Remove RestrictNamespaces from systemd service

libcamera uses namespaces to sandbox IPA (Image Processing Algorithm)
modules because they are sometimes proprietary binary blobs.  The
RestrictNamespaces option in Wireplumber's systemd service breaks this
sandboxing when libcamera is loaded via the libcamera SPA module, so
cameras requiring an IPA do not work.

This commit removes RestrictNamespaces so that the sandboxing works
again.  I've confirmed that after this change wireplumber works with
libcamera with an IPA module.

Resolves #466
David Turner
2023-06-13 11:53:03 +01:00
parent 6dc5ac089a
commit f112d424ca
4 changed files with 0 additions and 4 deletions

@@ -8,7 +8,6 @@ Conflicts=pipewire-media-session.service
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
RestrictNamespaces=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
Type=simple
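
Review bot: Deleting `RestrictNamespaces=yes` (between `NoNewPrivileges=yes` and `SystemCallArchitectures=native`) lifts the restriction for every namespace type, which is broader than the commit message calls for. `RestrictNamespaces=` also accepts a space-separated list of namespace types to permit (`cgroup`, `ipc`, `net`, `mnt`, `pid`, `user`, `uts`), so consider replacing the line with a list of only the types the libcamera IPA sandbox creates, keeping the rest denied. Which types those are is not stated in the commit message and should be established first.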

@@ -13,7 +13,6 @@ Conflicts=pipewire-media-session.service
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
RestrictNamespaces=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
Type=simple
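
Review bot: Missing documentation at the position where `RestrictNamespaces=yes` used to sit in the hardening block: nothing in the unit records why this one option is absent while `LockPersonality=yes`, `MemoryDenyWriteExecute=yes` and `NoNewPrivileges=yes` remain, so a later hardening pass could re-add it and break IPA cameras again. Suggest a one-line comment there that mentions libcamera's IPA sandboxing and issue #466.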

@@ -8,7 +8,6 @@ Conflicts=pipewire-media-session.service
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
RestrictNamespaces=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
Type=simple

@@ -13,7 +13,6 @@ Conflicts=pipewire-media-session.service
LockPersonality=yes
MemoryDenyWriteExecute=yes
NoNewPrivileges=yes
RestrictNamespaces=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
Type=simple
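
Review bot: The same one-line removal is repeated in all four unit files (two hunks at line 8, two at line 13), but the commit message reports a single confirmation without saying which unit was exercised. Please note which of the four variants was tested with an IPA module, and confirm that the remaining ones load libcamera through the same SPA module path, so the relaxation is not applied to a unit that does not need it.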