systemd: Limit system manager socket permissions

Remove group permission on the system manager socket so that restricted
clients cannot use it to get unrestricted access. It is assumed that the
session manager system service (wireplumber) is running as pipewire user
and will get access to the manager socket, while other clients are
members of the pipewire group and will only get access to the normal
socket.
Jonas Holmberg 2023-11-02 16:24:50 +01:00 committed by Wim Taymans
parent 35b115fd6c
commit 0163d4d440
4 changed files with 16 additions and 4 deletions


@ -3,7 +3,7 @@ if get_option('systemd-system-unit-dir') != ''
systemd_system_services_dir = get_option('systemd-system-unit-dir')
endif
install_data(sources : 'pipewire.socket',
install_data(sources : ['pipewire.socket', 'pipewire-manager.socket'],
install_dir : systemd_system_services_dir)
systemd_config = configuration_data()


@ -0,0 +1,13 @@
[Unit]
Description=PipeWire Multimedia System Manager Socket
[Socket]
Service=pipewire.service
Priority=6
ListenStream=%t/pipewire/pipewire-0-manager
SocketUser=pipewire
SocketGroup=pipewire
SocketMode=0600
[Install]
WantedBy=sockets.target
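Review bot: The new unit gives no reason for `SocketMode=0600`, although that one line is the whole access control for the manager socket and is what separates it from the 0660 client socket. A comment above it would keep a later edit from relaxing it, for example `# Owner-only on purpose: only the session manager (running as the pipewire user) may connect; pipewire group members use pipewire-0.` With mode 0600 the `SocketGroup=pipewire` line grants nothing, so it could be dropped or marked as inert. Any other process running as the pipewire user also reaches this socket, so that account should stay dedicated to the daemon and the session manager.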


@ -31,5 +31,5 @@ User=pipewire
Environment=PIPEWIRE_RUNTIME_DIR=%t/pipewire
[Install]
Also=pipewire.socket
Also=pipewire.socket pipewire-manager.socket
WantedBy=default.target
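Review bot: `Also=` only affects what `systemctl enable` and `disable` act on, so this line does not make the service pull in the manager socket when it starts. The [Unit] section lies outside the hunk; if it carries a `Requires=pipewire.socket` line, it probably wants to become `Requires=pipewire.socket pipewire-manager.socket`, so that the socket in use is always the systemd-created one with mode 0600. Without that, a service started while the manager socket unit is inactive may leave the daemon to create the socket itself, with permissions this commit does not control; that is worth confirming against the daemon's behaviour.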


@ -1,10 +1,9 @@
[Unit]
Description=PipeWire Multimedia System Sockets
Description=PipeWire Multimedia System Socket
[Socket]
Priority=6
ListenStream=%t/pipewire/pipewire-0
ListenStream=%t/pipewire/pipewire-0-manager
SocketUser=pipewire
SocketGroup=pipewire
SocketMode=0660