From patchwork Thu Apr 3 15:44:32 2025
X-Patchwork-Submitter: Roman Scherer
X-Patchwork-Id: 41230
From: Roman Scherer
Date: Thu, 3 Apr 2025 17:44:32 +0200
Subject: [bug#77383] [PATCH v2 2/3] gnu: speakersafetyd: Run as unprivileged user.
To: 77383@debbugs.gnu.org
Cc: Roman Scherer, Ludovic Courtès, Maxim Cournoyer
Message-ID: <2788a4ea937715053ca7210a52ed0be3976fd0b6.1743695029.git.roman@burningswell.com>
In-Reply-To: <92c75e4d057966fdf586b34e34d8b43a7361e006.1743695029.git.roman@burningswell.com>

* gnu/services/sound.scm (speakersafetyd): Run as unprivileged user.
* doc/guix.texi: Document user and group fields.

Change-Id: I870bc7bfd69249da3a9c981f627e751395386bd2
--- doc/guix.texi | 6 +++++ gnu/services/sound.scm | 53 ++++++++++++++++++++++++++++++++++++++---- 2 files changed, 55 insertions(+), 4 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index f6d774fd13..a0f2a83c36 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -27268,12 +27268,18 @@ Sound Services The base directory as a G-expression (@pxref{G-Expressions}) that contains the configuration files of the speaker models. +@item @code{group} (default: @code{"speakersafetyd"}) (type: string) +The group to run the Speaker Safety Daemon as. + @item @code{maximum-gain-reduction} (default: @code{7}) (type: integer) Maximum gain reduction before panicking, useful for debugging. @item @code{speakersafetyd} (default: @code{speakersafetyd}) (type: file-like) The Speaker Safety Daemon package to use. +@item @code{user} (default: @code{"speakersafetyd"}) (type: string) +The user to run the Speaker Safety Daemon as. + @end table @end deftp @c %end of fragment diff --git a/gnu/services/sound.scm b/gnu/services/sound.scm index fbaa55c553..e5c26e2495 100644 --- a/gnu/services/sound.scm +++ b/gnu/services/sound.scm @@ -29,10 +29,12 @@ (define-module (gnu services sound) #:use-module (gnu system shadow) #:use-module (guix diagnostics) #:use-module (guix gexp) + #:use-module (guix modules) #:use-module (guix packages) #:use-module (guix records) #:use-module (guix store) #:use-module (guix ui) + #:use-module (gnu packages admin) #:use-module (gnu packages audio) #:use-module (gnu packages linux) #:use-module (gnu packages pulseaudio) 
@@ -288,16 +290,52 @@ (define-configuration/no-serialization speakersafetyd-configuration (file-like (file-append speakersafetyd "/share/speakersafetyd")) "The base directory as a G-expression (@pxref{G-Expressions}) that contains the configuration files of the speaker models.") + (group + (string "speakersafetyd") + "The group to run the Speaker Safety Daemon as.") (maximum-gain-reduction (integer 7) "Maximum gain reduction before panicking, useful for debugging.") (speakersafetyd (file-like speakersafetyd) - "The Speaker Safety Daemon package to use.")) + "The Speaker Safety Daemon package to use.") + (user + (string "speakersafetyd") + "The user to run the Speaker Safety Daemon as.")) + +(define speakersafetyd-accounts + (match-record-lambda + ( blackbox-directory configuration-directory group + maximum-gain-reduction speakersafetyd user) + (list (user-group + (name group) + (system? #t)) + (user-account + (name user) + (group group) + (system? #t) + (home-directory "/var/empty") + (shell (file-append shadow "/sbin/nologin")) + (supplementary-groups '("audio")))))) + +(define speakersafetyd-activation + (match-record-lambda + ( blackbox-directory configuration-directory group + maximum-gain-reduction speakersafetyd user) + (with-imported-modules (source-module-closure '((gnu build activation))) + #~(begin + (use-modules (gnu build activation)) + (let ((user (getpwnam #$user))) + (mkdir-p/perms "/run/speakersafetyd" user #o755) + (mkdir-p/perms "/var/lib/speakersafetyd" user #o755) + ;; Blackbox files contain audio recordings and might be sensitive + ;; information + (mkdir-p/perms #$blackbox-directory user #o700)))))) (define speakersafetyd-shepherd-service (match-record-lambda - (blackbox-directory configuration-directory maximum-gain-reduction speakersafetyd) + ( blackbox-directory configuration-directory group + maximum-gain-reduction speakersafetyd user) (shepherd-service (documentation "Run the speaker safety daemon") (provision '(speakersafetyd)) 
@@ -306,7 +344,10 @@ (define speakersafetyd-shepherd-service (list #$(file-append speakersafetyd "/bin/speakersafetyd") "--config-path" #$configuration-directory "--blackbox-path" #$blackbox-directory - "--max-reduction" (number->string #$maximum-gain-reduction)))) + "--max-reduction" (number->string #$maximum-gain-reduction)) + #:group #$group + #:supplementary-groups '("audio") + #:user #$user)) (stop #~(make-kill-destructor))))) (define speakersafetyd-service-type @@ -324,7 +365,11 @@ (define speakersafetyd-service-type (compose list speakersafetyd-configuration-speakersafetyd)) (service-extension profile-service-type - (compose list speakersafetyd-configuration-speakersafetyd)))) + (compose list speakersafetyd-configuration-speakersafetyd)) + (service-extension account-service-type + speakersafetyd-accounts) + (service-extension activation-service-type + speakersafetyd-activation))) (default-value (speakersafetyd-configuration)))) ;;; sound.scm ends here
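
Review bot: The new `group` and `user` items in doc/guix.texi (hunk at -27268) say only which identity the daemon runs as and leave out what the service does with those names. From the sound.scm changes, the service declares both as system accounts through the account-service-type extension, adds the user to the "audio" supplementary group, and creates the blackbox directory owned by that user with mode 700. Someone overriding the defaults with an account that is declared elsewhere needs to know this, so a sentence on each item (or one shared paragraph after the table) would help.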
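
Review bot: speakersafetyd-activation (gnu/services/sound.scm, hunk at -288) handles directories only, so files that already exist from before this change are not covered. The three mkdir-p/perms calls set owner and mode on /run/speakersafetyd, /var/lib/speakersafetyd and the blackbox directory, but nothing touches their contents; the old service definition passed no #:user, so existing blackbox dumps and state files may belong to a different owner and be unreadable to the new unprivileged user. Either adjust ownership of existing contents in the activation or state the manual migration step in the documentation. As a smaller point, both new match-record-lambda forms bind all six fields while speakersafetyd-accounts uses only `group` and `user` and the activation uses only `blackbox-directory` and `user`; trimming the field lists would make the dependencies clearer.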
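
Review bot: In the start command's keyword arguments (gnu/services/sound.scm, hunk at -306), `#:supplementary-groups '("audio")` repeats the literal already written in the user-account record of speakersafetyd-accounts, so the two can drift apart in a later edit. Suggest binding the list once, in a top-level definition or a configuration field, and referencing it from both places; a field would also let a system that grants sound-device access through a different group change it alongside `user` and `group`.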