Skip to content

pipewire-pulse: add snap permissions support

SNAP containers have two main "audio" security rules:

  • audio-playback: the applications inside the container can send audio samples into a sink

  • audio-record: the applications inside the container can get audio samples from a source

Also, old SNAP containers had the "pulseaudio" rule, which just exposed the pulseaudio socket directly, without limits. This is similar to the current Flatpak audio permissions.

In the pulseaudio days, a specific pulseaudio module was used that checked the permissions given to the application and allowed or forbade access to the pulseaudio operations. With the change to pipewire, this functionality must be implemented in pipewire-pulse to guarantee the sandbox security.

This patch adds support for sandboxing permissions in the pulseaudio module, and implements support for the SNAP audio security model, thus forbiding a SNAP application to record audio unless it has permissions to do so.

The current code for pipewire-pulseaudio checks the permissions of the snap and adds three properties to each new client:

  • contains the Snap ID of the client.

  • its value is 'true' if the client has permission to play audio, or 'false' if not.

  • its value is 'true' if the client has permission to record audio, or 'false' if not.

These properties must be processed by wireplumber to add or remove access permissions to the corresponding nodes. That code is available in a separate patch: wireplumber!567 (merged)

Fix #3277 (closed)

Edited by Sergio Costas

Merge request reports