pipewire,wireplumber: fix sandboxing to allow portal-based camera apps (i.e. snapshot)

This commit is contained in:
2024-11-29 18:28:22 +00:00
parent 947660ec8f
commit dfe06af8d3
2 changed files with 29 additions and 16 deletions


@@ -45,8 +45,21 @@ in
}; };
}; };
# disabling systemd causes pipewire to be built with direct udev support instead packageUnwrapped = pkgs.pipewire.override {
packageUnwrapped = pkgs.pipewire.override { enableSystemd = false; }; # disabling systemd causes pipewire to be built with direct udev support instead.
# i added this probably because i don't use system'd logind?
enableSystemd = false;
# XXX(2024-11-29): patch to fix camera support on moby.
# see: <https://github.com/NixOS/nixpkgs/pull/353336>
# this is identical to the above patch, but less costly than cherry-picking it into nixpkgs-bootstrap,
# as that would force mass rebuilds.
# **remove once 353336 is merged**.
libcamera = pkgs.libcamera.overrideAttrs (upstream: {
postFixup = (upstream.postFixup or "") + ''
../src/ipa/ipa-sign-install.sh src/ipa-priv-key.pem $out/lib/libcamera/ipa_*.so
'';
});
};
suggestedPrograms = [ suggestedPrograms = [
# "rtkit" # "rtkit"
@@ -55,16 +68,16 @@ in
]; ];
sandbox.whitelistAudio = true; sandbox.whitelistAudio = true;
# sandbox.whitelistDbus = [ sandbox.whitelistDbus = [
# # dbus is used for rtkit integration # dbus is used for rtkit integration
# # rtkit runs on the system bus. # rtkit runs on the system bus.
# # xdg-desktop-portal then exposes this to the user bus. # xdg-desktop-portal then exposes this to the user bus.
# # therefore, user bus should be all that's needed, but... # therefore, user bus should be all that's needed, but...
# # xdg-desktop-portal-wlr depends on pipewire, hence pipewire has to start before xdg-desktop-portal. # xdg-desktop-portal-wlr depends on pipewire, hence pipewire has to start before xdg-desktop-portal.
# # then, pipewire has to talk specifically to rtkit (system) and not go through xdp. # then, pipewire has to talk specifically to rtkit (system) and not go through xdp.
# # "user" # "system" #< not required UNLESS i want rtkit integration
# "system" "user" #< required for camera sharing, especially through xdg-desktop-portal, e.g. `snapshot` application
# ]; ];
sandbox.wrapperType = "inplace"; #< its config files refer to its binaries by full path sandbox.wrapperType = "inplace"; #< its config files refer to its binaries by full path
sandbox.keepPidsAndProc = true; #< TODO: why? sandbox.keepPidsAndProc = true; #< TODO: why?
sandbox.whitelistAvDev = true; sandbox.whitelistAvDev = true;
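Review bot: The libcamera override's postFixup addresses the signing script and key by paths relative to the current directory (`../src/ipa/ipa-sign-install.sh`, `src/ipa-priv-key.pem`), so it only works if postFixup is still running from the meson build directory; if that ever changes, the script or key is simply missing and the modules end up unsigned without the build failing. A guard such as `test -f src/ipa-priv-key.pem || { echo "libcamera IPA key not found"; exit 1; }` before the call makes that failure loud. The security consequence of the re-sign also deserves a comment, since as I understand libcamera it runs IPA modules whose signature does not verify in an isolated process, so re-signing after strip/patchelf puts them back in-process: something like `# re-sign after fixup: strip/patchelf invalidates the build-time signature, and unsigned IPA modules would otherwise be loaded isolated (which breaks camera use here)`. Separately, `sandbox.whitelistDbus = [ "user" ]` widens pipewire's sandbox from no bus access to the whole session bus; recording next to it which bus names are actually required (presumably the portal's camera interface) would make it possible to tighten later if the sandbox layer gains per-name filtering.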


@@ -6,10 +6,10 @@
pipewire = config.sane.programs.pipewire.packageUnwrapped; pipewire = config.sane.programs.pipewire.packageUnwrapped;
}; };
# sandbox.whitelistDbus = [ sandbox.whitelistDbus = [
# "system" #< so it can request better scheduling from rtkit # "system" #< so it can request better scheduling from rtkit
# # "user" #< apparently not needed? "user" #< required for camera sharing, especially through xdg-desktop-portal, e.g. `snapshot` application
# ]; ];
sandbox.whitelistAudio = true; sandbox.whitelistAudio = true;
sandbox.whitelistAvDev = true; sandbox.whitelistAvDev = true;
# sandbox.keepPids = true; #< needed if i want rtkit to grant this higher scheduling priority # sandbox.keepPids = true; #< needed if i want rtkit to grant this higher scheduling priority