Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 21 additions & 0 deletions policy/modules/apps/pipewire.fc
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
# PipeWire daemon executable.
/usr/bin/pipewire -- gen_context(system_u:object_r:pipewire_exec_t,s0)

# pw-cat is a standalone client utility (plays/captures audio via a running
# PipeWire daemon); it runs in pipewire_client_t, not pipewire_t.
# pw-play, pw-record, pw-midiplay etc. are symlinks to pw-cat and
# automatically inherit this label — no separate entries needed.
/usr/bin/pw-cat -- gen_context(system_u:object_r:pipewire_client_exec_t,s0)

# System-service runtime directory (/run/pipewire).
/run/pipewire(/.*)? gen_context(system_u:object_r:pipewire_runtime_t,s0)
Comment thread
pebenito marked this conversation as resolved.

# User-session runtime sockets live under $XDG_RUNTIME_DIR/pipewire and are
# labelled at runtime via userdom_user_runtime_filetrans; no static entry needed.

# Persistent system-service state.
/var/lib/pipewire(/.*)? gen_context(system_u:object_r:pipewire_var_lib_t,s0)

# User home configuration and state.
HOME_DIR/\.config/pipewire(/.*)? gen_context(system_u:object_r:pipewire_home_t,s0)
HOME_DIR/\.local/share/pipewire(/.*)? gen_context(system_u:object_r:pipewire_home_t,s0)
225 changes: 225 additions & 0 deletions policy/modules/apps/pipewire.if
Original file line number Diff line number Diff line change
@@ -0,0 +1,225 @@
## <summary>PipeWire multimedia daemon.</summary>

########################################
## <summary>
## Role access for PipeWire (user-service mode).
## Call this from unprivuser.te / staff.te in the same
## way pulseaudio_role is called.
## </summary>
## <param name="role_prefix">
## <summary>
## The prefix of the user role (e.g., "user" for user_r).
## </summary>
## </param>
## <param name="user_domain">
## <summary>
## User domain for the role (e.g., user_t).
## </summary>
## </param>
## <param name="user_exec_domain">
## <summary>
## User exec domain for execute and transition access
## (e.g., user_application_exec_domain).
## </summary>
## </param>
## <param name="role">
## <summary>
## Role allowed access (e.g., user_r).
## </summary>
## </param>
#
template(`pipewire_role',`
gen_require(`
attribute_role pipewire_roles;
type pipewire_t, pipewire_exec_t;
type pipewire_client_t, pipewire_client_exec_t;
type pipewire_home_t, pipewire_tmpfs_t, pipewire_runtime_t;
')

roleattribute $4 pipewire_roles;

domtrans_pattern($2, pipewire_exec_t, pipewire_t)
domtrans_pattern($3, pipewire_exec_t, pipewire_t)
domtrans_pattern($2, pipewire_client_exec_t, pipewire_client_t)
domtrans_pattern($3, pipewire_client_exec_t, pipewire_client_t)

allow $3 pipewire_t:process { ptrace signal_perms };
allow $3 pipewire_t:fd use;
ps_process_pattern($3, pipewire_t)

allow pipewire_t $3:unix_stream_socket connectto;
allow pipewire_t $3:process signull;

# Allow the user domain to manage and relabel pipewire home state files
# (e.g. restorecon after reinstall, stale file cleanup).
allow $2 pipewire_home_t:dir { manage_dir_perms relabel_dir_perms };
allow $2 pipewire_home_t:file { mmap_manage_file_perms relabel_file_perms };
allow $2 pipewire_home_t:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms };

# Allow the user domain to manage and relabel runtime sock files
# (e.g. stale socket cleanup after daemon crash).
allow $2 pipewire_runtime_t:dir { manage_dir_perms relabel_dir_perms };
allow $2 pipewire_runtime_t:sock_file { manage_sock_file_perms relabel_sock_file_perms };

# Allow the user domain to manage shared memory files created by the daemon.
pipewire_mmap_rw_tmpfs_files($2)
allow $2 pipewire_tmpfs_t:file relabel_file_perms;

optional_policy(`
systemd_user_app_status($1, pipewire_t)
systemd_user_app_socket_create($1, pipewire_t, pipewire_runtime_t)
')
')

########################################
## <summary>
## Execute a domain transition to run the PipeWire daemon.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`pipewire_domtrans',`
gen_require(`
type pipewire_t, pipewire_exec_t;
')

corecmd_search_bin($1)
domtrans_pattern($1, pipewire_exec_t, pipewire_t)
')

########################################
## <summary>
## Execute a domain transition to run a PipeWire client utility
## (e.g. pw-cat).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed to transition.
## </summary>
## </param>
#
interface(`pipewire_domtrans_client',`
gen_require(`
type pipewire_client_t, pipewire_client_exec_t;
')

corecmd_search_bin($1)
domtrans_pattern($1, pipewire_client_exec_t, pipewire_client_t)
')

########################################
## <summary>
## Connect to the PipeWire daemon over a Unix stream socket.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`pipewire_stream_connect',`
gen_require(`
type pipewire_t, pipewire_runtime_t;
')

files_search_runtime($1)
stream_connect_pattern($1, pipewire_runtime_t, pipewire_runtime_t, pipewire_t)
')

########################################
## <summary>
## Read and write connected PipeWire daemon stream sockets.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`pipewire_rw_stream_sockets',`
gen_require(`
type pipewire_t;
')

allow $1 pipewire_t:unix_stream_socket rw_socket_perms;
')

########################################
## <summary>
## Allow a domain to use file descriptors passed from PipeWire.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`pipewire_use_fds',`
gen_require(`
type pipewire_t;
')

allow $1 pipewire_t:fd use;
')

########################################
## <summary>
## Use file descriptors inherited from PipeWire clients.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`pipewire_use_client_fds',`
gen_require(`
type pipewire_client_t;
')

allow $1 pipewire_client_t:fd use;
')

########################################
## <summary>
## Allow a domain to read, write, and map PipeWire shared memory (tmpfs) files.
## These are memfd files passed between the daemon and its clients for
## zero-copy audio buffer sharing.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`pipewire_mmap_rw_tmpfs_files',`
gen_require(`
type pipewire_tmpfs_t;
')

fs_search_tmpfs($1)
mmap_rw_files_pattern($1, pipewire_tmpfs_t, pipewire_tmpfs_t)
')

########################################
## <summary>
## Allow a domain to read PipeWire home directory content.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`pipewire_read_home_files',`
gen_require(`
type pipewire_home_t;
')

userdom_search_user_home_dirs($1)
read_files_pattern($1, pipewire_home_t, pipewire_home_t)
read_lnk_files_pattern($1, pipewire_home_t, pipewire_home_t)
')
Loading
Loading