treewide: include PipeWire op and enforce PulseAudio check

This fully replaces PulseAudio with PipeWire and enforces the PulseAudio check and error message. The pipewire-pulse daemon is handled in the NixOS module.

Closes #26.

Signed-off-by: Ophestra <cat@gensokyo.uk>

cmd/hakurei/command.go

@@ -14,6 +14,7 @@ import (
 	_ "unsafe" // for go:linkname
 
 	"hakurei.app/command"
+	"hakurei.app/container"
 	"hakurei.app/container/check"
 	"hakurei.app/container/fhs"
 	"hakurei.app/hst"
@@ -149,9 +150,6 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 			if flagPipeWire || flagPulse {
 				et |= hst.EPipeWire
 			}
-			if flagPulse {
-				et |= hst.EPulse
-			}
 
 			config := &hst.Config{
 				ID:          flagID,
@@ -189,6 +187,14 @@ func buildCommand(ctx context.Context, msg message.Msg, early *earlyHardeningErr
 				}})
 			}
 
+			// start pipewire-pulse: this most likely exists on host if PipeWire is available
+			if flagPulse {
+				config.Container.Filesystem = append(config.Container.Filesystem, hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSDaemon{
+					Target: fhs.AbsRunUser.Append(strconv.Itoa(container.OverflowUid(msg)), "pulse/native"),
+					Exec:   shell, Args: []string{"-lc", "pipewire-pulse"},
+				}})
+			}
+
 			config.Container.Filesystem = append(config.Container.Filesystem,
 				// opportunistically bind kvm
 				hst.FilesystemConfigJSON{FilesystemConfig: &hst.FSBind{

cmd/hakurei/print_test.go

@@ -62,7 +62,7 @@ func TestPrintShowInstance(t *testing.T) {
 		{"nil", nil, nil, false, false, "Error: invalid configuration!\n\n", false},
 		{"config", nil, hst.Template(), false, false, `App
  Identity:       9 (org.chromium.Chromium)
- Enablements:    wayland, dbus, pipewire, pulseaudio
+ Enablements:    wayland, dbus, pipewire
  Groups:         video, dialout, plugdev
  Flags:          multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, runtime, tmpdir
  Home:           /data/data/org.chromium.Chromium
@@ -159,7 +159,7 @@ Session bus
 
 App
  Identity:       9 (org.chromium.Chromium)
- Enablements:    wayland, dbus, pipewire, pulseaudio
+ Enablements:    wayland, dbus, pipewire
  Groups:         video, dialout, plugdev
  Flags:          multiarch, compat, devel, userns, net, abstract, tty, mapuid, device, runtime, tmpdir
  Home:           /data/data/org.chromium.Chromium
@@ -215,8 +215,7 @@ App
   "enablements": {
     "wayland": true,
     "dbus": true,
-    "pipewire": true,
+    "pipewire": true
-    "pulse": true
   },
   "session_bus": {
     "see": null,
@@ -367,8 +366,7 @@ App
   "enablements": {
     "wayland": true,
     "dbus": true,
-    "pipewire": true,
+    "pipewire": true
-    "pulse": true
   },
   "session_bus": {
     "see": null,
@@ -566,8 +564,7 @@ func TestPrintPs(t *testing.T) {
     "enablements": {
       "wayland": true,
       "dbus": true,
-      "pipewire": true,
+      "pipewire": true
-      "pulse": true
     },
     "session_bus": {
       "see": null,

cmd/hpkg/build.nix

@@ -176,7 +176,6 @@ let
       x11 = allow_x11;
       dbus = allow_dbus;
       pipewire = allow_audio;
-      pulse = allow_audio;
     };
 
     mesa = if gpu then mesaWrappers else null;

cmd/hpkg/test/test.py

@@ -90,13 +90,13 @@ wait_for_window("hakurei@machine-foot")
 machine.send_chars("clear; wayland-info && touch /tmp/success-client\n")
 machine.wait_for_file("/tmp/hakurei.0/tmpdir/2/success-client")
 collect_state_ui("app_wayland")
-check_state("foot", {"wayland": True, "dbus": True, "pipewire": True, "pulse": True})
+check_state("foot", {"wayland": True, "dbus": True, "pipewire": True})
 # Verify acl on XDG_RUNTIME_DIR:
-print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 10002"))
+print(machine.succeed("getfacl --absolute-names --omit-header --numeric /tmp/hakurei.0/runtime | grep 10002"))
 machine.send_chars("exit\n")
 machine.wait_until_fails("pgrep foot")
 # Verify acl cleanup on XDG_RUNTIME_DIR:
-machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 10002")
+machine.wait_until_fails("getfacl --absolute-names --omit-header --numeric /tmp/hakurei.0/runtime | grep 10002")
 
 # Exit Sway and verify process exit status 0:
 swaymsg("exit", succeed=False)
@@ -107,4 +107,4 @@ print(machine.succeed("find /tmp/hakurei.0 "
     + "-path '/tmp/hakurei.0/runtime/*/*' -prune -o "
     + "-path '/tmp/hakurei.0/tmpdir/*/*' -prune -o "
     + "-print"))
-print(machine.succeed("find /run/user/1000/hakurei"))
+print(machine.fail("ls /run/user/1000/hakurei"))

hst/config.go

@@ -109,11 +109,9 @@ func (config *Config) Validate() error {
 		}
 	}
 
-	// EPulse without EPipeWire is insecure
+	if et := config.Enablements.Unwrap(); !config.DirectPulse && et&EPulse != 0 {
-	if et := config.Enablements.Unwrap(); !config.DirectPulse &&
-		et&EPipeWire == 0 && et&EPulse != 0 {
 		return &AppError{Step: "validate configuration", Err: ErrInsecure,
-			Msg: "enablement PulseAudio requires PipeWire, which is not set"}
+			Msg: "enablement PulseAudio is insecure and no longer supported"}
 	}
 
 	return nil

hst/config_test.go

@@ -58,7 +58,7 @@ func TestConfigValidate(t *testing.T) {
 			Shell: fhs.AbsTmp,
 			Path:  fhs.AbsTmp,
 		}}, &hst.AppError{Step: "validate configuration", Err: hst.ErrInsecure,
-			Msg: "enablement PulseAudio requires PipeWire, which is not set"}},
+			Msg: "enablement PulseAudio is insecure and no longer supported"}},
 		{"valid", &hst.Config{Container: &hst.ContainerConfig{
 			Home:  fhs.AbsTmp,
 			Shell: fhs.AbsTmp,

hst/hst.go

@@ -70,7 +70,7 @@ func Template() *Config {
 	return &Config{
 		ID: "org.chromium.Chromium",
 
-		Enablements: NewEnablements(EWayland | EDBus | EPipeWire | EPulse),
+		Enablements: NewEnablements(EWayland | EDBus | EPipeWire),
 
 		SessionBus: &BusConfig{
 			See: nil,

hst/hst_test.go

@@ -105,8 +105,7 @@ func TestTemplate(t *testing.T) {
 	"enablements": {
 		"wayland": true,
 		"dbus": true,
-		"pipewire": true,
+		"pipewire": true
-		"pulse": true
 	},
 	"session_bus": {
 		"see": null,

internal/outcome/outcome.go

@@ -295,6 +295,7 @@ func (state *outcomeStateSys) toSystem() error {
 		// optional via enablements
 		&spWaylandOp{},
 		&spX11Op{},
+		spPipeWireOp{},
 		&spPulseOp{},
 		&spDBusOp{},
 

internal/outcome/run_test.go

@@ -27,7 +27,7 @@ import (
 	"hakurei.app/message"
 )
 
-func TestOutcomeMain(t *testing.T) {
+func TestOutcomeRun(t *testing.T) {
 	t.Parallel()
 	msg := message.New(nil)
 	msg.SwapVerbose(testing.Verbose())
@@ -67,18 +67,8 @@ func TestOutcomeMain(t *testing.T) {
 				"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
 			).
 
-			// ensureRuntimeDir
+			// spPipeWireOp
-			Ensure(m("/run/user/1971"), 0700).
+			PipeWire(m("/tmp/hakurei.0/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/pipewire")).
-			UpdatePermType(system.User, m("/run/user/1971"), acl.Execute).
-			Ensure(m("/run/user/1971/hakurei"), 0700).
-			UpdatePermType(system.User, m("/run/user/1971/hakurei"), acl.Execute).
-
-			// runtime
-			Ephemeral(system.Process, m("/run/user/1971/hakurei/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), 0700).
-			UpdatePerm(m("/run/user/1971/hakurei/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"), acl.Execute).
-
-			// spPulseOp
-			Link(m("/run/user/1971/pulse/native"), m("/run/user/1971/hakurei/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/pulse")).
 
 			// spDBusOp
 			MustProxyDBus(
@@ -106,8 +96,7 @@ func TestOutcomeMain(t *testing.T) {
 				"GOOGLE_DEFAULT_CLIENT_ID=77185425430.apps.googleusercontent.com",
 				"GOOGLE_DEFAULT_CLIENT_SECRET=OTJgUOQcT7lO7GsGZq2G4IlT",
 				"HOME=/data/data/org.chromium.Chromium",
-				"PULSE_COOKIE=/.hakurei/pulse-cookie",
+				"PIPEWIRE_REMOTE=/run/user/1971/pipewire-0",
-				"PULSE_SERVER=unix:/run/user/1971/pulse/native",
 				"SHELL=/run/current-system/sw/bin/zsh",
 				"TERM=xterm-256color",
 				"USER=chronos",
@@ -157,9 +146,8 @@ func TestOutcomeMain(t *testing.T) {
 				// spWaylandOp
 				Bind(m("/tmp/hakurei.0/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/wayland"), m("/run/user/1971/wayland-0"), 0).
 
-				// spPulseOp
+				// spPipeWireOp
-				Bind(m("/run/user/1971/hakurei/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/pulse"), m("/run/user/1971/pulse/native"), 0).
+				Bind(m("/tmp/hakurei.0/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/pipewire"), m("/run/user/1971/pipewire-0"), 0).
-				Place(m("/.hakurei/pulse-cookie"), bytes.Repeat([]byte{0}, pulseCookieSizeMax)).
 
 				// spDBusOp
 				Bind(m("/tmp/hakurei.0/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/bus"), m("/run/user/1971/bus"), 0).
@@ -298,7 +286,7 @@ func TestOutcomeMain(t *testing.T) {
 				},
 				Filter: true,
 			},
-			Enablements: hst.NewEnablements(hst.EWayland | hst.EDBus | hst.EPulse),
+			Enablements: hst.NewEnablements(hst.EWayland | hst.EDBus | hst.EPipeWire | hst.EPulse),
 
 			Container: &hst.ContainerConfig{
 				Filesystem: []hst.FilesystemConfigJSON{
@@ -347,10 +335,7 @@ func TestOutcomeMain(t *testing.T) {
 			Ensure(m("/tmp/hakurei.0/tmpdir/9"), 01700).UpdatePermType(system.User, m("/tmp/hakurei.0/tmpdir/9"), acl.Read, acl.Write, acl.Execute).
 			Ephemeral(system.Process, m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c"), 0711).
 			Wayland(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/1971/wayland-0"), "org.chromium.Chromium", "ebf083d1b175911782d413369b64ce7c").
-			Ensure(m("/run/user/1971"), 0700).UpdatePermType(system.User, m("/run/user/1971"), acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
+			PipeWire(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/pipewire")).
-			Ensure(m("/run/user/1971/hakurei"), 0700).UpdatePermType(system.User, m("/run/user/1971/hakurei"), acl.Execute).
-			Ephemeral(system.Process, m("/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c"), 0700).UpdatePermType(system.Process, m("/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c"), acl.Execute).
-			Link(m("/run/user/1971/pulse/native"), m("/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c/pulse")).
 			MustProxyDBus(&hst.BusConfig{
 				Talk: []string{
 					"org.freedesktop.Notifications",
@@ -397,8 +382,7 @@ func TestOutcomeMain(t *testing.T) {
 				"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/65534/bus",
 				"DBUS_SYSTEM_BUS_ADDRESS=unix:path=/var/run/dbus/system_bus_socket",
 				"HOME=/home/chronos",
-				"PULSE_COOKIE=" + hst.PrivateTmp + "/pulse-cookie",
+				"PIPEWIRE_REMOTE=/run/user/65534/pipewire-0",
-				"PULSE_SERVER=unix:/run/user/65534/pulse/native",
 				"SHELL=/run/current-system/sw/bin/zsh",
 				"TERM=xterm-256color",
 				"USER=chronos",
@@ -419,8 +403,7 @@ func TestOutcomeMain(t *testing.T) {
 				Place(m("/etc/passwd"), []byte("chronos:x:65534:65534:Hakurei:/home/chronos:/run/current-system/sw/bin/zsh\n")).
 				Place(m("/etc/group"), []byte("hakurei:x:65534:\n")).
 				Bind(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/wayland"), m("/run/user/65534/wayland-0"), 0).
-				Bind(m("/run/user/1971/hakurei/ebf083d1b175911782d413369b64ce7c/pulse"), m("/run/user/65534/pulse/native"), 0).
+				Bind(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/pipewire"), m("/run/user/65534/pipewire-0"), 0).
-				Place(m(hst.PrivateTmp+"/pulse-cookie"), bytes.Repeat([]byte{0}, pulseCookieSizeMax)).
 				Bind(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/bus"), m("/run/user/65534/bus"), 0).
 				Bind(m("/tmp/hakurei.0/ebf083d1b175911782d413369b64ce7c/system_bus_socket"), m("/var/run/dbus/system_bus_socket"), 0).
 				Bind(m("/dev/dri"), m("/dev/dri"), std.BindWritable|std.BindDevice|std.BindOptional).
@@ -440,7 +423,7 @@ func TestOutcomeMain(t *testing.T) {
 
 		{"nixos chromium direct wayland", new(stubNixOS), &hst.Config{
 			ID:          "org.chromium.Chromium",
-			Enablements: hst.NewEnablements(hst.EWayland | hst.EDBus | hst.EPulse),
+			Enablements: hst.NewEnablements(hst.EWayland | hst.EDBus | hst.EPipeWire | hst.EPulse),
 			Container: &hst.ContainerConfig{
 				Env: nil,
 				Filesystem: []hst.FilesystemConfigJSON{
@@ -502,9 +485,8 @@ func TestOutcomeMain(t *testing.T) {
 			Ensure(m("/run/user/1971"), 0700).UpdatePermType(system.User, m("/run/user/1971"), acl.Execute). // this is ordered as is because the previous Ensure only calls mkdir if XDG_RUNTIME_DIR is unset
 			Ensure(m("/run/user/1971/hakurei"), 0700).UpdatePermType(system.User, m("/run/user/1971/hakurei"), acl.Execute).
 			UpdatePermType(hst.EWayland, m("/run/user/1971/wayland-0"), acl.Read, acl.Write, acl.Execute).
-			Ephemeral(system.Process, m("/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1"), 0700).UpdatePermType(system.Process, m("/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1"), acl.Execute).
-			Link(m("/run/user/1971/pulse/native"), m("/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1/pulse")).
 			Ephemeral(system.Process, m("/tmp/hakurei.0/8e2c76b066dabe574cf073bdb46eb5c1"), 0711).
+			PipeWire(m("/tmp/hakurei.0/8e2c76b066dabe574cf073bdb46eb5c1/pipewire")).
 			MustProxyDBus(&hst.BusConfig{
 				Talk: []string{
 					"org.freedesktop.FileManager1", "org.freedesktop.Notifications",
@@ -544,8 +526,7 @@ func TestOutcomeMain(t *testing.T) {
 				"DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1971/bus",
 				"DBUS_SYSTEM_BUS_ADDRESS=unix:path=/var/run/dbus/system_bus_socket",
 				"HOME=/var/lib/persist/module/hakurei/0/1",
-				"PULSE_COOKIE=" + hst.PrivateTmp + "/pulse-cookie",
+				"PIPEWIRE_REMOTE=/run/user/1971/pipewire-0",
-				"PULSE_SERVER=unix:/run/user/1971/pulse/native",
 				"SHELL=/run/current-system/sw/bin/zsh",
 				"TERM=xterm-256color",
 				"USER=u0_a1",
@@ -565,8 +546,7 @@ func TestOutcomeMain(t *testing.T) {
 				Place(m("/etc/passwd"), []byte("u0_a1:x:1971:100:Hakurei:/var/lib/persist/module/hakurei/0/1:/run/current-system/sw/bin/zsh\n")).
 				Place(m("/etc/group"), []byte("hakurei:x:100:\n")).
 				Bind(m("/run/user/1971/wayland-0"), m("/run/user/1971/wayland-0"), 0).
-				Bind(m("/run/user/1971/hakurei/8e2c76b066dabe574cf073bdb46eb5c1/pulse"), m("/run/user/1971/pulse/native"), 0).
+				Bind(m("/tmp/hakurei.0/8e2c76b066dabe574cf073bdb46eb5c1/pipewire"), m("/run/user/1971/pipewire-0"), 0).
-				Place(m(hst.PrivateTmp+"/pulse-cookie"), bytes.Repeat([]byte{0}, pulseCookieSizeMax)).
 				Bind(m("/tmp/hakurei.0/8e2c76b066dabe574cf073bdb46eb5c1/bus"), m("/run/user/1971/bus"), 0).
 				Bind(m("/tmp/hakurei.0/8e2c76b066dabe574cf073bdb46eb5c1/system_bus_socket"), m("/var/run/dbus/system_bus_socket"), 0).
 				Bind(m("/bin"), m("/bin"), 0).

internal/outcome/sppulse.go

@@ -29,7 +29,7 @@ type spPulseOp struct {
 }
 
 func (s *spPulseOp) toSystem(state *outcomeStateSys) error {
-	if state.et&hst.EPulse == 0 {
+	if !state.directPulse || state.et&hst.EPulse == 0 {
 		return errNotEnabled
 	}
 

internal/outcome/sppulse_test.go

@@ -18,24 +18,40 @@ import (
 func TestSpPulseOp(t *testing.T) {
 	t.Parallel()
 
-	config := hst.Template()
+	newConfig := func() *hst.Config {
+		config := hst.Template()
+		config.DirectPulse = true
+		config.Enablements = hst.NewEnablements(hst.EPulse)
+		return config
+	}
+
+	config := newConfig()
 	sampleCookie := bytes.Repeat([]byte{0xfc}, pulseCookieSizeMax)
 
 	checkOpBehaviour(t, []opBehaviourTestCase{
 		{"not enabled", func(bool, bool) outcomeOp {
 			return new(spPulseOp)
 		}, func() *hst.Config {
-			c := hst.Template()
+			c := newConfig()
+			c.DirectPulse = true
 			*c.Enablements = 0
 			return c
 		}, nil, nil, nil, nil, errNotEnabled, nil, nil, nil, nil, nil},
 
+		{"not enabled direct", func(bool, bool) outcomeOp {
+			return new(spPulseOp)
+		}, func() *hst.Config {
+			c := newConfig()
+			c.DirectPulse = false
+			return c
+		}, nil, nil, nil, nil, errNotEnabled, nil, nil, nil, nil, nil},
+
 		{"socketDir stat", func(isShim, _ bool) outcomeOp {
 			if !isShim {
 				return new(spPulseOp)
 			}
 			return &spPulseOp{Cookie: (*[256]byte)(sampleCookie)}
-		}, hst.Template, nil, []stub.Call{
+		}, newConfig, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), stub.UniqueError(2)),
 		}, nil, nil, &hst.AppError{
 			Step: `access PulseAudio directory "/proc/nonexistent/xdg_runtime_dir/pulse"`,
@@ -44,7 +60,7 @@ func TestSpPulseOp(t *testing.T) {
 
 		{"socketDir nonexistent", func(bool, bool) outcomeOp {
 			return new(spPulseOp)
-		}, hst.Template, nil, []stub.Call{
+		}, newConfig, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), os.ErrNotExist),
 		}, nil, nil, &hst.AppError{
 			Step: "finalise",
@@ -54,7 +70,7 @@ func TestSpPulseOp(t *testing.T) {
 
 		{"socket stat", func(bool, bool) outcomeOp {
 			return new(spPulseOp)
-		}, hst.Template, nil, []stub.Call{
+		}, newConfig, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), nil),
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse/native"}, (*stubFi)(nil), stub.UniqueError(1)),
 		}, nil, nil, &hst.AppError{
@@ -64,7 +80,7 @@ func TestSpPulseOp(t *testing.T) {
 
 		{"socket nonexistent", func(bool, bool) outcomeOp {
 			return new(spPulseOp)
-		}, hst.Template, nil, []stub.Call{
+		}, newConfig, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), nil),
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse/native"}, (*stubFi)(nil), os.ErrNotExist),
 		}, nil, nil, &hst.AppError{
@@ -75,7 +91,7 @@ func TestSpPulseOp(t *testing.T) {
 
 		{"socket mode", func(bool, bool) outcomeOp {
 			return new(spPulseOp)
-		}, hst.Template, nil, []stub.Call{
+		}, newConfig, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), nil),
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse/native"}, &stubFi{mode: 0660}, nil),
 		}, nil, nil, &hst.AppError{
@@ -86,7 +102,7 @@ func TestSpPulseOp(t *testing.T) {
 
 		{"cookie notAbs", func(bool, bool) outcomeOp {
 			return new(spPulseOp)
-		}, hst.Template, nil, []stub.Call{
+		}, newConfig, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), nil),
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse/native"}, &stubFi{mode: 0666}, nil),
 			call("lookupEnv", stub.ExpectArgs{"PULSE_COOKIE"}, "proc/nonexistent/cookie", nil),
@@ -97,7 +113,7 @@ func TestSpPulseOp(t *testing.T) {
 
 		{"cookie loadFile", func(bool, bool) outcomeOp {
 			return new(spPulseOp)
-		}, hst.Template, nil, []stub.Call{
+		}, newConfig, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), nil),
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse/native"}, &stubFi{mode: 0666}, nil),
 			call("lookupEnv", stub.ExpectArgs{"PULSE_COOKIE"}, "/proc/nonexistent/cookie", nil),
@@ -118,7 +134,7 @@ func TestSpPulseOp(t *testing.T) {
 				op.CookieSize += +0xfd
 			}
 			return op
-		}, hst.Template, nil, []stub.Call{
+		}, newConfig, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), nil),
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse/native"}, &stubFi{mode: 0666}, nil),
 			call("lookupEnv", stub.ExpectArgs{"PULSE_COOKIE"}, "/proc/nonexistent/cookie", nil),
@@ -150,7 +166,7 @@ func TestSpPulseOp(t *testing.T) {
 			sampleCookieTrunc := make([]byte, pulseCookieSizeMax)
 			copy(sampleCookieTrunc, sampleCookie[:len(sampleCookie)-0xe])
 			return &spPulseOp{Cookie: (*[pulseCookieSizeMax]byte)(sampleCookieTrunc), CookieSize: pulseCookieSizeMax - 0xe}
-		}, hst.Template, nil, []stub.Call{
+		}, newConfig, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), nil),
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse/native"}, &stubFi{mode: 0666}, nil),
 			call("lookupEnv", stub.ExpectArgs{"PULSE_COOKIE"}, "/proc/nonexistent/cookie", nil),
@@ -183,7 +199,7 @@ func TestSpPulseOp(t *testing.T) {
 				return new(spPulseOp)
 			}
 			return &spPulseOp{Cookie: (*[pulseCookieSizeMax]byte)(sampleCookie), CookieSize: pulseCookieSizeMax}
-		}, hst.Template, nil, []stub.Call{
+		}, newConfig, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), nil),
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse/native"}, &stubFi{mode: 0666}, nil),
 			call("lookupEnv", stub.ExpectArgs{"PULSE_COOKIE"}, "/proc/nonexistent/cookie", nil),
@@ -213,7 +229,7 @@ func TestSpPulseOp(t *testing.T) {
 
 		{"success", func(bool, bool) outcomeOp {
 			return new(spPulseOp)
-		}, hst.Template, nil, []stub.Call{
+		}, newConfig, nil, []stub.Call{
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse"}, (*stubFi)(nil), nil),
 			call("stat", stub.ExpectArgs{wantRuntimePath + "/pulse/native"}, &stubFi{mode: 0666}, nil),
 			call("lookupEnv", stub.ExpectArgs{"PULSE_COOKIE"}, nil, nil),

internal/store/data_test.go

@@ -47,9 +47,9 @@ func TestEntryData(t *testing.T) {
 
 		{"inconsistent enablement", "\x00\xff\xca\xfe\x00\x00\xff\x00" + templateStateGob, NewTemplateState(), &hst.AppError{
 			Step: "validate state enablement", Err: os.ErrInvalid,
-			Msg: "state entry aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa has unexpected enablement byte 0x1d, 0xff"}},
+			Msg: "state entry aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa has unexpected enablement byte 0xd, 0xff"}},
 
-		{"template", "\x00\xff\xca\xfe\x00\x00\x1d\xe2" + templateStateGob, NewTemplateState(), nil},
+		{"template", "\x00\xff\xca\xfe\x00\x00\x0d\xf2" + templateStateGob, NewTemplateState(), nil},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {

nixos.nix

@@ -196,6 +196,15 @@ in
                             }
                           ]
                         )
+                        ++ optional (app.enablements.pipewire && app.pulse) {
+                          type = "daemon";
+                          dst = if app.mapRealUid then "/run/user/${toString config.users.users.${username}.uid}/pulse/native" else "/run/user/65534/pulse/native";
+                          path = cfg.shell;
+                          args = [
+                            "-lc"
+                            "pipewire-pulse"
+                          ];
+                        }
                         ++ [
                           {
                             type = "bind";

options.nix

@@ -245,14 +245,14 @@ in
                     Whether to share the PipeWire server via SecurityContext.
                   '';
                 };
+              };
 
-                pulse = mkOption {
+              pulse = mkOption {
-                  type = nullOr bool;
+                type = nullOr bool;
-                  default = true;
+                default = true;
-                  description = ''
+                description = ''
-                    Whether to run the PulseAudio compatibility daemon.
+                  Whether to run the PulseAudio compatibility daemon.
-                  '';
+                '';
-                };
               };
 
               share = mkOption {

test/configuration.nix

@@ -134,7 +134,6 @@
         enablements = {
           wayland = false;
           pipewire = false;
-          pulse = false;
         };
       };
 
@@ -154,7 +153,6 @@
         enablements = {
           dbus = false;
           pipewire = false;
-          pulse = false;
         };
       };
 
@@ -170,7 +168,6 @@
         enablements = {
           dbus = false;
           pipewire = false;
-          pulse = false;
         };
       };
 
@@ -203,7 +200,6 @@
           x11 = true;
           dbus = false;
           pipewire = false;
-          pulse = false;
         };
       };
 
@@ -223,7 +219,6 @@
         enablements = {
           dbus = false;
           pipewire = false;
-          pulse = false;
         };
       };
 
@@ -238,7 +233,6 @@
           x11 = false;
           dbus = false;
           pipewire = false;
-          pulse = false;
         };
       };
     };

test/interactive/hakurei.nix

@@ -15,7 +15,7 @@
         command = "foot";
         enablements = {
           dbus = false;
-          pulse = false;
+          pipewire = false;
         };
       };
     };

test/test.py

@@ -160,17 +160,17 @@ machine.succeed("pkill -9 mako")
 # Check revert type selection:
 hakurei("-v run --wayland -X --dbus --pulse -u p0 foot && touch /tmp/p0-exit-ok")
 wait_for_window("p0@machine")
-print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 10000"))
+print(machine.succeed("getfacl --absolute-names --omit-header --numeric /tmp/hakurei.0/runtime | grep 10000"))
 hakurei("-v run --wayland -X --dbus --pulse -u p1 foot && touch /tmp/p1-exit-ok")
 wait_for_window("p1@machine")
-print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 10000"))
+print(machine.succeed("getfacl --absolute-names --omit-header --numeric /tmp/hakurei.0/runtime | grep 10000"))
 machine.send_chars("exit\n")
 machine.wait_for_file("/tmp/p1-exit-ok", timeout=15)
 # Verify acl is kept alive:
-print(machine.succeed("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 10000"))
+print(machine.succeed("getfacl --absolute-names --omit-header --numeric /tmp/hakurei.0/runtime | grep 10000"))
 machine.send_chars("exit\n")
 machine.wait_for_file("/tmp/p0-exit-ok", timeout=15)
-machine.fail("getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep 10000")
+machine.fail("getfacl --absolute-names --omit-header --numeric /tmp/hakurei.0/runtime | grep 10000")
 
 # Check invalid identifier fd behaviour:
 machine.fail('echo \'{"container":{"shell":"/proc/nonexistent","home":"/proc/nonexistent","path":"/proc/nonexistent"}}\' | sudo -u alice -i hakurei -v app --identifier-fd 32767 - 2>&1 | tee > /tmp/invalid-identifier-fd')
@@ -219,15 +219,21 @@ machine.send_chars("exit\n")
 machine.wait_until_fails("pgrep foot", timeout=5)
 machine.fail(f"getfacl --absolute-names --omit-header --numeric /run/user/1000 | grep {hakurei_identity(0) + 10000}", timeout=5)
 
-# Test PulseAudio (hakurei does not support PipeWire yet):
+# Test pipewire-pulse:
 swaymsg("exec pa-foot")
 wait_for_window(f"u0_a{hakurei_identity(1)}@machine")
 machine.send_chars("clear; pactl info && touch /var/tmp/pulse-ok\n")
 machine.wait_for_file("/var/tmp/pulse-ok", timeout=15)
 collect_state_ui("pulse_wayland")
-check_state("pa-foot", {"wayland": True, "pipewire": True, "pulse": True})
+check_state("pa-foot", {"wayland": True, "pipewire": True})
+# Test PipeWire:
+machine.send_chars("clear; pw-cli i 0 && touch /var/tmp/pw-ok\n")
+machine.wait_for_file("/var/tmp/pw-ok", timeout=15)
+collect_state_ui("pipewire_wayland")
 machine.send_chars("exit\n")
 machine.wait_until_fails("pgrep foot", timeout=5)
+# Test PipeWire SecurityContext:
+machine.fail("sudo -u alice -i XDG_RUNTIME_DIR=/run/user/1000 hakurei -v run --pulse pactl set-sink-mute @DEFAULT_SINK@ toggle")
 
 # Test XWayland (foot does not support X):
 swaymsg("exec x11-alacritty")