diff mbox series

[bug#77383,v2,2/3] gnu: speakersafetyd: Run as unprivileged user.

Message ID 2788a4ea937715053ca7210a52ed0be3976fd0b6.1743695029.git.roman@burningswell.com
State New
Headers
Series [bug#77383,v2,1/3] gnu: speakersafetyd: Update to 1.1.2. |

Commit Message

Roman Scherer April 3, 2025, 3:44 p.m. UTC 
  * gnu/services/sound.scm (speakersafetyd): Run as unprivileged user.
* doc/guix.texi: Document user and group fields.

Change-Id: I870bc7bfd69249da3a9c981f627e751395386bd2
---
 doc/guix.texi          |  6 +++++
 gnu/services/sound.scm | 53 ++++++++++++++++++++++++++++++++++++++----
 2 files changed, 55 insertions(+), 4 deletions(-)
diff mbox series

Patch

diff --git a/doc/guix.texi b/doc/guix.texi
index f6d774fd13..a0f2a83c36 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -27268,12 +27268,18 @@  Sound Services
 The base directory as a G-expression (@pxref{G-Expressions}) that
 contains the configuration files of the speaker models.
 
+@item @code{group} (default: @code{"speakersafetyd"}) (type: string)
+The group to run the Speaker Safety Daemon as.
+
 @item @code{maximum-gain-reduction} (default: @code{7}) (type: integer)
 Maximum gain reduction before panicking, useful for debugging.
 
 @item @code{speakersafetyd} (default: @code{speakersafetyd}) (type: file-like)
 The Speaker Safety Daemon package to use.
 
+@item @code{user} (default: @code{"speakersafetyd"}) (type: string)
+The user to run the Speaker Safety Daemon as.
+
 @end table
 @end deftp
 @c %end of fragment
diff --git a/gnu/services/sound.scm b/gnu/services/sound.scm
index fbaa55c553..e5c26e2495 100644
--- a/gnu/services/sound.scm
+++ b/gnu/services/sound.scm
@@ -29,10 +29,12 @@  (define-module (gnu services sound)
   #:use-module (gnu system shadow)
   #:use-module (guix diagnostics)
   #:use-module (guix gexp)
+  #:use-module (guix modules)
   #:use-module (guix packages)
   #:use-module (guix records)
   #:use-module (guix store)
   #:use-module (guix ui)
+  #:use-module (gnu packages admin)
   #:use-module (gnu packages audio)
   #:use-module (gnu packages linux)
   #:use-module (gnu packages pulseaudio)
@@ -288,16 +290,52 @@  (define-configuration/no-serialization speakersafetyd-configuration
    (file-like (file-append speakersafetyd "/share/speakersafetyd"))
    "The base directory as a G-expression (@pxref{G-Expressions}) that contains
 the configuration files of the speaker models.")
+  (group
+   (string "speakersafetyd")
+   "The group to run the Speaker Safety Daemon as.")
   (maximum-gain-reduction
    (integer 7)
    "Maximum gain reduction before panicking, useful for debugging.")
   (speakersafetyd
    (file-like speakersafetyd)
-   "The Speaker Safety Daemon package to use."))
+   "The Speaker Safety Daemon package to use.")
+  (user
+   (string "speakersafetyd")
+   "The user to run the Speaker Safety Daemon as."))
+
+(define speakersafetyd-accounts
+  (match-record-lambda <speakersafetyd-configuration>
+      ( blackbox-directory configuration-directory group
+        maximum-gain-reduction speakersafetyd user)
+    (list (user-group
+           (name group)
+           (system? #t))
+          (user-account
+           (name user)
+           (group group)
+           (system? #t)
+           (home-directory "/var/empty")
+           (shell (file-append shadow "/sbin/nologin"))
+           (supplementary-groups '("audio"))))))
+
+(define speakersafetyd-activation
+  (match-record-lambda <speakersafetyd-configuration>
+      ( blackbox-directory configuration-directory group
+        maximum-gain-reduction speakersafetyd user)
+    (with-imported-modules (source-module-closure '((gnu build activation)))
+      #~(begin
+          (use-modules (gnu build activation))
+          (let ((user (getpwnam #$user)))
+            (mkdir-p/perms "/run/speakersafetyd" user #o755)
+            (mkdir-p/perms "/var/lib/speakersafetyd" user #o755)
+            ;; Blackbox files contain audio recordings and might be sensitive
+            ;; information
+            (mkdir-p/perms #$blackbox-directory user #o700))))))
 
 (define speakersafetyd-shepherd-service
   (match-record-lambda <speakersafetyd-configuration>
-      (blackbox-directory configuration-directory maximum-gain-reduction speakersafetyd)
+      ( blackbox-directory configuration-directory group
+        maximum-gain-reduction speakersafetyd user)
     (shepherd-service
      (documentation "Run the speaker safety daemon")
      (provision '(speakersafetyd))
@@ -306,7 +344,10 @@  (define speakersafetyd-shepherd-service
                (list #$(file-append speakersafetyd "/bin/speakersafetyd")
                      "--config-path" #$configuration-directory
                      "--blackbox-path" #$blackbox-directory
-                     "--max-reduction" (number->string #$maximum-gain-reduction))))
+                     "--max-reduction" (number->string #$maximum-gain-reduction))
+               #:group #$group
+               #:supplementary-groups '("audio")
+               #:user #$user))
      (stop #~(make-kill-destructor)))))
 
 (define speakersafetyd-service-type
@@ -324,7 +365,11 @@  (define speakersafetyd-service-type
            (compose list speakersafetyd-configuration-speakersafetyd))
           (service-extension
            profile-service-type
-           (compose list speakersafetyd-configuration-speakersafetyd))))
+           (compose list speakersafetyd-configuration-speakersafetyd))
+          (service-extension account-service-type
+                             speakersafetyd-accounts)
+          (service-extension activation-service-type
+                             speakersafetyd-activation)))
    (default-value (speakersafetyd-configuration))))
 
 ;;; sound.scm ends here