wireplumber: add SELinux policy module #1138
0ebc4bc to e2590da
WavyEbuilder
left a comment
This should also probably be $1_wireplumber_t for the user instances. We also seem to be missing domain transitions and rbac allows for the user, staff, and sysadm roles. How was this patch tested? I'm also a bit concerned that this won't work as expected, especially given that a huge amount of domain transitions seem to be missing.
Having a derived domain typically depends on some specific need we can't specify otherwise, most commonly transitions out of the derived domain to another derived domain or back to the user domain. For example:
user_t -> user_foo_t -> user_t
user_t -> user_foo_t -> user_bar_t
Absent these types of issues, UBAC separations are typically sufficient.
Add a new SELinux policy module for the PipeWire multimedia daemon
(pipewire.te, pipewire.fc, pipewire.if).
The policy supports both user-service and system-service modes via a
compile-time ifdef(`pipewire_system_service') switch, following the
init_systemd pattern used in docker.te. tunable_policy() cannot be used
here because init_daemon_domain expands to type declarations which must
be resolved at compile time.
Types defined:
- pipewire_t / pipewire_exec_t : main domain and entrypoint
- pipewire_runtime_t : runtime sockets under /run/pipewire or XDG_RUNTIME_DIR
- pipewire_tmpfs_t : tmpfs-backed shared memory for zero-copy buffers
- pipewire_home_t (alias pipewire_var_lib_t) : user config and persistent state
- pipewire_roles : role attribute for user-service mode
File contexts labeled:
- /usr/bin/pipewire, /usr/bin/pw-cat -> pipewire_exec_t
- /run/pipewire(/.*)? -> pipewire_runtime_t
- /run/user/%{USERID}/pipewire(/.*)? -> pipewire_runtime_t
- HOME_DIR/.config/pipewire(/.*)? -> pipewire_home_t
- HOME_DIR/.local/share/pipewire(/.*)? -> pipewire_home_t
- /var/lib/pipewire(/.*)? -> pipewire_var_lib_t
Interfaces added (pipewire.if):
- pipewire_stream_connect(): connect to the daemon socket
- pipewire_use_fds(): use file descriptors passed from PipeWire
- pipewire_rw_tmpfs_files(): read/write/mmap zero-copy shared memory
Policy coverage:
- User-service mode (default): userdom_user_application_domain
- System-service mode: init_daemon_domain, dev_rw_dma_dev, filetrans rules for /var/lib/pipewire and /run/pipewire
- ALSA sound device access via dev_read_sound / dev_write_sound
- mmap of /usr/share/pipewire/*.conf via files_map_usr_files
- self:unix_stream_socket connectto for pipewire-pulse to connect to the main daemon socket at /run/pipewire/pipewire-0
- sysfs and procfs read access for hardware discovery
- tmpfs shared memory via dedicated pipewire_tmpfs_t type
- /tmp file read access for pw-play playback use case
- Inherited stream socket r/w from init scripts (e.g. ADB shell)
- System logging via syslog and systemd journal
- D-Bus session and system bus access via optional_policy
- RTKit real-time scheduling via optional_policy
- PulseAudio socket connection via optional_policy
- Suppressed /proc scan denials via domain_dontaudit_read_all_domains_state
Signed-off-by: Chiluka Rohith <rchiluka@qti.qualcomm.com>
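As an added illustration of the design the commit message describes (this is not the PR's own pipewire.te/pipewire.if, which the page does not reproduce), the compile-time ifdef(`pipewire_system_service') switch around the domain declarations and the pipewire_stream_connect() interface. Macro names are refpolicy's; the exact rule selection is assumed from the bullet list above.

```m4
# pipewire.te (illustrative, assumed layout)
policy_module(pipewire, 1.0.0)

type pipewire_t;
type pipewire_exec_t;

type pipewire_runtime_t;
files_runtime_file(pipewire_runtime_t)

type pipewire_tmpfs_t;
files_tmpfs_file(pipewire_tmpfs_t)

# init_daemon_domain() and userdom_user_application_domain() expand to
# type/role declarations, which must exist at compile time, so the mode
# is chosen with an m4 ifdef; a tunable_policy() boolean cannot wrap them.
ifdef(`pipewire_system_service',`
	init_daemon_domain(pipewire_t, pipewire_exec_t)
	files_runtime_filetrans(pipewire_t, pipewire_runtime_t, dir)
',`
	attribute_role pipewire_roles;
	userdom_user_application_domain(pipewire_t, pipewire_exec_t)
	role pipewire_roles types pipewire_t;
')

# Sockets under /run/pipewire or $XDG_RUNTIME_DIR/pipewire
manage_dirs_pattern(pipewire_t, pipewire_runtime_t, pipewire_runtime_t)
manage_sock_files_pattern(pipewire_t, pipewire_runtime_t, pipewire_runtime_t)

# Zero-copy buffers: memfd/tmpfs files the daemon creates and maps
fs_tmpfs_filetrans(pipewire_t, pipewire_tmpfs_t, file)
manage_files_pattern(pipewire_t, pipewire_tmpfs_t, pipewire_tmpfs_t)
allow pipewire_t pipewire_tmpfs_t:file map;

dev_read_sound(pipewire_t)
dev_write_sound(pipewire_t)
files_map_usr_files(pipewire_t)

# pipewire.if
## <summary>Connect to the PipeWire daemon socket.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
interface(`pipewire_stream_connect',`
	gen_require(`
		type pipewire_t, pipewire_runtime_t;
	')

	files_search_runtime($1)
	stream_connect_pattern($1, pipewire_runtime_t, pipewire_runtime_t, pipewire_t)
')
```

Because the switch is an m4 ifdef, the mode is fixed when the module is built; switching modes on a running system means rebuilding and reloading the module rather than toggling a boolean.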
WirePlumber is the session manager for the PipeWire multimedia framework. On standard Linux desktops it runs as a user service (systemd --user). On embedded/headless platforms such as Qualcomm QLI 2.0 it runs as a system-wide service (User=pipewire under system systemd).

Without a dedicated policy WirePlumber falls back to the generic initrc_t domain. In initrc_t, SELinux blocks D-Bus method replies from modemmanager_t and bluetooth_t which are required for telephony and Bluetooth audio routing. The blocked replies cause WirePlumber to crash with SIGSEGV every ~25 seconds resulting in wpctl set-default and pw-play --target failures.

The policy uses a compile-time ifdef(`wireplumber_system_service') switch following the same pattern as pipewire.te to select between system-service and user-service mode at m4 build time.

The policy module is placed in apps/ consistent with pipewire.

The policy confines the wireplumber_t domain with:
- Domain transition via wireplumber_exec_t
- PipeWire socket communication via pipewire_stream_connect(), pipewire_use_fds() and pipewire_rw_tmpfs_files() for zero-copy memfd buffer sharing (depends on pipewire policy PR SELinuxProject#1109)
- Runtime directory management (system: /run/wireplumber, user: XDG_RUNTIME_DIR/wireplumber)
- tmpfs/memfd shared memory for zero-copy audio buffers
- Config file mmap via files_map_usr_files()
- D-Bus system bus; dbus_system_domain when system service
- D-Bus communication with ModemManager, BlueZ and oFono
- udev runtime access for device monitoring including netlink_kobject_uevent_socket and xattr filesystem getattr
- systemd sessions and logind session directory watch
- /etc/machine-id, procfs, sysfs
- /dev/snd inotify watch for device monitoring
- Bluetooth socket with listen permission for BlueZ audio routing
- RTKit realtime scheduling support
- systemd journal logging

Also adds ofono_dbus_chat() interface to ofono.if to allow bidirectional D-Bus communication between a domain and oFono.

Also adds wireplumber_role() interface to wireplumber.if to wire up role access for user-service mode, following the same pattern as pipewire_role() in pipewire.if.

Also extends pipewire.fc to label /usr/bin/wpctl as pipewire_exec_t so that wpctl transitions into pipewire_t and operates without AVC denials.

Note: This patch depends on the pipewire policy (PR SELinuxProject#1109). Please merge PR SELinuxProject#1109 before this patch, as wireplumber.te uses pipewire_stream_connect(), pipewire_use_fds() and pipewire_rw_tmpfs_files() defined in pipewire.if.

Signed-off-by: Tejas Vijay Kanfade <tkanfade@qti.qualcomm.com>
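The bidirectional D-Bus chat that the commit message says was missing in initrc_t, as an added example rather than the PR's own ofono.if/wireplumber.te: an ofono_dbus_chat() interface in refpolicy's *_dbus_chat() form, and a wireplumber.te consumer that pairs it with the pipewire.if interfaces from PR #1109. modemmanager_dbus_chat() and bluetooth_dbus_chat() are existing refpolicy interfaces; the rule set beyond the bullets above is assumed.

```m4
# ofono.if: the *_dbus_chat() convention grants send_msg in both
# directions, so method replies from ofono_t are not denied.
## <summary>Send and receive D-Bus messages to and from oFono.</summary>
## <param name="domain"><summary>Domain allowed access.</summary></param>
interface(`ofono_dbus_chat',`
	gen_require(`
		type ofono_t;
		class dbus send_msg;
	')

	allow $1 ofono_t:dbus send_msg;
	allow ofono_t $1:dbus send_msg;
')

# wireplumber.te (illustrative, assumed layout)
policy_module(wireplumber, 1.0.0)

type wireplumber_t;
type wireplumber_exec_t;

# Same compile-time mode switch as pipewire.te
ifdef(`wireplumber_system_service',`
	init_daemon_domain(wireplumber_t, wireplumber_exec_t)
',`
	attribute_role wireplumber_roles;
	userdom_user_application_domain(wireplumber_t, wireplumber_exec_t)
	role wireplumber_roles types wireplumber_t;
')

# Talk to the PipeWire daemon (interfaces from pipewire.if, PR #1109)
pipewire_stream_connect(wireplumber_t)
pipewire_use_fds(wireplumber_t)
pipewire_rw_tmpfs_files(wireplumber_t)

optional_policy(`
	dbus_system_bus_client(wireplumber_t)
	ifdef(`wireplumber_system_service',`
		dbus_system_domain(wireplumber_t, wireplumber_exec_t)
	')
	# Each peer is wrapped separately so the module still builds
	# when that peer's policy module is not installed.
	optional_policy(`
		bluetooth_dbus_chat(wireplumber_t)
	')
	optional_policy(`
		modemmanager_dbus_chat(wireplumber_t)
	')
	optional_policy(`
		ofono_dbus_chat(wireplumber_t)
	')
')
```

A one-way `allow wireplumber_t ofono_t:dbus send_msg` would let the call go out but still leave the reply denied, which is the failure mode the commit message attributes to initrc_t.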
e2590da to 569ab34
WirePlumber is the session manager for the PipeWire multimedia framework. On standard Linux desktops it runs as a user service (systemd --user). On embedded/headless platforms such as Qualcomm QLI 2.0 it runs as a system-wide service (User=pipewire under system systemd).
Without a dedicated policy WirePlumber falls back to the generic initrc_t domain. In initrc_t, SELinux blocks D-Bus method replies from modemmanager_t and bluetooth_t which are required for telephony and Bluetooth audio routing. The blocked replies cause WirePlumber to crash with SIGSEGV every ~25 seconds resulting in wpctl set-default and pw-play --target failures.
The policy uses a compile-time ifdef(`wireplumber_system_service') switch following the same pattern as pipewire.te to select between system-service and user-service mode at m4 build time.
The policy module is placed in apps/ consistent with pipewire.
The policy confines the wireplumber_t domain with:
Also adds ofono_dbus_chat() interface to ofono.if to allow bidirectional D-Bus communication between a domain and oFono.
Note: This patch depends on the pipewire policy (PR #1109). Please merge PR #1109 before this patch, as wireplumber.te uses pipewire_stream_connect() defined in pipewire.if.