pipewire: add policy for PipeWire multimedia daemon #1109
Merged
+468
−0
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,21 @@ | ||
| # PipeWire daemon executable. | ||
| /usr/bin/pipewire -- gen_context(system_u:object_r:pipewire_exec_t,s0) | ||
|
|
||
| # pw-cat is a standalone client utility (plays/captures audio via a running | ||
| # PipeWire daemon); it runs in pipewire_client_t, not pipewire_t. | ||
| # pw-play, pw-record, pw-midiplay etc. are symlinks to pw-cat and | ||
| # automatically inherit this label — no separate entries needed. | ||
| /usr/bin/pw-cat -- gen_context(system_u:object_r:pipewire_client_exec_t,s0) | ||
|
|
||
| # System-service runtime directory (/run/pipewire). | ||
| /run/pipewire(/.*)? gen_context(system_u:object_r:pipewire_runtime_t,s0) | ||
|
|
||
| # User-session runtime sockets live under $XDG_RUNTIME_DIR/pipewire and are | ||
| # labelled at runtime via userdom_user_runtime_filetrans; no static entry needed. | ||
|
|
||
| # Persistent system-service state. | ||
| /var/lib/pipewire(/.*)? gen_context(system_u:object_r:pipewire_var_lib_t,s0) | ||
|
|
||
| # User home configuration and state. | ||
| HOME_DIR/\.config/pipewire(/.*)? gen_context(system_u:object_r:pipewire_home_t,s0) | ||
| HOME_DIR/\.local/share/pipewire(/.*)? gen_context(system_u:object_r:pipewire_home_t,s0) | ||
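Review bot: The comment on the `/usr/bin/pw-cat` entry says pw-play, pw-record and the other symlinks "automatically inherit this label", which is not what happens: the `--` qualifier restricts the entry to regular files, so setfiles/restorecon leave the symlinks themselves with the generic bin_t label, and the client transition still works only because execve resolves the link and checks the label of `/usr/bin/pw-cat`. Reword the comment to say that (the symlinks keep the default label; the transition is driven by the target's label) so nobody later adds `-l` entries for them. Separately, the `$XDG_RUNTIME_DIR/pipewire` comment depends on a `userdom_user_runtime_filetrans` call in the .te, which is not in the visible hunks, and a restorecon of the per-user runtime directory would relabel that directory back to the generic user runtime type; consider whether a static entry for the user runtime path is wanted alongside the `/run/pipewire(/.*)?` one.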
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,225 @@ | ||
| ## <summary>PipeWire multimedia daemon.</summary> | ||
|
|
||
| ######################################## | ||
| ## <summary> | ||
| ## Role access for PipeWire (user-service mode). | ||
| ## Call this from unprivuser.te / staff.te in the same | ||
| ## way pulseaudio_role is called. | ||
| ## </summary> | ||
| ## <param name="role_prefix"> | ||
| ## <summary> | ||
| ## The prefix of the user role (e.g., "user" for user_r). | ||
| ## </summary> | ||
| ## </param> | ||
| ## <param name="user_domain"> | ||
| ## <summary> | ||
| ## User domain for the role (e.g., user_t). | ||
| ## </summary> | ||
| ## </param> | ||
| ## <param name="user_exec_domain"> | ||
| ## <summary> | ||
| ## User exec domain for execute and transition access | ||
| ## (e.g., user_application_exec_domain). | ||
| ## </summary> | ||
| ## </param> | ||
| ## <param name="role"> | ||
| ## <summary> | ||
| ## Role allowed access (e.g., user_r). | ||
| ## </summary> | ||
| ## </param> | ||
| # | ||
| template(`pipewire_role',` | ||
| gen_require(` | ||
| attribute_role pipewire_roles; | ||
| type pipewire_t, pipewire_exec_t; | ||
| type pipewire_client_t, pipewire_client_exec_t; | ||
| type pipewire_home_t, pipewire_tmpfs_t, pipewire_runtime_t; | ||
| ') | ||
|
|
||
| roleattribute $4 pipewire_roles; | ||
|
|
||
| domtrans_pattern($2, pipewire_exec_t, pipewire_t) | ||
| domtrans_pattern($3, pipewire_exec_t, pipewire_t) | ||
| domtrans_pattern($2, pipewire_client_exec_t, pipewire_client_t) | ||
| domtrans_pattern($3, pipewire_client_exec_t, pipewire_client_t) | ||
|
|
||
| allow $3 pipewire_t:process { ptrace signal_perms }; | ||
| allow $3 pipewire_t:fd use; | ||
| ps_process_pattern($3, pipewire_t) | ||
|
|
||
| allow pipewire_t $3:unix_stream_socket connectto; | ||
| allow pipewire_t $3:process signull; | ||
|
|
||
| # Allow the user domain to manage and relabel pipewire home state files | ||
| # (e.g. restorecon after reinstall, stale file cleanup). | ||
| allow $2 pipewire_home_t:dir { manage_dir_perms relabel_dir_perms }; | ||
| allow $2 pipewire_home_t:file { mmap_manage_file_perms relabel_file_perms }; | ||
| allow $2 pipewire_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; | ||
|
|
||
| # Allow the user domain to manage and relabel runtime sock files | ||
| # (e.g. stale socket cleanup after daemon crash). | ||
| allow $2 pipewire_runtime_t:dir { manage_dir_perms relabel_dir_perms }; | ||
| allow $2 pipewire_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms }; | ||
|
|
||
| # Allow the user domain to manage shared memory files created by the daemon. | ||
| pipewire_mmap_rw_tmpfs_files($2) | ||
| allow $2 pipewire_tmpfs_t:file relabel_file_perms; | ||
|
|
||
| optional_policy(` | ||
| systemd_user_app_status($1, pipewire_t) | ||
| systemd_user_app_socket_create($1, pipewire_t, pipewire_runtime_t) | ||
| ') | ||
| ') | ||
|
|
||
| ######################################## | ||
| ## <summary> | ||
| ## Execute a domain transition to run the PipeWire daemon. | ||
| ## </summary> | ||
| ## <param name="domain"> | ||
| ## <summary> | ||
| ## Domain allowed to transition. | ||
| ## </summary> | ||
| ## </param> | ||
| # | ||
| interface(`pipewire_domtrans',` | ||
| gen_require(` | ||
| type pipewire_t, pipewire_exec_t; | ||
| ') | ||
|
|
||
| corecmd_search_bin($1) | ||
| domtrans_pattern($1, pipewire_exec_t, pipewire_t) | ||
| ') | ||
|
|
||
| ######################################## | ||
| ## <summary> | ||
| ## Execute a domain transition to run a PipeWire client utility | ||
| ## (e.g. pw-cat). | ||
| ## </summary> | ||
| ## <param name="domain"> | ||
| ## <summary> | ||
| ## Domain allowed to transition. | ||
| ## </summary> | ||
| ## </param> | ||
| # | ||
| interface(`pipewire_domtrans_client',` | ||
| gen_require(` | ||
| type pipewire_client_t, pipewire_client_exec_t; | ||
| ') | ||
|
|
||
| corecmd_search_bin($1) | ||
| domtrans_pattern($1, pipewire_client_exec_t, pipewire_client_t) | ||
| ') | ||
|
|
||
| ######################################## | ||
| ## <summary> | ||
| ## Connect to the PipeWire daemon over a Unix stream socket. | ||
| ## </summary> | ||
| ## <param name="domain"> | ||
| ## <summary> | ||
| ## Domain allowed access. | ||
| ## </summary> | ||
| ## </param> | ||
| # | ||
| interface(`pipewire_stream_connect',` | ||
| gen_require(` | ||
| type pipewire_t, pipewire_runtime_t; | ||
| ') | ||
|
|
||
| files_search_runtime($1) | ||
| stream_connect_pattern($1, pipewire_runtime_t, pipewire_runtime_t, pipewire_t) | ||
| ') | ||
|
|
||
| ######################################## | ||
| ## <summary> | ||
| ## Read and write connected PipeWire daemon stream sockets. | ||
| ## </summary> | ||
| ## <param name="domain"> | ||
| ## <summary> | ||
| ## Domain allowed access. | ||
| ## </summary> | ||
| ## </param> | ||
| # | ||
| interface(`pipewire_rw_stream_sockets',` | ||
| gen_require(` | ||
| type pipewire_t; | ||
| ') | ||
|
|
||
| allow $1 pipewire_t:unix_stream_socket rw_socket_perms; | ||
| ') | ||
|
|
||
| ######################################## | ||
| ## <summary> | ||
| ## Allow a domain to use file descriptors passed from PipeWire. | ||
| ## </summary> | ||
| ## <param name="domain"> | ||
| ## <summary> | ||
| ## Domain allowed access. | ||
| ## </summary> | ||
| ## </param> | ||
| # | ||
| interface(`pipewire_use_fds',` | ||
| gen_require(` | ||
| type pipewire_t; | ||
| ') | ||
|
|
||
| allow $1 pipewire_t:fd use; | ||
| ') | ||
|
|
||
| ######################################## | ||
| ## <summary> | ||
| ## Use file descriptors inherited from PipeWire clients. | ||
| ## </summary> | ||
| ## <param name="domain"> | ||
| ## <summary> | ||
| ## Domain allowed access. | ||
| ## </summary> | ||
| ## </param> | ||
| # | ||
| interface(`pipewire_use_client_fds',` | ||
| gen_require(` | ||
| type pipewire_client_t; | ||
| ') | ||
|
|
||
| allow $1 pipewire_client_t:fd use; | ||
| ') | ||
|
|
||
| ######################################## | ||
| ## <summary> | ||
| ## Allow a domain to read, write, and map PipeWire shared memory (tmpfs) files. | ||
| ## These are memfd files passed between the daemon and its clients for | ||
| ## zero-copy audio buffer sharing. | ||
| ## </summary> | ||
| ## <param name="domain"> | ||
| ## <summary> | ||
| ## Domain allowed access. | ||
| ## </summary> | ||
| ## </param> | ||
| # | ||
| interface(`pipewire_mmap_rw_tmpfs_files',` | ||
| gen_require(` | ||
| type pipewire_tmpfs_t; | ||
| ') | ||
|
|
||
| fs_search_tmpfs($1) | ||
| mmap_rw_files_pattern($1, pipewire_tmpfs_t, pipewire_tmpfs_t) | ||
| ') | ||
|
|
||
| ######################################## | ||
| ## <summary> | ||
| ## Allow a domain to read PipeWire home directory content. | ||
| ## </summary> | ||
| ## <param name="domain"> | ||
| ## <summary> | ||
| ## Domain allowed access. | ||
| ## </summary> | ||
| ## </param> | ||
| # | ||
| interface(`pipewire_read_home_files',` | ||
| gen_require(` | ||
| type pipewire_home_t; | ||
| ') | ||
|
|
||
| userdom_search_user_home_dirs($1) | ||
| read_files_pattern($1, pipewire_home_t, pipewire_home_t) | ||
| read_lnk_files_pattern($1, pipewire_home_t, pipewire_home_t) | ||
| ') |
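Review bot: `pipewire_stream_connect` grants only `files_search_runtime($1)` before the `stream_connect_pattern`, which is enough for the system socket in `/run/pipewire` but not for the user-session socket that the .fc comment places under `$XDG_RUNTIME_DIR/pipewire`: a client domain in user-service mode is denied search on the per-user runtime directory before it reaches the `pipewire_runtime_t` socket, so add the userdom search interface for the user runtime directory next to `files_search_runtime($1)`. In `pipewire_role`, `allow $3 pipewire_t:process { ptrace signal_perms };` lets the user exec domain read and modify the daemon's memory; it mirrors `pulseaudio_role`, but nothing in this file needs more than `ps_process_pattern($3, pipewire_t)`, so either drop `ptrace` or document why it is required. Lastly, `pipewire_read_home_files` pairs `userdom_search_user_home_dirs($1)` with read patterns on `pipewire_home_t`, but reaching `HOME_DIR/.config/pipewire` and `HOME_DIR/.local/share/pipewire` also needs search through the intermediate `.config` and `.local/share` directories, which that call alone does not grant.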