Ophestra
2a6c8ba51b
All checks were successful
Test / Create distribution (pull_request) Successful in 28s
Test / Sandbox (pull_request) Successful in 50s
Test / Hakurei (pull_request) Successful in 1m49s
Test / Hpkg (pull_request) Successful in 2m36s
Test / Sandbox (race detector) (pull_request) Successful in 2m48s
Test / Hakurei (race detector) (pull_request) Successful in 3m36s
Test / Flake checks (pull_request) Successful in 1m33s
Test / Create distribution (push) Successful in 26s
Test / Sandbox (push) Successful in 39s
Test / Sandbox (race detector) (push) Successful in 39s
Test / Hakurei (push) Successful in 43s
Test / Hakurei (race detector) (push) Successful in 43s
Test / Hpkg (push) Successful in 40s
Test / Flake checks (push) Successful in 1m28s
This is required for securely providing access to PipeWire. This change has already been manually tested and confirmed to work correctly. This unfortunately cannot be upstreamed in its current state as libpipewire-0.3 breaks static linking. Signed-off-by: Ophestra <cat@gensokyo.uk>
72 lines
1.9 KiB
Go
72 lines
1.9 KiB
Go
package pipewire
|
|
|
|
import (
|
|
"errors"
|
|
"os"
|
|
"syscall"
|
|
|
|
"hakurei.app/container/check"
|
|
)
|
|
|
|
// SecurityContext holds resources associated with a PipeWire security context.
|
|
type SecurityContext struct {
|
|
// Pipe with its write end passed to the PipeWire security context.
|
|
closeFds [2]int
|
|
}
|
|
|
|
// Close releases any resources held by [SecurityContext], and prevents further
|
|
// connections to its associated socket.
|
|
func (sc *SecurityContext) Close() error {
|
|
if sc == nil {
|
|
return os.ErrInvalid
|
|
}
|
|
return errors.Join(
|
|
syscall.Close(sc.closeFds[1]),
|
|
syscall.Close(sc.closeFds[0]),
|
|
)
|
|
}
|
|
|
|
// New creates a new security context on the PipeWire remote at remotePath
|
|
// or auto-detected, and associates it with a new socket bound to bindPath.
|
|
//
|
|
// New does not attach a finalizer to the resulting [SecurityContext] struct.
|
|
// The caller is responsible for calling [SecurityContext.Close].
|
|
//
|
|
// A non-nil error unwraps to concrete type [Error].
|
|
func New(remotePath, bindPath *check.Absolute) (*SecurityContext, error) {
|
|
// ensure bindPath is available
|
|
if f, err := os.Create(bindPath.String()); err != nil {
|
|
return nil, &Error{RCreate, bindPath.String(), err}
|
|
} else if err = f.Close(); err != nil {
|
|
return nil, &Error{RCreate, bindPath.String(), err}
|
|
} else if err = os.Remove(bindPath.String()); err != nil {
|
|
return nil, &Error{RCreate, bindPath.String(), err}
|
|
}
|
|
|
|
// write end passed to PipeWire security context close_fd
|
|
var closeFds [2]int
|
|
if err := syscall.Pipe2(closeFds[0:], syscall.O_CLOEXEC); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// zero value causes auto-detect
|
|
var remotePathVal string
|
|
if remotePath != nil {
|
|
remotePathVal = remotePath.String()
|
|
}
|
|
|
|
// returned error is already wrapped
|
|
if err := securityContextBind(
|
|
bindPath.String(),
|
|
remotePathVal,
|
|
closeFds[1],
|
|
); err != nil {
|
|
return nil, errors.Join(err,
|
|
syscall.Close(closeFds[1]),
|
|
syscall.Close(closeFds[0]),
|
|
)
|
|
} else {
|
|
return &SecurityContext{closeFds}, nil
|
|
}
|
|
}
|