
wireplumber: add SELinux policy module#1138

Open
tkanfade wants to merge 2 commits into
SELinuxProject:mainfrom
tkanfade:wireplumber_module

Conversation

@tkanfade

WirePlumber is the session manager for the PipeWire multimedia framework. On standard Linux desktops it runs as a user service (systemd --user). On embedded/headless platforms such as Qualcomm QLI 2.0 it runs as a system-wide service (User=pipewire under system systemd).

Without a dedicated policy WirePlumber falls back to the generic initrc_t domain. In initrc_t, SELinux blocks D-Bus method replies from modemmanager_t and bluetooth_t which are required for telephony and Bluetooth audio routing. The blocked replies cause WirePlumber to crash with SIGSEGV every ~25 seconds resulting in wpctl set-default and pw-play --target failures.

The policy uses a compile-time ifdef(`wireplumber_system_service') switch following the same pattern as pipewire.te to select between system-service and user-service mode at m4 build time.

The policy module is placed in apps/ consistent with pipewire.

The policy confines the wireplumber_t domain with:

  • Domain transition via wireplumber_exec_t
  • PipeWire socket communication via pipewire_stream_connect() (depends on pipewire policy PR #1109, "pipewire: add policy for PipeWire multimedia daemon")
  • Runtime directory management (system: /run/wireplumber, user: XDG_RUNTIME_DIR/wireplumber)
  • tmpfs/memfd shared memory for zero-copy audio buffers
  • Config file mmap via files_map_usr_files()
  • D-Bus system bus; dbus_system_domain when system service
  • D-Bus communication with ModemManager, BlueZ and oFono
  • udev runtime access for device monitoring
  • systemd sessions, /etc/machine-id, procfs, sysfs
  • /dev/snd inotify watch for device monitoring
  • RTKit realtime scheduling support
  • systemd journal logging

Also adds ofono_dbus_chat() interface to ofono.if to allow bidirectional D-Bus communication between a domain and oFono.

Note: This patch depends on the pipewire policy (PR #1109). Please merge PR #1109 before this patch, as wireplumber.te uses pipewire_stream_connect() defined in pipewire.if.
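The build-time mode switch the description refers to can be sketched as a refpolicy .te skeleton. This is an added illustration, not the wireplumber.te submitted in this PR: the ifdef(`wireplumber_system_service') symbol and the pipewire_*() and ofono_dbus_chat() interfaces are the ones the PR names, bluetooth_dbus_chat(), modemmanager_dbus_chat() and rtkit_scheduled() are existing refpolicy interfaces, while the type names wireplumber_runtime_t and wireplumber_tmpfs_t and the individual allow rules are assumptions chosen for the example and will not match the submitted rules line for line.

```m4
policy_module(wireplumber)

########################################
#
# Declarations
#

# Domain and entrypoint. Which kind of domain wireplumber_t becomes is
# decided when m4 expands the sources, via the wireplumber_system_service
# symbol named in the PR description; it is not a runtime boolean.
type wireplumber_t;
type wireplumber_exec_t;

# Runtime directory: /run/wireplumber (system) or
# $XDG_RUNTIME_DIR/wireplumber (user). Type name is an assumption.
type wireplumber_runtime_t;
files_runtime_file(wireplumber_runtime_t)

# tmpfs/memfd buffers shared with PipeWire. Type name is an assumption.
type wireplumber_tmpfs_t;
files_tmpfs_file(wireplumber_tmpfs_t)

ifdef(`wireplumber_system_service',`
	# System-service mode: started by the system systemd, so it is a
	# daemon domain entered by an init_t -> wireplumber_t transition.
	init_daemon_domain(wireplumber_t, wireplumber_exec_t)
',`
	# User-service mode (default): an application domain that user
	# roles may run, entered from the user's own domain.
	attribute_role wireplumber_roles;
	roleattribute system_r wireplumber_roles;
	userdom_user_application_domain(wireplumber_t, wireplumber_exec_t)
	role wireplumber_roles types wireplumber_t;
')

########################################
#
# Policy
#

allow wireplumber_t self:process { getsched setsched signal };
allow wireplumber_t self:fifo_file rw_fifo_file_perms;
allow wireplumber_t self:unix_stream_socket create_stream_socket_perms;
# udev uevent monitoring
allow wireplumber_t self:netlink_kobject_uevent_socket create_socket_perms;

manage_dirs_pattern(wireplumber_t, wireplumber_runtime_t, wireplumber_runtime_t)
manage_files_pattern(wireplumber_t, wireplumber_runtime_t, wireplumber_runtime_t)
manage_sock_files_pattern(wireplumber_t, wireplumber_runtime_t, wireplumber_runtime_t)

manage_files_pattern(wireplumber_t, wireplumber_tmpfs_t, wireplumber_tmpfs_t)
allow wireplumber_t wireplumber_tmpfs_t:file map;
fs_tmpfs_filetrans(wireplumber_t, wireplumber_tmpfs_t, file)

# configuration under /usr/share is mmap'ed, not only read
files_map_usr_files(wireplumber_t)

dev_read_sysfs(wireplumber_t)
dev_read_sound(wireplumber_t)
dev_write_sound(wireplumber_t)

fs_getattr_xattr_fs(wireplumber_t)
kernel_read_system_state(wireplumber_t)
miscfiles_read_localization(wireplumber_t)
logging_send_syslog_msg(wireplumber_t)

ifdef(`wireplumber_system_service',`
	# create /run/wireplumber with the private label
	files_runtime_filetrans(wireplumber_t, wireplumber_runtime_t, dir, "wireplumber")
')

optional_policy(`
	# interfaces this PR takes from pipewire.if (PR #1109)
	pipewire_stream_connect(wireplumber_t)
	pipewire_use_fds(wireplumber_t)
	pipewire_rw_tmpfs_files(wireplumber_t)
')

optional_policy(`
	dbus_system_bus_client(wireplumber_t)

	ifdef(`wireplumber_system_service',`
		dbus_system_domain(wireplumber_t, wireplumber_exec_t)
	')

	# Bidirectional send_msg with the services whose method replies were
	# denied while WirePlumber ran in initrc_t.
	optional_policy(`
		bluetooth_dbus_chat(wireplumber_t)
	')

	optional_policy(`
		modemmanager_dbus_chat(wireplumber_t)
	')

	optional_policy(`
		# interface this PR adds to ofono.if
		ofono_dbus_chat(wireplumber_t)
	')
')

optional_policy(`
	rtkit_scheduled(wireplumber_t)
')
```

The two ifdef branches are resolved when m4 expands the sources, before checkmodule ever sees the policy; that is why the PR notes that tunable_policy() cannot be used here: init_daemon_domain() and userdom_user_application_domain() emit type and role declarations, and declarations are not permitted inside a boolean-conditional block of compiled policy. To build the system-service variant the symbol has to be defined for the m4 pass (an m4 -D define in the build). A quick check after loading the module on such a system is that `ps -eZ | grep wireplumber` shows wireplumber_t rather than initrc_t; if it still shows initrc_t, either the binary is not labeled wireplumber_exec_t or the domain transition rule did not make it into the loaded module.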

Add a new SELinux policy module for the PipeWire multimedia daemon
(pipewire.te, pipewire.fc, pipewire.if).

The policy supports both user-service and system-service modes via a
compile-time ifdef(`pipewire_system_service') switch, following the
init_systemd pattern used in docker.te. tunable_policy() cannot be used
here because init_daemon_domain expands to type declarations which must
be resolved at compile time.

Types defined:
- pipewire_t / pipewire_exec_t     : main domain and entrypoint
- pipewire_runtime_t               : runtime sockets under /run/pipewire
                                     or XDG_RUNTIME_DIR
- pipewire_tmpfs_t                 : tmpfs-backed shared memory for
                                     zero-copy buffers
- pipewire_home_t (alias pipewire_var_lib_t) : user config and
                                     persistent state
- pipewire_roles                   : role attribute for user-service mode

File contexts labeled:
- /usr/bin/pipewire, /usr/bin/pw-cat  -> pipewire_exec_t
- /run/pipewire(/.*)?                 -> pipewire_runtime_t
- /run/user/%{USERID}/pipewire(/.*)?  -> pipewire_runtime_t
- HOME_DIR/.config/pipewire(/.*)?     -> pipewire_home_t
- HOME_DIR/.local/share/pipewire(/.*)? -> pipewire_home_t
- /var/lib/pipewire(/.*)?             -> pipewire_var_lib_t

Interfaces added (pipewire.if):
- pipewire_stream_connect(): connect to the daemon socket
- pipewire_use_fds(): use file descriptors passed from PipeWire
- pipewire_rw_tmpfs_files(): read/write/mmap zero-copy shared memory

Policy coverage:
- User-service mode (default): userdom_user_application_domain
- System-service mode: init_daemon_domain, dev_rw_dma_dev, filetrans
  rules for /var/lib/pipewire and /run/pipewire
- ALSA sound device access via dev_read_sound / dev_write_sound
- mmap of /usr/share/pipewire/*.conf via files_map_usr_files
- self:unix_stream_socket connectto for pipewire-pulse to connect to
  the main daemon socket at /run/pipewire/pipewire-0
- sysfs and procfs read access for hardware discovery
- tmpfs shared memory via dedicated pipewire_tmpfs_t type
- /tmp file read access for pw-play playback use case
- Inherited stream socket r/w from init scripts (e.g. ADB shell)
- System logging via syslog and systemd journal
- D-Bus session and system bus access via optional_policy
- RTKit real-time scheduling via optional_policy
- PulseAudio socket connection via optional_policy
- Suppressed /proc scan denials via domain_dontaudit_read_all_domains_state

Signed-off-by: Chiluka Rohith <rchiluka@qti.qualcomm.com>
@tkanfade tkanfade force-pushed the wireplumber_module branch 3 times, most recently from 249c7a1 to 0ebc4bc on May 27, 2026 13:07
WirePlumber is the session manager for the PipeWire multimedia
framework. On standard Linux desktops it runs as a user service
(systemd --user). On embedded/headless platforms such as Qualcomm
QLI 2.0 it runs as a system-wide service (User=pipewire under
system systemd).

Without a dedicated policy WirePlumber falls back to the generic
initrc_t domain. In initrc_t, SELinux blocks D-Bus method replies
from modemmanager_t and bluetooth_t which are required for telephony
and Bluetooth audio routing. The blocked replies cause WirePlumber
to crash with SIGSEGV every ~25 seconds resulting in wpctl set-default
and pw-play --target failures.

The policy uses a compile-time ifdef(`wireplumber_system_service')
switch following the same pattern as pipewire.te to select between
system-service and user-service mode at m4 build time.

The policy module is placed in apps/ consistent with pipewire.

The policy confines the wireplumber_t domain with:
- Domain transition via wireplumber_exec_t
- PipeWire socket communication via pipewire_stream_connect(),
  pipewire_use_fds() and pipewire_rw_tmpfs_files() for zero-copy
  memfd buffer sharing (depends on pipewire policy PR SELinuxProject#1109)
- Runtime directory management (system: /run/wireplumber,
  user: XDG_RUNTIME_DIR/wireplumber)
- tmpfs/memfd shared memory for zero-copy audio buffers
- Config file mmap via files_map_usr_files()
- D-Bus system bus; dbus_system_domain when system service
- D-Bus communication with ModemManager, BlueZ and oFono
- udev runtime access for device monitoring including
  netlink_kobject_uevent_socket and xattr filesystem getattr
- systemd sessions and logind session directory watch
- /etc/machine-id, procfs, sysfs
- /dev/snd inotify watch for device monitoring
- Bluetooth socket with listen permission for BlueZ audio routing
- RTKit realtime scheduling support
- systemd journal logging

Also adds ofono_dbus_chat() interface to ofono.if to allow
bidirectional D-Bus communication between a domain and oFono.

Also extends pipewire.fc to label /usr/bin/wpctl as pipewire_exec_t
so that wpctl transitions into pipewire_t and operates without AVC
denials.

Note: This patch depends on the pipewire policy (PR SELinuxProject#1109).
Please merge PR SELinuxProject#1109 before this patch, as wireplumber.te uses
pipewire_stream_connect(), pipewire_use_fds() and
pipewire_rw_tmpfs_files() defined in pipewire.if.

Signed-off-by: Tejas Vijay Kanfade <tkanfade@qti.qualcomm.com>
@tkanfade tkanfade force-pushed the wireplumber_module branch from 0ebc4bc to e2590da on May 27, 2026 13:11
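The interfaces and file contexts that the two commit messages list (pipewire_stream_connect(), pipewire_use_fds() and pipewire_rw_tmpfs_files() in pipewire.if, ofono_dbus_chat() in ofono.if, and the pipewire.fc entries including the added /usr/bin/wpctl line) are shown below as an added illustration of how such definitions are written in refpolicy, not as the files from this PR or from PR #1109. The interface bodies are a reconstruction built from standard refpolicy patterns (gen_require, stream_connect_pattern) and may differ from what was submitted; the type names pipewire_t, pipewire_runtime_t, pipewire_tmpfs_t, pipewire_home_t and pipewire_var_lib_t are taken from the pipewire commit message, and ofono_t is the existing refpolicy oFono domain.

```m4
# --- pipewire.if (illustrative reconstruction) ---

########################################
## <summary>
##	Connect to the PipeWire daemon socket.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pipewire_stream_connect',`
	gen_require(`
		type pipewire_t, pipewire_runtime_t;
	')

	files_search_runtime($1)
	stream_connect_pattern($1, pipewire_runtime_t, pipewire_runtime_t, pipewire_t)
')

########################################
## <summary>
##	Use file descriptors passed from PipeWire.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pipewire_use_fds',`
	gen_require(`
		type pipewire_t;
	')

	allow $1 pipewire_t:fd use;
')

########################################
## <summary>
##	Read, write and mmap PipeWire zero-copy shared memory.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`pipewire_rw_tmpfs_files',`
	gen_require(`
		type pipewire_tmpfs_t;
	')

	fs_search_tmpfs($1)
	allow $1 pipewire_tmpfs_t:file { rw_file_perms map };
')

# --- ofono.if addition (illustrative reconstruction) ---

########################################
## <summary>
##	Send and receive D-Bus messages to and from oFono.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ofono_dbus_chat',`
	gen_require(`
		type ofono_t;
		class dbus send_msg;
	')

	# both directions: method replies travel ofono_t -> $1
	allow $1 ofono_t:dbus send_msg;
	allow ofono_t $1:dbus send_msg;
')

# --- pipewire.fc (entries listed in the commit messages) ---
/usr/bin/pipewire	--	gen_context(system_u:object_r:pipewire_exec_t,s0)
/usr/bin/pw-cat	--	gen_context(system_u:object_r:pipewire_exec_t,s0)
/usr/bin/wpctl	--	gen_context(system_u:object_r:pipewire_exec_t,s0)
/run/pipewire(/.*)?	gen_context(system_u:object_r:pipewire_runtime_t,s0)
/run/user/%{USERID}/pipewire(/.*)?	gen_context(system_u:object_r:pipewire_runtime_t,s0)
/var/lib/pipewire(/.*)?	gen_context(system_u:object_r:pipewire_var_lib_t,s0)
HOME_DIR/\.config/pipewire(/.*)?	gen_context(system_u:object_r:pipewire_home_t,s0)
HOME_DIR/\.local/share/pipewire(/.*)?	gen_context(system_u:object_r:pipewire_home_t,s0)
```

Writing the chat interface as a pair of send_msg rules is what makes method replies work: a single client-to-service rule lets the caller send the request, but the reply is a separate message from ofono_t back to the caller and is denied without the second rule, which matches the blocked-reply behaviour the description attributes to initrc_t. The wpctl entry deliberately runs the CLI in pipewire_t rather than in a domain of its own; a reviewer would want to confirm that everything pipewire_t is allowed is also appropriate for an interactive tool started from a user shell.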