SNAP containers have two main "audio" security rules:
* audio-playback: the applications inside the container can
send audio samples into a sink
* audio-record: the applications inside the container can
get audio samples from a source
Also, old SNAP containers had the "pulseaudio" rule, which just
exposed the pulseaudio socket directly, without limits. This
is similar to the current Flatpak audio permissions.
In the pulseaudio days, a specific pulseaudio module was used
that checked the permissions given to the application and
allowed or forbade access to the pulseaudio operations.
With the change to pipewire, this functionality must be
implemented in pipewire-pulse to guarantee the sandbox
security.
This patch adds support for sandboxing permissions in the
pulseaudio module, and implements support for the SNAP audio
security model, thus forbiding a SNAP application to record
audio unless it has permissions to do so.
The current code for pipewire-pulseaudio checks the permissions
of the snap and adds three properties to each new client:
* pipewire.snap.id: contains the Snap ID of the client.
* pipewire.snap.audio.playback: its value is 'true' if the client
has permission to play audio, or 'false' if not.
* pipewire.snap.audio.record: its value is 'true' if the client
has permission to record audio, or 'false' if not.
These properties must be processed by wireplumber to add or
remove access permissions to the corresponding nodes. That
code is available in a separate patch: https://gitlab.freedesktop.org/pipewire/wireplumber/-/merge_requests/567
Handle extend == 0 and don't expand the array but return -ENOSPC.
This makes it possible to handle static arrays, make a function to
make this easier. Remove pw_array_add_fixed() now that we support
this with extend==0 and because it was not used.
Round up the required space to next extend so that the total allocated
size if always a multiple of the extend.
Make pw_array_add_ptr() check for allocation errors instead of crashing.
Try to use `media.name` as the display name for a node
when none of the other keys are found in its properties.
For example, `pw_stream_new_simple()` only sets `media.name`
on the created node object by default.
Only names in the `org.freedesktop.ReserveDevice1` namespace
are interesting for the purposes of device reservation, so
use `arg0namespace` in the dbus match rule to filter out others.
Add a /core message to set the log level of the pulse-server.
An alternative would be to watch the settings metadata and follow the
server settings. This is however less flexible so the custom message
was chosen.
Add a function to check if a specfic custom log level has been defined
for a topic.
We can use this to dynamically check if we need to do the connection debug
messages.
We can also get rid of the conn.* pattern hack to disable connection
messages by default.
When there is no specific level for a topic we store the global log level
in the topic level. Make sure this invariant is preserved when the
the global log level is updated.
We can then simply update the log level after we processed the log level
string to update all topics.
This should also make it possible to just use the level from the topic
in all cases and remove a check.
Make the topic registration/unregistration threadsafe, as they can be
called from constructors of static objects which don't necessarily run
in the main loop thread.
Handle log level patterns in libpipewire instead of the SPA logger.
This allows dynamically changing the log levels also for log topics,
which we do when log.level metadata changes.
The syntax for PIPEWIRE_DEBUG and log.level in config files and metadata
is now the same.
get_device_info() requires us to call update_object_info() in the added
and updated events.
Fixes a bug where the properties were invalid in the avahi txt record.
When the session manager sends an error to the client, it typically
also destroys the node after the error, which causes the stream to go
to STATE_UNCONNECTED via proxy_removed(). In that case, make sure
we exit the loop early, otherwise it will take 30 seconds to unblock
gst_element_set_state()
This is a revised version of the fix that was commited via !1763
and then reverted, as it was problematic. Now the code ensures
that it breaks out only if the state was previously CONNECTING
or higher.
GStreamer uses a time stamp for the decoding time, but PipeWire uses an
offset to the presentation time. Thus, the pipewiresink must not use the
DTS as dts_offset, but has to calculate the offset.
If the buffer's DTS is invalid, assume that dts is pts.
That is indeed 0 for nearly any device. However the NTP value in the session identification part plays a crucial role for distinguishing between streams in some implementations, e.g. Dante.
Dante Controller does not recognize next stream having the same NTP value. Work around that by adding current number of sessions to the time and the magic value.
Co-authored-by: Dewi Seignard <dewiweb@gmail.com>
This should be done to match packet size requirements (e.g. 1 ms) while allowing user's software to run at higher buffer size to not stutter.
This will require scheduling multiple rtp_audio_flush_packets calls per one rtp_audio_process_capture call
It's better for PHC identification in multi-NIC systems. PHC numbering might be dependent on the probe order yet no bugs was observed. Still recommend this for more comfortable configuration.
Also added some guidance on what must be changed
The monitor sources also list the port of the sink and so the active
port needs to be collected as well so it doesn't fall back to the first
port (which might not be available).
