mirrors/pipewire
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/pipewire/pipewire.git synced 2026-05-09 23:50:15 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

pulse-server: block arbitrary filter-graphs

Browse source 
Add a special 'blocked' spa-libs value that returns EPERM when trying to
load the factory.

Only allow loading the LADSPA filter.graph nodes for the LADSPA sink and
source. The most problematic part is the pipe filter, that allows it to
spawn arbirary programs as part of the filter.graph.

You can add a filter-graph to any stream with stream_props.
This commit is contained in:
Wim Taymans 2026-05-07 14:08:30 +02:00
parent e3f75314be
commit a4e2856d06
3 changed files with 11 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

6
src/daemon/pipewire-pulse.conf.in
View file

@ -22,6 +22,12 @@ context.properties = {
context.spa-libs = {
audio.convert.* = audioconvert/libspa-audioconvert
support.* = support/libspa-support
# because the pulse server allows dynamic loading of streams and modules
# inside the server, we must be careful with the filter-graph. Only allow
# LADSPA filters.
filter.graph.plugin.ladspa = filter-graph/libspa-filter-graph-plugin-ladspa
filter.graph.plugin.* = blocked
filter.graph = filter-graph/libspa-filter-graph
}
context.modules = [