pipewire: run with the System::Pipewire smack label 47/21747/3
authorGeorge Kiagiadakis <george.kiagiadakis@collabora.com>
Wed, 26 Jun 2019 11:48:29 +0000 (14:48 +0300)
committerJan-Simon Moeller <jsmoeller@linuxfoundation.org>
Thu, 27 Jun 2019 13:29:30 +0000 (13:29 +0000)
Pipewire shares memory with its clients using open file
descriptors (memfd or shared memory file) which are created within
pipewire and therefore they have the same smack label as the
pipewire process. Clients must be able to read and write to this
memory, therefore they need rw access to that smack label.

Since all AGL apps have only write access to the System label,
we need to use a different smack label which can be granted rw
access from the applications that need to use audio.
"System::Pipewire" is chosen here to follow the "System::Sub"
pattern that is described in the documentation.

Bug-AGL: SPEC-2554

Change-Id: I81cbf82adfde3ef4f67872bd91293370339b18d7
Signed-off-by: George Kiagiadakis <george.kiagiadakis@collabora.com>
meta-pipewire/recipes-multimedia/pipewire/pipewire/pipewire@.service
meta-pipewire/recipes-multimedia/pipewire/pipewire/smack-pipewire [new file with mode: 0644]
meta-pipewire/recipes-multimedia/pipewire/pipewire_git.bbappend

index 7ecdcc4..a603fdb 100644 (file)
@@ -15,6 +15,7 @@ Environment=DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/%i/bus
 
 User=%i
 Slice=user-%i.slice
+SmackProcessLabel=System::Pipewire
 SupplementaryGroups=audio
 UMask=0077
 CapabilityBoundingSet=
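Review bot: `SmackProcessLabel=System::Pipewire` labels only the daemon process; the listening socket of a socket-activated service is created by systemd from `pipewire@.socket`, which this commit does not change. That unit is not visible here, so this is a point to confirm rather than a certain defect. If the socket keeps systemd's label, any app with write access to `System` can presumably still connect, while only apps granted rw on `System::Pipewire` can use the shared memory. Setting `SmackLabelIPIn=System::Pipewire` and `SmackLabelIPOut=System::Pipewire` in the socket unit would make the connect check and the memory check agree on one label.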
diff --git a/meta-pipewire/recipes-multimedia/pipewire/pipewire/smack-pipewire b/meta-pipewire/recipes-multimedia/pipewire/pipewire/smack-pipewire
new file mode 100644 (file)
index 0000000..8d5b541
--- /dev/null
@@ -0,0 +1,8 @@
+System System::Pipewire rwxa--
+System::Pipewire System -wx---
+System::Pipewire System::Shared r-x---
+System::Pipewire System::Run rwxat-
+System::Pipewire System::Log rwxa--
+System::Pipewire _ r-x--l
+System::Pipewire User::Home r-x--l
+System::Pipewire User::App-Shared rwxat-
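Review bot: No rule in this file gives any application label access to `System::Pipewire`, although the commit description says clients need rw on that label; the only inbound rule is `System System::Pipewire rwxa--`. The grant is presumably issued elsewhere, for example by the application framework when an app holds an audio permission. Naming that place in the commit message or the recipe would let a reviewer check which subjects end up with rw. On the outbound side, `System::Pipewire User::Home r-x--l` and `System::Pipewire User::App-Shared rwxat-` give the audio daemon reach into user and app-shared data. If those two lines come from the generic "System::Sub" template rather than from something pipewire needs, dropping them would narrow what the daemon can touch.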
index 31253d0..8a0b074 100644 (file)
@@ -1,11 +1,12 @@
 SRC_URI += "\
     file://pipewire@.service \
     file://pipewire@.socket \
+    file://smack-pipewire \
     "
 
 do_install_append() {
     if ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'true', 'false', d)}; then
-        # remote the original user unit files shipped by pipewire
+        # remove the original user unit files shipped by pipewire
         rm -rf ${D}${systemd_unitdir}
 
         # install our own system-level templates
@@ -16,7 +17,14 @@ do_install_append() {
         # enable the socket to start together with afm-user-session
         mkdir -p ${D}${systemd_system_unitdir}/afm-user-session@.target.wants
         ln -sf ../pipewire@.socket ${D}${systemd_system_unitdir}/afm-user-session@.target.wants/pipewire@.socket
+
+        # install smack rules
+        mkdir -p ${D}${sysconfdir}/smack/accesses.d
+        install -m 0644 ${WORKDIR}/smack-pipewire ${D}${sysconfdir}/smack/accesses.d/pipewire
     fi
 }
 
-FILES_${PN} += "${systemd_system_unitdir}/*"
+FILES_${PN} += "\
+    ${systemd_system_unitdir}/* \
+    ${sysconfdir}/smack/accesses.d/* \
+"
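Review bot: The rules file is installed whenever `systemd` is in DISTRO_FEATURES, with no check that Smack is enabled for the image, at `install -m 0644 ${WORKDIR}/smack-pipewire ${D}${sysconfdir}/smack/accesses.d/pipewire`. If the layer is meant to build without Smack as well, the two added install lines could sit under their own `bb.utils.contains('DISTRO_FEATURES', 'smack', 'true', 'false', d)` test, assuming `smack` is the feature name the distro uses. The `# install smack rules` comment could also say which component loads `accesses.d` and when, since a rule file only takes effect once it has been loaded. The `FILES_${PN}` glob `${sysconfdir}/smack/accesses.d/*` is harmless when the directory is absent.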