Skip to content

refpolicy-targeted: add Qualcomm-specific PipeWire SELinux support#2013

Closed
rchiluka29 wants to merge 1 commit into
qualcomm-linux:masterfrom
rchiluka29:pipe_policy
Closed

refpolicy-targeted: add Qualcomm-specific PipeWire SELinux support#2013
rchiluka29 wants to merge 1 commit into
qualcomm-linux:masterfrom
rchiluka29:pipe_policy

Conversation

@rchiluka29

@rchiluka29 rchiluka29 commented Apr 21, 2026

Copy link
Copy Markdown

Introduce a new SELinux policy module 'pipewire_stack' to confine the
PipeWire multimedia daemon and its associated runtime under a dedicated
least-privilege domain.

Changes include:

  • pipewire_stack.fc: File context definitions for PipeWire executables,
    configuration, shared data, runtime sockets, and persistent state
    under /usr/bin, /etc/pipewire, /usr/share/pipewire, /run/pipewire,
    and /var/lib/pipewire respectively.

  • pipewire_stack.if: Interface file stub for the pipewire_stack policy
    module, reserved for future cross-module interface definitions.

  • pipewire_stack.te: Type enforcement policy for the pipewire_t domain
    covering:

    • Process control: fork, signal handling, and scheduling (sys_nice)
      for low-latency audio operation
    • Runtime socket and directory management under /run/pipewire
    • ALSA sound device access (sound_device_t)
    • DMA device access (dma_device_t) for hardware audio offload
    • Shared memory (tmpfs/memfd) for zero-copy audio buffer handling
    • PulseAudio runtime compatibility (/run/pulse probing and PID file
      management)
    • sysfs and procfs read access for hardware discovery
    • System logging via syslog and systemd journal
    • Suppressed audit noise for expected /proc scan denials via
      dontaudit rules

- Suppressed audit noise for expected /proc scan denials via
dontaudit rules

Upstream-Status: Inappropriate [Qualcomm specific change]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why/How is it Inappropriate and Qualcomm specific?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks quite generic to me.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated the commit message and patch.

pipewire_stack.fc contains two Qualcomm-specific device node labels (/dev/aud_pasthru.* and /dev/msm_audio_mem.*) which are AudioReach ADSP communication devices present only on Qualcomm platforms

@rchiluka29 rchiluka29 force-pushed the pipe_policy branch 2 times, most recently from ad3f627 to db231f1 Compare April 28, 2026 11:58
/dev/aud_pasthru.* (AudioReach GPR passthrough) and
/dev/msm_audio_mem.* (AudioReach shared memory allocator) are not
present on non-Qualcomm platforms and are not suitable for upstream
refpolicy]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please split this into logical changes. AudioReach-specific changes should go to meta-audioreach.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did split the changes. This pr contains the generic changes. shall I raise for audioreach-specific changes in other PR ?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The audtioreach-specific changes should go to meta-audioreach.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But, in meta-audioreach (https://github.com/Audioreach/meta-audioreach), we don't have selinux related things right ?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right. But nothing stops you from adding the dynamic layer there.

+/run/pipewire(/.*)? gen_context(system_u:object_r:pipewire_run_t,s0)
+
+# --- Persistent state ---
+/var/lib/pipewire(/.*)? gen_context(system_u:object_r:pipewire_var_lib_t,s0)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nothing up to this line is Qualcomm-specific. Should those definitions go to the main repo instead?

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Raised PR on main repo: SELinuxProject/refpolicy#1109

@lumag

Copy link
Copy Markdown
Contributor

No stray merges,

with unconfined_t rules wrapped in optional_policy to handle
builds where the unconfined module is absent

Upstream-Status: Pending [to be submitted to SELinuxProject/refpolicy]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please come back when it's at least Submitted (or better, Backport).

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi Dmitry Baryshkov (@lumag), the upstream refpolicy PR has been submitted and is actively under review here:
SELinuxProject/refpolicy#1109

A note on the evolution of that PR: the initial version was written as a system service using init_daemon_domain, since that matched our deployment model on the Qualcomm platform. The upstream maintainer (pebenito) pointed out that the common case for PipeWire is as a user service, not a system service. I reworked the policy accordingly and the module was moved from policy/modules/services/ to policy/modules/apps/, init_daemon_domain was replaced with userdom_user_application_domain, and all other review feedback has been addressed. Please let me know if you'd like any further changes here.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please use tunable to support both modes (in the upstream commit). We definitely don't want a separate implementation inside our layer.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Understood. I'll add a pipewire_system_service tunable to the upstream PR so both modes are covered in a single implementation. The tunable will default to false (user service, as requested by pebenito) and when set to true will switch to init_daemon_domain, system runtime paths (/run/pipewire), and system state paths (/var/lib/pipewire). Once that's merged upstream, the Upstream-Status here can be updated to Backport.

Please confirm on this once.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SGTM

@rchiluka29

Copy link
Copy Markdown
Author

Hi Dmitry Baryshkov (@lumag), the PipeWire SELinux policy PR (SELinuxProject/refpolicy#1109 (SELinuxProject/refpolicy#1109)) is progressing upstream but blocked on user-service validation, which we can't test on our Qualcomm embedded platform. System-service mode is fully tested and working. Since PipeWire is a GA blocker for audio, can we merge the system-service policy internally into meta-qcom while we continue working on user-service validation for upstream?

@lumag

Copy link
Copy Markdown
Contributor

while we continue working on user-service validation for upstream?

The ETA for such validation? How would you do it? Can't you just validate it on your normal latop, which I assume has PipeWire running as a user service.

@rchiluka29

Copy link
Copy Markdown
Author

Hi Dmitry Baryshkov (@lumag) , upstream Pr #1109 has now been merged into refpolicy main on 2026-06-26. Both user-service and system-service modes have been supported.

This PR has been updated to remove the out-of-tree policy patch and replaced it with only the Qualcomm-specific downstream additions: POLICY_CUSTOM_BUILDOPT for system-service mode and the ADB shell support rules.

And this PR meta-audioreach also updated to label /dev/aud_pasthru.* and /dev/msm_audio_mem.* as sound_device_t.

@rchiluka29

Copy link
Copy Markdown
Author

while we continue working on user-service validation for upstream?

The ETA for such validation? How would you do it? Can't you just validate it on your normal latop, which I assume has PipeWire running as a user service.

validated user-service mode on fedora vm (aarch64) on upstream refpolicy.

+ init_rw_script_stream_sockets(pipewire_t)
+
+ # Allow ADB shell to launch PipeWire client utilities in pipewire_client_t.
+ domtrans_pattern(initrc_t, pipewire_client_exec_t, pipewire_client_t)

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this means that ADB has wrong context. In the end, ADB shell is the remote shell, logically the same as SSH.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed. But as of now adb is running as initrc_t. This patch is temporary workaround. The upstream maintainer also asked to keep it downstream till proper adb policy done in upstream.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So, you can proceed with the ADB policy, then there would be no need for temporal workarounds.

PipeWire client utilities (pw-play, pw-record etc.) to transition into
their dedicated pipewire_client_t domain when launched from ADB shell.

On standard Linux desktops ADB shell is not used, but on Qualcomm

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not true, ADBd is available e.g. in Debian.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, description updated.

${@bb.utils.contains('MACHINE_FEATURES', 'optee', '', 'file://0002-Enable-the-tunable-flag-tee_supplicant_qtee.patch', d)} \
"

POLICY_CUSTOM_BUILDOPT:qcom = "pipewire_system_service"

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Separate commit.

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks like a decision that should be made by the distro instead (meta-qcom-distro).

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed. Raised PR in meta-qcom-distro:
qualcomm-linux/meta-qcom-distro#383

Please have a look at it.

@rchiluka29 rchiluka29 force-pushed the pipe_policy branch 3 times, most recently from 73e8cc8 to 6e6acae Compare July 1, 2026 13:25
@lumag

Copy link
Copy Markdown
Contributor

This branch has conflicts that must be resolved

@rchiluka29 rchiluka29 changed the title refpolicy-targeted: Add SELinux policy for pipewire_stack refpolicy-targeted: add Qualcomm-specific PipeWire SELinux support Jul 1, 2026
The upstream PipeWire SELinux policy has been merged into refpolicy
(SELinuxProject/refpolicy#1109).
Set POLICY_CUSTOM_BUILDOPT to pipewire_system_service so that PipeWire
runs as a system-wide daemon on Qualcomm embedded targets.

Signed-off-by: Chiluka Rohith <rchiluka@qti.qualcomm.com>
@rchiluka29

Copy link
Copy Markdown
Author

Done. Dropped the ADB shell commit. Will raise a proper ADB domain policy upstream as a follow-up.

@rchiluka29

Copy link
Copy Markdown
Author

This branch has conflicts that must be resolved

Rebased on latest commit and cleared merged conflicts.

@ricardosalveti

Copy link
Copy Markdown
Contributor

Closing in favor of qualcomm-linux/meta-qcom-distro#383.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants