mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2025-10-29 05:40:27 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

systemd: Limit system manager socket permissions

Browse source 
Remove group permission on the system manager socket so that restricted
clients cannot use it to get unrestricted access. It is assumed that the
session manager system service (wireplumber) is running as pipewire user
and will get access to the manager socket, while other clients are
members of the pipewire group and will only get access to the normal
socket.
This commit is contained in:
Jonas Holmberg 2023-11-02 16:24:50 +01:00 committed by Wim Taymans
parent 35b115fd6c
commit 0163d4d440
4 changed files with 16 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/daemon/systemd/system/meson.build
View file

@ -3,7 +3,7 @@ if get_option('systemd-system-unit-dir') != ''
systemd_system_services_dir = get_option('systemd-system-unit-dir') systemd_system_services_dir = get_option('systemd-system-unit-dir')
endif endif
install_data(sources : 'pipewire.socket', install_data(sources : ['pipewire.socket', 'pipewire-manager.socket'],
install_dir : systemd_system_services_dir) install_dir : systemd_system_services_dir)
systemd_config = configuration_data() systemd_config = configuration_data()

13
src/daemon/systemd/system/pipewire-manager.socket Normal file
View file

@ -0,0 +1,13 @@
[Unit]
Description=PipeWire Multimedia System Manager Socket
[Socket]
Service=pipewire.service
Priority=6
ListenStream=%t/pipewire/pipewire-0-manager
SocketUser=pipewire
SocketGroup=pipewire
SocketMode=0600
[Install]
WantedBy=sockets.target

2
src/daemon/systemd/system/pipewire.service.in
View file

@ -31,5 +31,5 @@ User=pipewire
Environment=PIPEWIRE_RUNTIME_DIR=%t/pipewire Environment=PIPEWIRE_RUNTIME_DIR=%t/pipewire
[Install] [Install]
Also=pipewire.socket Also=pipewire.socket pipewire-manager.socket
WantedBy=default.target WantedBy=default.target

3
src/daemon/systemd/system/pipewire.socket
View file

@ -1,10 +1,9 @@
[Unit] [Unit]
Description=PipeWire Multimedia System Sockets Description=PipeWire Multimedia System Socket
[Socket] [Socket]
Priority=6 Priority=6
ListenStream=%t/pipewire/pipewire-0 ListenStream=%t/pipewire/pipewire-0
ListenStream=%t/pipewire/pipewire-0-manager
SocketUser=pipewire SocketUser=pipewire
SocketGroup=pipewire SocketGroup=pipewire
SocketMode=0660 SocketMode=0660