From 6d4d77802a7b77662a9520aea6ed9b9f6241cfa0 Mon Sep 17 00:00:00 2001
From: Pauli Virtanen <pav@iki.fi>
Date: Sun, 31 Jul 2022 15:25:20 +0300
Subject: [PATCH] pulse-server: give Manager permission for Flatpak apps with
 devices=all

Some Flatpak apps want to manage sound fully (change default outputs,
move streams from other applications).  Real Pulseaudio always grants
full permissions, but pipewire-pulse doesn't, which breaks some
applications, e.g. Zoom.

Work around this by granting the manager permission if the application
also has devices=all access.

To do things properly, this probably should use the Portal media roles,
but this would need further work elsewhere.
---
 src/modules/module-protocol-pulse/server.c | 31 ++++++++++++++++++++--
 1 file changed, 29 insertions(+), 2 deletions(-)

diff --git a/src/modules/module-protocol-pulse/server.c b/src/modules/module-protocol-pulse/server.c
index c486d2ed9..b363a66bc 100644
--- a/src/modules/module-protocol-pulse/server.c
+++ b/src/modules/module-protocol-pulse/server.c
@@ -418,7 +418,7 @@ on_connect(void *data, int fd, uint32_t mask)
 		client_access = server->client_access;
 
 	if (server->addr.ss_family == AF_UNIX) {
-		char *app_id = NULL;
+		char *app_id = NULL, *devices = NULL;
 
 #ifdef SO_PRIORITY
 		val = 6;
@@ -426,11 +426,38 @@ on_connect(void *data, int fd, uint32_t mask)
 			pw_log_warn("setsockopt(SO_PRIORITY) failed: %m");
 #endif
 		pid = get_client_pid(client, client_fd);
-		if (pid != 0 && pw_check_flatpak(pid, &app_id, NULL) == 1) {
+		if (pid != 0 && pw_check_flatpak(pid, &app_id, &devices) == 1) {
+			/*
+			 * XXX: we should really use Portal client access here
+			 *
+			 * However, session managers currently support only camera
+			 * permissions, and the XDG Portal doesn't have a "Sound Manager"
+			 * permission defined. So for now, use access=flatpak, and determine
+			 * extra permissions here.
+			 *
+			 * The application has access to the Pulseaudio socket,
+			 * and with real PA it would always then have full sound access.
+			 * We'll restrict the full access here behind devices=all;
+			 * if the application can access all devices it can then
+			 * also sound and camera devices directly, so granting also the
+			 * Manager permissions here is reasonable.
+			 *
+			 * The "Manager" permission in any case is also currently not safe
+			 * as the session manager does not check any permission store
+			 * for it.
+			 */
 			client_access = "flatpak";
 			pw_properties_set(client->props, "pipewire.access.portal.app_id",
 					app_id);
+
+			if (devices && (spa_streq(devices, "all") ||
+							spa_strstartswith(devices, "all;") ||
+							strstr(devices, ";all;")))
+				pw_properties_set(client->props, PW_KEY_MEDIA_CATEGORY, "Manager");
+			else
+				pw_properties_set(client->props, PW_KEY_MEDIA_CATEGORY, NULL);
 		}
+		free(devices);
 		free(app_id);
 	}
 	else if (server->addr.ss_family == AF_INET || server->addr.ss_family == AF_INET6) {