curlftpfs: document sandbox attempt

pipewire: split rtkit into own file, and use defaults from pipewire project
linux-megous: 6.7-20240306 -> 6.8-20240405
2024-04-23 09:08:05 +00:00 · 2024-04-23 09:08:05 +00:00 · 2024-04-23 09:08:05 +00:00 · 2024-04-23 09:08:05 +00:00 · 2024-04-23 09:08:05 +00:00 · 2024-04-23 09:08:05 +00:00
7 changed files with 107 additions and 23 deletions
--- a/hosts/common/programs/assorted.nix
+++ b/hosts/common/programs/assorted.nix
@ -881,7 +881,7 @@ in
      "/sys/bus/usb"
    ];

-    valgrind = {};
+    valgrind.sandbox.enable = false;  #< it's a launcher: can't sandbox

    visidata.sandbox.method = "bwrap";  # TODO:sandbox: untested
    visidata.sandbox.autodetectCliPaths = true;
--- a/hosts/common/programs/curlftpfs.nix
+++ b/hosts/common/programs/curlftpfs.nix
@ -21,5 +21,15 @@
        ln -s curlftpfs $out/bin/mount.curlftpfs
      '';
    });
+
+    # TODO: try to sandbox this better? maybe i can have fuse (unsandboxed) invoke curlftpfs (sandboxed)?
+    # - landlock gives EPERM
+    # - bwrap just silently doesn't mount it, maybe because of setuid stuff around fuse?
+    # sandbox.method = "capshonly";
+    # sandbox.net = "all";
+    # sandbox.capabilities = [
+    #   "sys_admin"
+    #   "sys_module"
+    # ];
  };
 }
--- a/hosts/common/programs/default.nix
+++ b/hosts/common/programs/default.nix
@ -95,6 +95,7 @@
    ./rhythmbox.nix
    ./ripgrep.nix
    ./rofi
+    ./rtkit.nix
    ./s6-rc.nix
    ./sane-input-handler
    ./sane-sandboxed.nix
--- a/hosts/common/programs/pipewire.nix
+++ b/hosts/common/programs/pipewire.nix
@ -21,10 +21,14 @@ in
      };
    };

-    suggestedPrograms = [ "wireplumber" ];
+    suggestedPrograms = [
+      "rtkit"
+      "wireplumber"
+    ];

-    # sandbox.method = "landlock";  #< also works
-    sandbox.method = "bwrap";
+    # sandbox.method = "landlock";
+    sandbox.method = "bwrap";  #< also works, but can't claim the full scheduling priority it wants
+    sandbox.whitelistAudio = true;
    sandbox.whitelistDbus = [
      # dbus is used for rtkit integration
      # rtkit runs on the system bus.
@ -37,11 +41,14 @@ in
    ];
    sandbox.wrapperType = "inplace";  #< its config files refer to its binaries by full path
    sandbox.extraConfig = [
-      "--sane-sandbox-keep-namespace" "pid"
+      "--sane-sandbox-keep-namespace" "pid"  #< required for rtkit
    ];
+    # sandbox.capabilities = [
+    #   # if rtkit isn't present, and sandboxing is via landlock, these capabilities allow pipewire to claim higher scheduling priority
+    #   "ipc_lock"
+    #   "sys_nice"
+    # ];
    sandbox.usePortal = false;
-    # needs to *create* the various device files, so needs write access to the /run/user/$uid directory itself
-    sandbox.extraRuntimePaths = [ "/" ];
    sandbox.extraPaths = [
      "/dev/snd"
      # desko/lappy don't need these, but moby complains if not present
@ -52,6 +59,7 @@ in
    sandbox.extraHomePaths = [
      # pulseaudio cookie
      ".config/pulse"
+      ".config/pipewire"
    ];

    # note the .conf.d approach: using ~/.config/pipewire/pipewire.conf directly breaks all audio,
@ -83,6 +91,7 @@ in
    services.pipewire = {
      description = "pipewire: multimedia service";
      partOf = [ "sound" ];
+      # depends = [ "rtkit" ];
      # depends = [ "xdg-desktop-portal" ];  # for Realtime portal (dependency cycle)
      # env PIPEWIRE_LOG_SYSTEMD=false"
      # env PIPEWIRE_DEBUG"*:3,mod.raop*:5,pw.rtsp-client*:5"
@ -100,7 +109,10 @@ in
      description = "pipewire-pulse: Pipewire compatibility layer for PulseAudio clients";
      depends = [ "pipewire" ];
      partOf = [ "sound" ];
-      command = "pipewire-pulse";
+      command = pkgs.writeShellScript "pipewire-pulse-start" ''
+        mkdir -p $XDG_RUNTIME_DIR/pulse
+        exec pipewire-pulse
+      '';
      readiness.waitExists = [
        "$XDG_RUNTIME_DIR/pulse/native"
        "$XDG_RUNTIME_DIR/pulse/pid"
@ -128,12 +140,4 @@ in
  services.udev.packages = lib.mkIf cfg.enabled [
    cfg.package
  ];
-
-  # rtkit/RealtimeKit: allow applications which want realtime audio (e.g. Dino? Pulseaudio server?) to request it.
-  # this might require more configuration (e.g. polkit-related) to work exactly as desired.
-  # - readme outlines requirements: <https://github.com/heftig/rtkit>
-  # XXX(2023/10/12): rtkit does not play well on moby. any application sending audio out dies after 10s.
-  # - note that `rtkit-daemon` can be launched with a lot of config: pipewire docs (top of this file)
-  #   suggest using a much less aggressive canary. maybe try that?
-  security.rtkit.enable = lib.mkIf cfg.enabled true;
 }
--- a/hosts/common/programs/rtkit.nix
+++ b/hosts/common/programs/rtkit.nix
@ -0,0 +1,67 @@
+# rtkit/RealtimeKit: allow applications which want realtime audio (e.g. Dino? Pulseaudio server?) to request it.
+# this might require more configuration (e.g. polkit-related) to work exactly as desired.
+# - readme outlines requirements: <https://github.com/heftig/rtkit>
+# XXX(2023/10/12): rtkit does not play well on moby. any application sending audio out dies after 10s.
+# - note that `rtkit-daemon` can be launched with a lot of config
+#   - suggest using a much less aggressive canary. maybe try that?
+#   - see: <https://gitlab.freedesktop.org/pipewire/pipewire/-/wikis/Performance-tuning>
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.sane.programs.rtkit;
+in
+{
+  sane.programs.rtkit = {
+    packageUnwrapped = pkgs.rmDbusServices pkgs.rtkit;
+    # services.rtkit = {
+    #   description = "rtkit: grant realtime scheduling privileges to select processes";
+    #   command = "${cfg.package}/libexec/rtkit-daemon";
+    # };
+  };
+
+  systemd.services.rtkit-daemon = lib.mkIf cfg.enabled {
+    description = "rtkit: grant realtime scheduling privileges to select processes";
+    wantedBy = [ "default.target" ];
+    serviceConfig = {
+      ExecStart = lib.escapeShellArgs [
+        "${cfg.package}/libexec/rtkit-daemon"
+        "--scheduling-policy=FIFO"
+        "--our-realtime-priority=89"
+        "--max-realtime-priority=88"
+        "--min-nice-level=-19"
+        "--rttime-usec-max=2000000"
+        "--users-max=100"
+        "--processes-per-user-max=1000"
+        "--threads-per-user-max=10000"
+        "--actions-burst-sec=10"
+        "--actions-per-burst-max=1000"
+        "--canary-cheep-msec=30000"
+        "--canary-watchdog-msec=60000"
+      ];
+
+      Type = "simple";
+      # Type = "dbus";
+      # BusName = "org.freedesktop.RealtimeKit1";
+      Restart = "on-failure";
+      # User = "rtkit";  # it wants starts as root
+      # Group = "rtkit";
+      # wantedBy = [ "default.target" ];
+      # TODO: harden
+      CapabilityBoundingSet = "CAP_SYS_NICE CAP_DAC_READ_SEARCH CAP_SYS_CHROOT CAP_SETGID CAP_SETUID";
+    };
+  };
+  users.users.rtkit = lib.mkIf cfg.enabled {
+    isSystemUser = true;
+    group = "rtkit";
+    description = "RealtimeKit daemon";
+  };
+  users.groups.rtkit = lib.mkIf cfg.enabled {};
+
+
+  environment.systemPackages = lib.mkIf cfg.enabled [
+    # for /share/polkit-1, but unclear if actually needed
+    cfg.package
+  ];
+  security.polkit = lib.mkIf cfg.enabled {
+    enable = true;
+  };
+}
--- a/hosts/common/programs/wireplumber.nix
+++ b/hosts/common/programs/wireplumber.nix
@ -3,9 +3,8 @@
  sane.programs.wireplumber = {
    sandbox.method = "bwrap";
    sandbox.whitelistDbus = [
-      # i think this isn't strictly necessary; it just wants to ask the portal for realtime perms
-      # "system"
-      "user"
+      "system"  #< so it can request better scheduling from rtkit
+      "user"  #< TODO: is this needed?
    ];
    sandbox.whitelistAudio = true;
    sandbox.extraPaths = [
@ -21,6 +20,10 @@
      "/sys/class/video4linux"
      "/sys/devices"
    ];
+    sandbox.extraConfig = [
+      # needed if i want rtkit to grant this higher scheduling priority
+      "--sane-sandbox-keep-namespace" "pid"
+    ];

    suggestedPrograms = [ "alsa-ucm-conf" ];

--- a/pkgs/additional/linux-megous/default.nix
+++ b/pkgs/additional/linux-megous/default.nix
@ -19,7 +19,6 @@ with lib;
 let
  # HOW TO UPDATE:
  # - see: <https://xnux.eu/log/094.html>
-  # - `wget https://xff.cz/kernels/git/orange-pi-active.bundle`
  # - `git fetch torvalds`
  # - `curl -o .bundle https://xff.cz/kernels/git/orange-pi-active.bundle`
  # - `git fetch .bundle '+refs/heads/*:refs/remotes/megi/*'`
@ -41,9 +40,9 @@ let
  # - orange-pi is listed as the "main integration branch".
  #   - this suggests it's NOT a stable branch, only `orange-pi-X.YY-YYYYMMDD-NNNN` tags are "formal" releases
  #   - specific branches like `pp` (pinephone) are dev branches, and probably less stable.
-  rev = "orange-pi-6.7-20240306-2359";
-  base = "6.7.9";
-  hash = "sha256-UQanb0l9yNWrccQLuKNln4CfvoaMy9zDKtBhnDG7yPE=";
+  rev = "orange-pi-6.8-20240405-1842";
+  base = "6.8.4";
+  hash = "sha256-9PG/P8NxD4HyG+tE59AjHClAmH9E8yuysN5YUyf1qAk=";
  # set to empty if not a release candidate, else `-rc<N>`
  rc = "";
Author	SHA1	Message	Date
Colin	10fc7bbb84	curlftpfs: document sandbox attempt	2024-04-23 09:08:05 +00:00
Colin	87e3f2a9ef	pipewire: split rtkit into own file, and use defaults from pipewire project	2024-04-23 09:08:05 +00:00
Colin	5006692594	linux-megous: 6.7-20240306 -> 6.8-20240405	2024-04-23 09:08:05 +00:00
Colin	9481131daf	pipewire: sandbox with landlock (so that rtkit integration works) and split rtkit into own file	2024-04-23 09:08:05 +00:00
Colin	ae418fb2d1	valgrind: mark as not sandboxable	2024-04-23 09:08:05 +00:00
Colin	c174eddddf	wireplumber: sandbox such that it gets higher sched priority	2024-04-23 09:08:05 +00:00
Colin	6d74c6616c	pipewire: shrink the mount sandbox	2024-04-23 09:08:05 +00:00