refpolicy-targeted: add Qualcomm-specific PipeWire SELinux support#2013
refpolicy-targeted: add Qualcomm-specific PipeWire SELinux support#2013rchiluka29 wants to merge 1 commit into
Conversation
| - Suppressed audit noise for expected /proc scan denials via | ||
| dontaudit rules | ||
|
|
||
| Upstream-Status: Inappropriate [Qualcomm specific change] |
There was a problem hiding this comment.
Why/How is it Inappropriate and Qualcomm specific?
There was a problem hiding this comment.
This looks quite generic to me.
There was a problem hiding this comment.
Updated the commit message and patch.
pipewire_stack.fc contains two Qualcomm-specific device node labels (/dev/aud_pasthru.* and /dev/msm_audio_mem.*) which are AudioReach ADSP communication devices present only on Qualcomm platforms
ad3f627 to
db231f1
Compare
| /dev/aud_pasthru.* (AudioReach GPR passthrough) and | ||
| /dev/msm_audio_mem.* (AudioReach shared memory allocator) are not | ||
| present on non-Qualcomm platforms and are not suitable for upstream | ||
| refpolicy] |
There was a problem hiding this comment.
Please split this into logical changes. AudioReach-specific changes should go to meta-audioreach.
There was a problem hiding this comment.
I did split the changes. This pr contains the generic changes. shall I raise for audioreach-specific changes in other PR ?
There was a problem hiding this comment.
The audtioreach-specific changes should go to meta-audioreach.
There was a problem hiding this comment.
But, in meta-audioreach (https://github.com/Audioreach/meta-audioreach), we don't have selinux related things right ?
There was a problem hiding this comment.
Right. But nothing stops you from adding the dynamic layer there.
| +/run/pipewire(/.*)? gen_context(system_u:object_r:pipewire_run_t,s0) | ||
| + | ||
| +# --- Persistent state --- | ||
| +/var/lib/pipewire(/.*)? gen_context(system_u:object_r:pipewire_var_lib_t,s0) |
There was a problem hiding this comment.
Nothing up to this line is Qualcomm-specific. Should those definitions go to the main repo instead?
There was a problem hiding this comment.
Raised PR on main repo: SELinuxProject/refpolicy#1109
|
No stray merges, |
| with unconfined_t rules wrapped in optional_policy to handle | ||
| builds where the unconfined module is absent | ||
|
|
||
| Upstream-Status: Pending [to be submitted to SELinuxProject/refpolicy] |
There was a problem hiding this comment.
Please come back when it's at least Submitted (or better, Backport).
There was a problem hiding this comment.
Hi Dmitry Baryshkov (@lumag), the upstream refpolicy PR has been submitted and is actively under review here:
SELinuxProject/refpolicy#1109
A note on the evolution of that PR: the initial version was written as a system service using init_daemon_domain, since that matched our deployment model on the Qualcomm platform. The upstream maintainer (pebenito) pointed out that the common case for PipeWire is as a user service, not a system service. I reworked the policy accordingly and the module was moved from policy/modules/services/ to policy/modules/apps/, init_daemon_domain was replaced with userdom_user_application_domain, and all other review feedback has been addressed. Please let me know if you'd like any further changes here.
There was a problem hiding this comment.
Please use tunable to support both modes (in the upstream commit). We definitely don't want a separate implementation inside our layer.
There was a problem hiding this comment.
Understood. I'll add a pipewire_system_service tunable to the upstream PR so both modes are covered in a single implementation. The tunable will default to false (user service, as requested by pebenito) and when set to true will switch to init_daemon_domain, system runtime paths (/run/pipewire), and system state paths (/var/lib/pipewire). Once that's merged upstream, the Upstream-Status here can be updated to Backport.
Please confirm on this once.
|
Hi Dmitry Baryshkov (@lumag), the PipeWire SELinux policy PR (SELinuxProject/refpolicy#1109 (SELinuxProject/refpolicy#1109)) is progressing upstream but blocked on user-service validation, which we can't test on our Qualcomm embedded platform. System-service mode is fully tested and working. Since PipeWire is a GA blocker for audio, can we merge the system-service policy internally into meta-qcom while we continue working on user-service validation for upstream? |
The ETA for such validation? How would you do it? Can't you just validate it on your normal latop, which I assume has PipeWire running as a user service. |
|
Hi Dmitry Baryshkov (@lumag) , upstream Pr #1109 has now been merged into refpolicy main on 2026-06-26. Both user-service and system-service modes have been supported. This PR has been updated to remove the out-of-tree policy patch and replaced it with only the Qualcomm-specific downstream additions: POLICY_CUSTOM_BUILDOPT for system-service mode and the ADB shell support rules. And this PR meta-audioreach also updated to label /dev/aud_pasthru.* and /dev/msm_audio_mem.* as sound_device_t. |
validated user-service mode on fedora vm (aarch64) on upstream refpolicy. |
| + init_rw_script_stream_sockets(pipewire_t) | ||
| + | ||
| + # Allow ADB shell to launch PipeWire client utilities in pipewire_client_t. | ||
| + domtrans_pattern(initrc_t, pipewire_client_exec_t, pipewire_client_t) |
There was a problem hiding this comment.
I think this means that ADB has wrong context. In the end, ADB shell is the remote shell, logically the same as SSH.
There was a problem hiding this comment.
Agreed. But as of now adb is running as initrc_t. This patch is temporary workaround. The upstream maintainer also asked to keep it downstream till proper adb policy done in upstream.
There was a problem hiding this comment.
So, you can proceed with the ADB policy, then there would be no need for temporal workarounds.
| PipeWire client utilities (pw-play, pw-record etc.) to transition into | ||
| their dedicated pipewire_client_t domain when launched from ADB shell. | ||
|
|
||
| On standard Linux desktops ADB shell is not used, but on Qualcomm |
There was a problem hiding this comment.
This is not true, ADBd is available e.g. in Debian.
| ${@bb.utils.contains('MACHINE_FEATURES', 'optee', '', 'file://0002-Enable-the-tunable-flag-tee_supplicant_qtee.patch', d)} \ | ||
| " | ||
|
|
||
| POLICY_CUSTOM_BUILDOPT:qcom = "pipewire_system_service" |
There was a problem hiding this comment.
Separate commit.
There was a problem hiding this comment.
This looks like a decision that should be made by the distro instead (meta-qcom-distro).
There was a problem hiding this comment.
Agreed. Raised PR in meta-qcom-distro:
qualcomm-linux/meta-qcom-distro#383
Please have a look at it.
73e8cc8 to
6e6acae
Compare
|
The upstream PipeWire SELinux policy has been merged into refpolicy (SELinuxProject/refpolicy#1109). Set POLICY_CUSTOM_BUILDOPT to pipewire_system_service so that PipeWire runs as a system-wide daemon on Qualcomm embedded targets. Signed-off-by: Chiluka Rohith <rchiluka@qti.qualcomm.com>
|
Done. Dropped the ADB shell commit. Will raise a proper ADB domain policy upstream as a follow-up. |
Rebased on latest commit and cleared merged conflicts. |
|
Closing in favor of qualcomm-linux/meta-qcom-distro#383. |
Introduce a new SELinux policy module 'pipewire_stack' to confine the
PipeWire multimedia daemon and its associated runtime under a dedicated
least-privilege domain.
Changes include:
pipewire_stack.fc: File context definitions for PipeWire executables,
configuration, shared data, runtime sockets, and persistent state
under /usr/bin, /etc/pipewire, /usr/share/pipewire, /run/pipewire,
and /var/lib/pipewire respectively.
pipewire_stack.if: Interface file stub for the pipewire_stack policy
module, reserved for future cross-module interface definitions.
pipewire_stack.te: Type enforcement policy for the pipewire_t domain
covering:
for low-latency audio operation
management)
dontaudit rules