; it requires linux-postmarketos-allwinner and even then only the front camera works (at about 1 fps)

this wasn't always the case: i believe that once, the rear camera worked as well. although now i think about it, i'm not positive of that
This commit is contained in:
Colin
2024-09-15 11:14:23 +00:00
parent 6e0c83b4f3
commit b5f9ba62d0
3 changed files with 19 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
hosts/common/programs/megapixels.nix
View File

@@ -38,23 +38,16 @@
# also it addresses a lot via relative path. # also it addresses a lot via relative path.
]; ];
sandbox.extraPaths = [ sandbox.extraPaths = [
# needs /dev/media*, /dev/video*; easier to give it all of /dev which isn't that bad since it's not running as root.
"/dev"
# it passes the raw .dng files to a post-processor, via /tmp # it passes the raw .dng files to a post-processor, via /tmp
"/tmp" "/tmp"
"/sys/class/leds" #< for flash, presumably "/sys/class/leds" #< for flash, presumably
# "/sys/dev/char" #< not strictly necessary? but referenced in the source (for 1.7.0, not 1.8.0)
"/sys/devices"
"/sys/firmware"
# source code references /proc/device-tree/compatible, but it seems to be alright either way
"/proc"
]; ];
sandbox.whitelistAvDev = true;
sandbox.extraRuntimePaths = [ sandbox.extraRuntimePaths = [
"dconf" #< else it's very spammy, and slow "dconf" #< else it's very spammy, and slow
]; ];
# XXX(2024/04/21): without this it fails to convert .dng -> .jpg. # source code references /proc/device-tree/compatible, but it seems to be alright either way
# "bwrap: open /proc/34/ns/ns failed: No such file or directory" # sandbox.keepPidsAndProc = true;
sandbox.keepPidsAndProc = true;
suggestedPrograms = [ "dconf" ]; #< not sure if necessary suggestedPrograms = [ "dconf" ]; #< not sure if necessary
}; };

9
hosts/common/programs/wireplumber.nix
View File

@@ -12,14 +12,7 @@
# # "user" #< apparently not needed? # # "user" #< apparently not needed?
# ]; # ];
sandbox.whitelistAudio = true; sandbox.whitelistAudio = true;
sandbox.whitelistAvDev = true; #< i think these video inputs (for e.g. webcam) are optional. sandbox.whitelistAvDev = true;
sandbox.extraPaths = [
# "/run/systemd"
"/run/udev"
"/sys/class/sound"
"/sys/class/video4linux"
"/sys/devices"
];
# sandbox.keepPids = true; #< needed if i want rtkit to grant this higher scheduling priority # sandbox.keepPids = true; #< needed if i want rtkit to grant this higher scheduling priority
suggestedPrograms = [ "alsa-ucm-conf" ]; suggestedPrograms = [ "alsa-ucm-conf" ];

18
modules/programs/default.nix
View File

@@ -539,15 +539,27 @@ let
++ lib.optionals config.sandbox.keepPidsAndProc [ "/proc" ] ++ lib.optionals config.sandbox.keepPidsAndProc [ "/proc" ]
++ lib.optionals config.sandbox.whitelistAvDev [ ++ lib.optionals config.sandbox.whitelistAvDev [
"/dev/media0" "/dev/media0"
"/dev/media1"
"/dev/snd" "/dev/snd"
"/dev/v4l" "/dev/v4l"
"/dev/v4l-subdev0"
"/dev/v4l-subdev1"
"/dev/v4l-subdev2"
# /dev/videoN is used for webcam on lappy, and camera on moby # /dev/videoN is used for webcam on lappy, and camera on moby
"/dev/video0" "/dev/video0"
"/dev/video1" "/dev/video1"
"/dev/video2" "/dev/video2"
# "/sys/class/sound" "/dev/video3"
# "/sys/class/video4linux"
# "/sys/devices" # specifically for pipewire + wireplumber (for cameras on moby, they seem to both need these identical paths)
"/run/udev"
"/sys/bus/media" #< for moby camera
"/sys/class/sound"
"/sys/class/video4linux" #< for lappy camera
"/sys/dev/char" #< for moby camera
"/sys/devices"
"/sys/firmware" #< for moby camera, to parse its devicetree
# "/dev"
] ]
; ;
sandbox.extraRuntimePaths = sandbox.extraRuntimePaths =