Package: guix-patches;
Reported by: Roman Scherer <roman <at> burningswell.com>
Date: Sun, 30 Mar 2025 12:25:01 UTC
Severity: normal
Tags: patch
Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To reply to this bug, email your comments to 77383 AT debbugs.gnu.org.
There is no need to reopen the bug first.
Toggle the display of automated, internal messages from the tracker.
View this report as an mbox folder, status mbox, maintainer mbox
ludo <at> gnu.org, maxim.cournoyer <at> gmail.com, guix-patches <at> gnu.org:bug#77383; Package guix-patches.
(Sun, 30 Mar 2025 12:25:01 GMT) Full text and rfc822 format available.Roman Scherer <roman <at> burningswell.com>:ludo <at> gnu.org, maxim.cournoyer <at> gmail.com, guix-patches <at> gnu.org.
(Sun, 30 Mar 2025 12:25:01 GMT) Full text and rfc822 format available.Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
From: Roman Scherer <roman <at> burningswell.com> To: guix-patches <at> gnu.org Cc: Roman Scherer <roman <at> burningswell.com> Subject: [PATCH 0/2] Run speakersafetyd as unprivileged user Date: Sun, 30 Mar 2025 14:24:22 +0200
Hello Guix, this patch series updates the speakersafetyd package and its system service to run as an unprivileged user instead of root. Upstream made this possible rercently [1]. Could you please review the patch series? Thank you! [1] https://github.com/AsahiLinux/speakersafetyd/issues/23 Roman Scherer (2): gnu: speakersafetyd: Update to 1.1.2. gnu: speakersafetyd: Run as unprivileged user. doc/guix.texi | 9 ++++++ gnu/packages/rust-apps.scm | 16 +++++------ gnu/services/sound.scm | 57 +++++++++++++++++++++++++++++++++++--- 3 files changed, 69 insertions(+), 13 deletions(-) base-commit: 2ed28b5c24c599b2f9bc60dfc93151cf489ca477 -- 2.49.0
divya <at> subvertising.org, efraim <at> flashner.co.il, steve <at> futurile.net, guix-patches <at> gnu.org:bug#77383; Package guix-patches.
(Sun, 30 Mar 2025 12:28:01 GMT) Full text and rfc822 format available.Message #8 received at 77383 <at> debbugs.gnu.org (full text, mbox):
From: Roman Scherer <roman <at> burningswell.com> To: 77383 <at> debbugs.gnu.org Cc: Roman Scherer <roman <at> burningswell.com> Subject: [PATCH 1/2] gnu: speakersafetyd: Update to 1.1.2. Date: Sun, 30 Mar 2025 14:26:55 +0200
* gnu/packages/rust-apps.scm (speakersafetyd): Update to 1.1.2.
Change-Id: I1c6d7b6080b18bd8228e8b39d1a0b42267e2b7e1
---
gnu/packages/rust-apps.scm | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/gnu/packages/rust-apps.scm b/gnu/packages/rust-apps.scm
index 2f933d836c..1211ccb0c4 100644
--- a/gnu/packages/rust-apps.scm
+++ b/gnu/packages/rust-apps.scm
@@ -3211,14 +3211,14 @@ (define-public sniffglue
(define-public speakersafetyd
(package
(name "speakersafetyd")
- (version "1.0.2")
+ (version "1.1.2")
(source
(origin
(method url-fetch)
(uri (crate-uri "speakersafetyd" version))
(file-name (string-append name "-" version ".tar.gz"))
(sha256
- (base32 "104xgyqhsg2rxa3ndkizrpndibmcbr25h63phcjswadbm8i790bz"))))
+ (base32 "1c4yk8mq8nazshdcasimlgnyhx27wzkad4wzicy5x43grq26b966"))))
(build-system cargo-build-system)
(arguments
(list
@@ -3245,13 +3245,11 @@ (define-public speakersafetyd
((".*SYSTEMD_WANTS.*") ""))))
(add-after 'install 'install-data
(lambda _
- (setenv "BINDIR" (string-append #$output "/bin"))
- (setenv "UNITDIR" (string-append #$output "/lib/systemd/system"))
- (setenv "UDEVDIR" (string-append #$output "/lib/udev/rules.d"))
- (setenv "TMPFILESDIR" (string-append #$output "/usr/lib/tmpfiles.d"))
- (setenv "SHAREDIR" (string-append #$output "/share"))
- (setenv "VARDIR" (string-append #$output "/var"))
- (invoke "make" "install-data"))))))
+ (setenv "DESTDIR" #$output)
+ (setenv "SHAREDIR" "/share")
+ (setenv "SPEAKERSAFETYD_GROUP" "nixbld")
+ (setenv "SPEAKERSAFETYD_USER" "nixbld")
+ (invoke "make" "install"))))))
(inputs (list alsa-lib))
(native-inputs (list pkg-config))
(home-page "https://github.com/AsahiLinux/speakersafetyd/")
--
2.49.0
ludo <at> gnu.org, maxim.cournoyer <at> gmail.com, guix-patches <at> gnu.org:bug#77383; Package guix-patches.
(Sun, 30 Mar 2025 12:28:02 GMT) Full text and rfc822 format available.Message #11 received at 77383 <at> debbugs.gnu.org (full text, mbox):
From: Roman Scherer <roman <at> burningswell.com> To: 77383 <at> debbugs.gnu.org Cc: Roman Scherer <roman <at> burningswell.com> Subject: [PATCH 2/2] gnu: speakersafetyd: Run as unprivileged user. Date: Sun, 30 Mar 2025 14:26:56 +0200
* gnu/services/sound.scm (speakersafetyd): Run as unprivileged user.
Change-Id: I870bc7bfd69249da3a9c981f627e751395386bd2
---
doc/guix.texi | 9 +++++++
gnu/services/sound.scm | 57 +++++++++++++++++++++++++++++++++++++++---
2 files changed, 62 insertions(+), 4 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index f6d774fd13..9a6084e994 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -27268,12 +27268,21 @@ Sound Services
The base directory as a G-expression (@pxref{G-Expressions}) that
contains the configuration files of the speaker models.
+@item @code{group} (default: @code{"speakersafetyd"}) (type: string)
+The group to run the Speaker Safety Daemon as.
+
+@item @code{log-file} (default: @code{"/var/log/speakersafetyd.log"}) (type: string)
+The path to the Speaker Safety Daemon log file.
+
@item @code{maximum-gain-reduction} (default: @code{7}) (type: integer)
Maximum gain reduction before panicking, useful for debugging.
@item @code{speakersafetyd} (default: @code{speakersafetyd}) (type: file-like)
The Speaker Safety Daemon package to use.
+@item @code{user} (default: @code{"speakersafetyd"}) (type: string)
+The user to run the Speaker Safety Daemon as.
+
@end table
@end deftp
@c %end of fragment
diff --git a/gnu/services/sound.scm b/gnu/services/sound.scm
index fbaa55c553..ac87551a18 100644
--- a/gnu/services/sound.scm
+++ b/gnu/services/sound.scm
@@ -29,10 +29,12 @@ (define-module (gnu services sound)
#:use-module (gnu system shadow)
#:use-module (guix diagnostics)
#:use-module (guix gexp)
+ #:use-module (guix modules)
#:use-module (guix packages)
#:use-module (guix records)
#:use-module (guix store)
#:use-module (guix ui)
+ #:use-module (gnu packages admin)
#:use-module (gnu packages audio)
#:use-module (gnu packages linux)
#:use-module (gnu packages pulseaudio)
@@ -288,16 +290,53 @@ (define-configuration/no-serialization speakersafetyd-configuration
(file-like (file-append speakersafetyd "/share/speakersafetyd"))
"The base directory as a G-expression (@pxref{G-Expressions}) that contains
the configuration files of the speaker models.")
+ (group
+ (string "speakersafetyd")
+ "The group to run the Speaker Safety Daemon as.")
+ (log-file
+ (string "/var/log/speakersafetyd.log")
+ "The path to the Speaker Safety Daemon log file.")
(maximum-gain-reduction
(integer 7)
"Maximum gain reduction before panicking, useful for debugging.")
(speakersafetyd
(file-like speakersafetyd)
- "The Speaker Safety Daemon package to use."))
+ "The Speaker Safety Daemon package to use.")
+ (user
+ (string "speakersafetyd")
+ "The user to run the Speaker Safety Daemon as."))
+
+(define speakersafetyd-accounts
+ (match-record-lambda <speakersafetyd-configuration>
+ (blackbox-directory configuration-directory group log-file maximum-gain-reduction speakersafetyd user)
+ (list (user-group
+ (name group)
+ (system? #t))
+ (user-account
+ (name user)
+ (group group)
+ (system? #t)
+ (home-directory "/var/empty")
+ (shell (file-append shadow "/sbin/nologin"))
+ (supplementary-groups '("audio"))))))
+
+(define speakersafetyd-activation
+ (match-record-lambda <speakersafetyd-configuration>
+ (blackbox-directory configuration-directory group log-file maximum-gain-reduction speakersafetyd user)
+ (with-imported-modules (source-module-closure
+ '((gnu build activation)
+ (guix build utils)))
+ #~(begin
+ (use-modules (gnu build activation))
+ (let ((user (getpwnam #$user)))
+ (mkdir-p/perms "/run/speakersafetyd" user #o755)
+ (mkdir-p/perms "/var/lib/speakersafetyd" user #o755)
+ ;; Blackbox files contain audio recordings and might be sensitive information
+ (mkdir-p/perms #$blackbox-directory user #o700))))))
(define speakersafetyd-shepherd-service
(match-record-lambda <speakersafetyd-configuration>
- (blackbox-directory configuration-directory maximum-gain-reduction speakersafetyd)
+ (blackbox-directory configuration-directory group log-file maximum-gain-reduction speakersafetyd user)
(shepherd-service
(documentation "Run the speaker safety daemon")
(provision '(speakersafetyd))
@@ -306,7 +345,11 @@ (define speakersafetyd-shepherd-service
(list #$(file-append speakersafetyd "/bin/speakersafetyd")
"--config-path" #$configuration-directory
"--blackbox-path" #$blackbox-directory
- "--max-reduction" (number->string #$maximum-gain-reduction))))
+ "--max-reduction" (number->string #$maximum-gain-reduction))
+ #:group #$group
+ #:log-file #$log-file
+ #:supplementary-groups '("audio")
+ #:user #$user))
(stop #~(make-kill-destructor)))))
(define speakersafetyd-service-type
@@ -324,7 +367,13 @@ (define speakersafetyd-service-type
(compose list speakersafetyd-configuration-speakersafetyd))
(service-extension
profile-service-type
- (compose list speakersafetyd-configuration-speakersafetyd))))
+ (compose list speakersafetyd-configuration-speakersafetyd))
+ (service-extension
+ account-service-type
+ speakersafetyd-accounts)
+ (service-extension
+ activation-service-type
+ speakersafetyd-activation)))
(default-value (speakersafetyd-configuration))))
;;; sound.scm ends here
--
2.49.0
guix-patches <at> gnu.org:bug#77383; Package guix-patches.
(Thu, 03 Apr 2025 10:44:02 GMT) Full text and rfc822 format available.Message #14 received at 77383 <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: Roman Scherer <roman <at> burningswell.com> Cc: 77383 <at> debbugs.gnu.org, Ludovic Courtès <ludo <at> gnu.org> Subject: Re: [bug#77383] [PATCH 2/2] gnu: speakersafetyd: Run as unprivileged user. Date: Thu, 03 Apr 2025 19:43:23 +0900
Hi,
Roman Scherer <roman <at> burningswell.com> writes:
> * gnu/services/sound.scm (speakersafetyd): Run as unprivileged user.
Sounds good, perhaps also mention it adds a log file (is this related to
this change?).
[...]
> +(define speakersafetyd-accounts
> + (match-record-lambda <speakersafetyd-configuration>
> + (blackbox-directory configuration-directory group log-file maximum-gain-reduction speakersafetyd user)
Please break this and next long lines into something that fits < 80
characters. You can use the Emacs indentation hack to do so and leave a
space after the opening parens to ensure it gets indented as data and
not a procedure:
( blackbox-directory configuration-directory ...
speakersafetyd user)
> + (list (user-group
> + (name group)
> + (system? #t))
> + (user-account
> + (name user)
> + (group group)
> + (system? #t)
> + (home-directory "/var/empty")
> + (shell (file-append shadow "/sbin/nologin"))
> + (supplementary-groups '("audio"))))))
> +
> +(define speakersafetyd-activation
> + (match-record-lambda <speakersafetyd-configuration>
> + (blackbox-directory configuration-directory group log-file maximum-gain-reduction speakersafetyd user)
Line width > 80 columns.
> + (with-imported-modules (source-module-closure
> + '((gnu build activation)
> + (guix build utils)))
Looks like you only use (gnu build activation), not (guix build utils)
in the below snippet.
> + #~(begin
> + (use-modules (gnu build activation))
> + (let ((user (getpwnam #$user)))
> + (mkdir-p/perms "/run/speakersafetyd" user #o755)
> + (mkdir-p/perms "/var/lib/speakersafetyd" user #o755)
> + ;; Blackbox files contain audio recordings and might be sensitive information
> + (mkdir-p/perms #$blackbox-directory user #o700))))))
>
> (define speakersafetyd-shepherd-service
> (match-record-lambda <speakersafetyd-configuration>
> - (blackbox-directory configuration-directory maximum-gain-reduction speakersafetyd)
> + (blackbox-directory configuration-directory group log-file maximum-gain-reduction speakersafetyd user)
Line width > 80 columns.
> (shepherd-service
> (documentation "Run the speaker safety daemon")
> (provision '(speakersafetyd))
> @@ -306,7 +345,11 @@ (define speakersafetyd-shepherd-service
> (list #$(file-append speakersafetyd "/bin/speakersafetyd")
> "--config-path" #$configuration-directory
> "--blackbox-path" #$blackbox-directory
> - "--max-reduction" (number->string #$maximum-gain-reduction))))
> + "--max-reduction" (number->string #$maximum-gain-reduction))
> + #:group #$group
> + #:log-file #$log-file
> + #:supplementary-groups '("audio")
> + #:user #$user))
> (stop #~(make-kill-destructor)))))
>
> (define speakersafetyd-service-type
> @@ -324,7 +367,13 @@ (define speakersafetyd-service-type
> (compose list speakersafetyd-configuration-speakersafetyd))
> (service-extension
> profile-service-type
> - (compose list speakersafetyd-configuration-speakersafetyd))))
> + (compose list speakersafetyd-configuration-speakersafetyd))
> + (service-extension
> + account-service-type
> + speakersafetyd-accounts)
> + (service-extension
> + activation-service-type
> + speakersafetyd-activation)))
nitpick but I like to put at least one argument on the same line unless
respecting the 80 columns max width is challenging, as in:
--8<---------------cut here---------------start------------->8---
(service-extension account-service-type
speakersafetyd-accounts)
--8<---------------cut here---------------end--------------->8---
etc.
Other than these tiny details, it LGTM. Could you please send a v2?
--
Thanks,
Maxim
divya <at> subvertising.org, efraim <at> flashner.co.il, steve <at> futurile.net, guix-patches <at> gnu.org:bug#77383; Package guix-patches.
(Thu, 03 Apr 2025 15:45:01 GMT) Full text and rfc822 format available.Message #17 received at 77383 <at> debbugs.gnu.org (full text, mbox):
From: Roman Scherer <roman <at> burningswell.com> To: 77383 <at> debbugs.gnu.org Cc: Roman Scherer <roman <at> burningswell.com> Subject: [PATCH v2 1/3] gnu: speakersafetyd: Update to 1.1.2. Date: Thu, 3 Apr 2025 17:44:31 +0200
* gnu/packages/rust-apps.scm (speakersafetyd): Update to 1.1.2.
Change-Id: I1c6d7b6080b18bd8228e8b39d1a0b42267e2b7e1
---
gnu/packages/rust-apps.scm | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/gnu/packages/rust-apps.scm b/gnu/packages/rust-apps.scm
index 2f933d836c..1211ccb0c4 100644
--- a/gnu/packages/rust-apps.scm
+++ b/gnu/packages/rust-apps.scm
@@ -3211,14 +3211,14 @@ (define-public sniffglue
(define-public speakersafetyd
(package
(name "speakersafetyd")
- (version "1.0.2")
+ (version "1.1.2")
(source
(origin
(method url-fetch)
(uri (crate-uri "speakersafetyd" version))
(file-name (string-append name "-" version ".tar.gz"))
(sha256
- (base32 "104xgyqhsg2rxa3ndkizrpndibmcbr25h63phcjswadbm8i790bz"))))
+ (base32 "1c4yk8mq8nazshdcasimlgnyhx27wzkad4wzicy5x43grq26b966"))))
(build-system cargo-build-system)
(arguments
(list
@@ -3245,13 +3245,11 @@ (define-public speakersafetyd
((".*SYSTEMD_WANTS.*") ""))))
(add-after 'install 'install-data
(lambda _
- (setenv "BINDIR" (string-append #$output "/bin"))
- (setenv "UNITDIR" (string-append #$output "/lib/systemd/system"))
- (setenv "UDEVDIR" (string-append #$output "/lib/udev/rules.d"))
- (setenv "TMPFILESDIR" (string-append #$output "/usr/lib/tmpfiles.d"))
- (setenv "SHAREDIR" (string-append #$output "/share"))
- (setenv "VARDIR" (string-append #$output "/var"))
- (invoke "make" "install-data"))))))
+ (setenv "DESTDIR" #$output)
+ (setenv "SHAREDIR" "/share")
+ (setenv "SPEAKERSAFETYD_GROUP" "nixbld")
+ (setenv "SPEAKERSAFETYD_USER" "nixbld")
+ (invoke "make" "install"))))))
(inputs (list alsa-lib))
(native-inputs (list pkg-config))
(home-page "https://github.com/AsahiLinux/speakersafetyd/")
base-commit: 2ed28b5c24c599b2f9bc60dfc93151cf489ca477
--
2.49.0
ludo <at> gnu.org, maxim.cournoyer <at> gmail.com, guix-patches <at> gnu.org:bug#77383; Package guix-patches.
(Thu, 03 Apr 2025 15:45:02 GMT) Full text and rfc822 format available.Message #20 received at 77383 <at> debbugs.gnu.org (full text, mbox):
From: Roman Scherer <roman <at> burningswell.com> To: 77383 <at> debbugs.gnu.org Cc: Roman Scherer <roman <at> burningswell.com> Subject: [PATCH v2 2/3] gnu: speakersafetyd: Run as unprivileged user. Date: Thu, 3 Apr 2025 17:44:32 +0200
* gnu/services/sound.scm (speakersafetyd): Run as unprivileged user.
* doc/guix.texi: Document user and group fields.
Change-Id: I870bc7bfd69249da3a9c981f627e751395386bd2
---
doc/guix.texi | 6 +++++
gnu/services/sound.scm | 53 ++++++++++++++++++++++++++++++++++++++----
2 files changed, 55 insertions(+), 4 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index f6d774fd13..a0f2a83c36 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -27268,12 +27268,18 @@ Sound Services
The base directory as a G-expression (@pxref{G-Expressions}) that
contains the configuration files of the speaker models.
+@item @code{group} (default: @code{"speakersafetyd"}) (type: string)
+The group to run the Speaker Safety Daemon as.
+
@item @code{maximum-gain-reduction} (default: @code{7}) (type: integer)
Maximum gain reduction before panicking, useful for debugging.
@item @code{speakersafetyd} (default: @code{speakersafetyd}) (type: file-like)
The Speaker Safety Daemon package to use.
+@item @code{user} (default: @code{"speakersafetyd"}) (type: string)
+The user to run the Speaker Safety Daemon as.
+
@end table
@end deftp
@c %end of fragment
diff --git a/gnu/services/sound.scm b/gnu/services/sound.scm
index fbaa55c553..e5c26e2495 100644
--- a/gnu/services/sound.scm
+++ b/gnu/services/sound.scm
@@ -29,10 +29,12 @@ (define-module (gnu services sound)
#:use-module (gnu system shadow)
#:use-module (guix diagnostics)
#:use-module (guix gexp)
+ #:use-module (guix modules)
#:use-module (guix packages)
#:use-module (guix records)
#:use-module (guix store)
#:use-module (guix ui)
+ #:use-module (gnu packages admin)
#:use-module (gnu packages audio)
#:use-module (gnu packages linux)
#:use-module (gnu packages pulseaudio)
@@ -288,16 +290,52 @@ (define-configuration/no-serialization speakersafetyd-configuration
(file-like (file-append speakersafetyd "/share/speakersafetyd"))
"The base directory as a G-expression (@pxref{G-Expressions}) that contains
the configuration files of the speaker models.")
+ (group
+ (string "speakersafetyd")
+ "The group to run the Speaker Safety Daemon as.")
(maximum-gain-reduction
(integer 7)
"Maximum gain reduction before panicking, useful for debugging.")
(speakersafetyd
(file-like speakersafetyd)
- "The Speaker Safety Daemon package to use."))
+ "The Speaker Safety Daemon package to use.")
+ (user
+ (string "speakersafetyd")
+ "The user to run the Speaker Safety Daemon as."))
+
+(define speakersafetyd-accounts
+ (match-record-lambda <speakersafetyd-configuration>
+ ( blackbox-directory configuration-directory group
+ maximum-gain-reduction speakersafetyd user)
+ (list (user-group
+ (name group)
+ (system? #t))
+ (user-account
+ (name user)
+ (group group)
+ (system? #t)
+ (home-directory "/var/empty")
+ (shell (file-append shadow "/sbin/nologin"))
+ (supplementary-groups '("audio"))))))
+
+(define speakersafetyd-activation
+ (match-record-lambda <speakersafetyd-configuration>
+ ( blackbox-directory configuration-directory group
+ maximum-gain-reduction speakersafetyd user)
+ (with-imported-modules (source-module-closure '((gnu build activation)))
+ #~(begin
+ (use-modules (gnu build activation))
+ (let ((user (getpwnam #$user)))
+ (mkdir-p/perms "/run/speakersafetyd" user #o755)
+ (mkdir-p/perms "/var/lib/speakersafetyd" user #o755)
+ ;; Blackbox files contain audio recordings and might be sensitive
+ ;; information
+ (mkdir-p/perms #$blackbox-directory user #o700))))))
(define speakersafetyd-shepherd-service
(match-record-lambda <speakersafetyd-configuration>
- (blackbox-directory configuration-directory maximum-gain-reduction speakersafetyd)
+ ( blackbox-directory configuration-directory group
+ maximum-gain-reduction speakersafetyd user)
(shepherd-service
(documentation "Run the speaker safety daemon")
(provision '(speakersafetyd))
@@ -306,7 +344,10 @@ (define speakersafetyd-shepherd-service
(list #$(file-append speakersafetyd "/bin/speakersafetyd")
"--config-path" #$configuration-directory
"--blackbox-path" #$blackbox-directory
- "--max-reduction" (number->string #$maximum-gain-reduction))))
+ "--max-reduction" (number->string #$maximum-gain-reduction))
+ #:group #$group
+ #:supplementary-groups '("audio")
+ #:user #$user))
(stop #~(make-kill-destructor)))))
(define speakersafetyd-service-type
@@ -324,7 +365,11 @@ (define speakersafetyd-service-type
(compose list speakersafetyd-configuration-speakersafetyd))
(service-extension
profile-service-type
- (compose list speakersafetyd-configuration-speakersafetyd))))
+ (compose list speakersafetyd-configuration-speakersafetyd))
+ (service-extension account-service-type
+ speakersafetyd-accounts)
+ (service-extension activation-service-type
+ speakersafetyd-activation)))
(default-value (speakersafetyd-configuration))))
;;; sound.scm ends here
--
2.49.0
ludo <at> gnu.org, maxim.cournoyer <at> gmail.com, guix-patches <at> gnu.org:bug#77383; Package guix-patches.
(Thu, 03 Apr 2025 15:45:02 GMT) Full text and rfc822 format available.Message #23 received at 77383 <at> debbugs.gnu.org (full text, mbox):
From: Roman Scherer <roman <at> burningswell.com> To: 77383 <at> debbugs.gnu.org Cc: Roman Scherer <roman <at> burningswell.com> Subject: [PATCH v2 3/3] gnu: speakersafetyd: Add log file. Date: Thu, 3 Apr 2025 17:44:33 +0200
* gnu/services/sound.scm (speakersafetyd): Add log file.
* doc/guix.texi: Document log-file field.
Change-Id: I870bc7bfd69249da3a9c981f627e751395386bd2
---
doc/guix.texi | 3 +++
gnu/services/sound.scm | 10 +++++++---
2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index a0f2a83c36..9a6084e994 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -27271,6 +27271,9 @@ Sound Services
@item @code{group} (default: @code{"speakersafetyd"}) (type: string)
The group to run the Speaker Safety Daemon as.
+@item @code{log-file} (default: @code{"/var/log/speakersafetyd.log"}) (type: string)
+The path to the Speaker Safety Daemon log file.
+
@item @code{maximum-gain-reduction} (default: @code{7}) (type: integer)
Maximum gain reduction before panicking, useful for debugging.
diff --git a/gnu/services/sound.scm b/gnu/services/sound.scm
index e5c26e2495..39b5d043a3 100644
--- a/gnu/services/sound.scm
+++ b/gnu/services/sound.scm
@@ -293,6 +293,9 @@ (define-configuration/no-serialization speakersafetyd-configuration
(group
(string "speakersafetyd")
"The group to run the Speaker Safety Daemon as.")
+ (log-file
+ (string "/var/log/speakersafetyd.log")
+ "The path to the Speaker Safety Daemon log file.")
(maximum-gain-reduction
(integer 7)
"Maximum gain reduction before panicking, useful for debugging.")
@@ -305,7 +308,7 @@ (define-configuration/no-serialization speakersafetyd-configuration
(define speakersafetyd-accounts
(match-record-lambda <speakersafetyd-configuration>
- ( blackbox-directory configuration-directory group
+ ( blackbox-directory configuration-directory group log-file
maximum-gain-reduction speakersafetyd user)
(list (user-group
(name group)
@@ -320,7 +323,7 @@ (define speakersafetyd-accounts
(define speakersafetyd-activation
(match-record-lambda <speakersafetyd-configuration>
- ( blackbox-directory configuration-directory group
+ ( blackbox-directory configuration-directory group log-file
maximum-gain-reduction speakersafetyd user)
(with-imported-modules (source-module-closure '((gnu build activation)))
#~(begin
@@ -334,7 +337,7 @@ (define speakersafetyd-activation
(define speakersafetyd-shepherd-service
(match-record-lambda <speakersafetyd-configuration>
- ( blackbox-directory configuration-directory group
+ ( blackbox-directory configuration-directory group log-file
maximum-gain-reduction speakersafetyd user)
(shepherd-service
(documentation "Run the speaker safety daemon")
@@ -346,6 +349,7 @@ (define speakersafetyd-shepherd-service
"--blackbox-path" #$blackbox-directory
"--max-reduction" (number->string #$maximum-gain-reduction))
#:group #$group
+ #:log-file #$log-file
#:supplementary-groups '("audio")
#:user #$user))
(stop #~(make-kill-destructor)))))
--
2.49.0
guix-patches <at> gnu.org:bug#77383; Package guix-patches.
(Thu, 03 Apr 2025 15:48:02 GMT) Full text and rfc822 format available.Message #26 received at 77383 <at> debbugs.gnu.org (full text, mbox):
From: Roman Scherer <roman <at> burningswell.com> To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> Cc: 77383 <at> debbugs.gnu.org, Roman Scherer <roman <at> burningswell.com>, Ludovic Courtès <ludo <at> gnu.org> Subject: Re: [bug#77383] [PATCH 2/2] gnu: speakersafetyd: Run as unprivileged user. Date: Thu, 03 Apr 2025 17:47:03 +0200
[Message part 1 (text/plain, inline)]
Hi Maxim,
thanks for the review. I just sent a v2 of the patch series.
Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:
> Hi,
>
> Roman Scherer <roman <at> burningswell.com> writes:
>
>> * gnu/services/sound.scm (speakersafetyd): Run as unprivileged user.
>
> Sounds good, perhaps also mention it adds a log file (is this related to
> this change?).
No, it's not related. I split the log file into another commit.
> [...]
>
>> +(define speakersafetyd-accounts
>> + (match-record-lambda <speakersafetyd-configuration>
>> + (blackbox-directory configuration-directory group log-file maximum-gain-reduction speakersafetyd user)
>
> Please break this and next long lines into something that fits < 80
> characters. You can use the Emacs indentation hack to do so and leave a
> space after the opening parens to ensure it gets indented as data and
> not a procedure:
>
> ( blackbox-directory configuration-directory ...
> speakersafetyd user)
>
Interesting, didn't know about this Emacs indentation hack.
>> + (list (user-group
>> + (name group)
>> + (system? #t))
>> + (user-account
>> + (name user)
>> + (group group)
>> + (system? #t)
>> + (home-directory "/var/empty")
>> + (shell (file-append shadow "/sbin/nologin"))
>> + (supplementary-groups '("audio"))))))
>> +
>> +(define speakersafetyd-activation
>> + (match-record-lambda <speakersafetyd-configuration>
>> + (blackbox-directory configuration-directory group log-file maximum-gain-reduction speakersafetyd user)
>
> Line width > 80 columns.
>
>> + (with-imported-modules (source-module-closure
>> + '((gnu build activation)
>> + (guix build utils)))
>
> Looks like you only use (gnu build activation), not (guix build utils)
> in the below snippet.
>
>> + #~(begin
>> + (use-modules (gnu build activation))
>> + (let ((user (getpwnam #$user)))
>> + (mkdir-p/perms "/run/speakersafetyd" user #o755)
>> + (mkdir-p/perms "/var/lib/speakersafetyd" user #o755)
>> + ;; Blackbox files contain audio recordings and might be sensitive information
>> + (mkdir-p/perms #$blackbox-directory user #o700))))))
>>
>> (define speakersafetyd-shepherd-service
>> (match-record-lambda <speakersafetyd-configuration>
>> - (blackbox-directory configuration-directory maximum-gain-reduction speakersafetyd)
>> + (blackbox-directory configuration-directory group log-file maximum-gain-reduction speakersafetyd user)
>
> Line width > 80 columns.
>
>> (shepherd-service
>> (documentation "Run the speaker safety daemon")
>> (provision '(speakersafetyd))
>> @@ -306,7 +345,11 @@ (define speakersafetyd-shepherd-service
>> (list #$(file-append speakersafetyd "/bin/speakersafetyd")
>> "--config-path" #$configuration-directory
>> "--blackbox-path" #$blackbox-directory
>> - "--max-reduction" (number->string #$maximum-gain-reduction))))
>> + "--max-reduction" (number->string #$maximum-gain-reduction))
>> + #:group #$group
>> + #:log-file #$log-file
>> + #:supplementary-groups '("audio")
>> + #:user #$user))
>> (stop #~(make-kill-destructor)))))
>>
>> (define speakersafetyd-service-type
>> @@ -324,7 +367,13 @@ (define speakersafetyd-service-type
>> (compose list speakersafetyd-configuration-speakersafetyd))
>> (service-extension
>> profile-service-type
>> - (compose list speakersafetyd-configuration-speakersafetyd))))
>> + (compose list speakersafetyd-configuration-speakersafetyd))
>> + (service-extension
>> + account-service-type
>> + speakersafetyd-accounts)
>> + (service-extension
>> + activation-service-type
>> + speakersafetyd-activation)))
>
> nitpick but I like to put at least one argument on the same line unless
> respecting the 80 columns max width is challenging, as in:
>
> --8<---------------cut here---------------start------------->8---
> (service-extension account-service-type
> speakersafetyd-accounts)
> --8<---------------cut here---------------end--------------->8---
>
> etc.
>
> Other than these tiny details, it LGTM. Could you please send a v2?
[signature.asc (application/pgp-signature, inline)]
guix-patches <at> gnu.org:bug#77383; Package guix-patches.
(Tue, 08 Apr 2025 02:10:02 GMT) Full text and rfc822 format available.Message #29 received at 77383 <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: Roman Scherer <roman <at> burningswell.com> Cc: 77383 <at> debbugs.gnu.org, Steve George <steve <at> futurile.net>, Efraim Flashner <efraim <at> flashner.co.il>, Divya Ranjan Pattanaik <divya <at> subvertising.org> Subject: Re: [bug#77383] [PATCH v2 1/3] gnu: speakersafetyd: Update to 1.1.2. Date: Tue, 08 Apr 2025 11:09:26 +0900
Hi Roman, 2nd pass over this series. Roman Scherer <roman <at> burningswell.com> writes: > * gnu/packages/rust-apps.scm (speakersafetyd): Update to 1.1.2. > > Change-Id: I1c6d7b6080b18bd8228e8b39d1a0b42267e2b7e1 [...] > - (setenv "BINDIR" (string-append #$output "/bin")) > - (setenv "UNITDIR" (string-append #$output "/lib/systemd/system")) > - (setenv "UDEVDIR" (string-append #$output "/lib/udev/rules.d")) > - (setenv "TMPFILESDIR" (string-append #$output "/usr/lib/tmpfiles.d")) > - (setenv "SHAREDIR" (string-append #$output "/share")) > - (setenv "VARDIR" (string-append #$output "/var")) > - (invoke "make" "install-data")))))) > + (setenv "DESTDIR" #$output) > + (setenv "SHAREDIR" "/share") > + (setenv "SPEAKERSAFETYD_GROUP" "nixbld") > + (setenv "SPEAKERSAFETYD_USER" "nixbld") Since this are just setting environment variables, which are statufel, there's no need to override the install phase, it can go in a 'prepare-to-install or similarly named phase ordered before 'install. -- Thanks, Maxim
guix-patches <at> gnu.org:bug#77383; Package guix-patches.
(Tue, 08 Apr 2025 02:14:02 GMT) Full text and rfc822 format available.Message #32 received at 77383 <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: Roman Scherer <roman <at> burningswell.com> Cc: 77383 <at> debbugs.gnu.org, Ludovic Courtès <ludo <at> gnu.org> Subject: Re: [bug#77383] [PATCH v2 2/3] gnu: speakersafetyd: Run as unprivileged user. Date: Tue, 08 Apr 2025 11:13:03 +0900
Hi,
Roman Scherer <roman <at> burningswell.com> writes:
> * gnu/services/sound.scm (speakersafetyd): Run as unprivileged user.
> * doc/guix.texi: Document user and group fields.
>
> Change-Id: I870bc7bfd69249da3a9c981f627e751395386bd2
[...]
> +(define speakersafetyd-accounts
> + (match-record-lambda <speakersafetyd-configuration>
> + ( blackbox-directory configuration-directory group
> + maximum-gain-reduction speakersafetyd user)
You don't need to list all the fields when using match-record, and I
assume match-record-lambda as well. Here only `group' and `user'
appears useful.
> + (list (user-group
> + (name group)
> + (system? #t))
> + (user-account
> + (name user)
> + (group group)
> + (system? #t)
> + (home-directory "/var/empty")
> + (shell (file-append shadow "/sbin/nologin"))
> + (supplementary-groups '("audio"))))))
> +
> +(define speakersafetyd-activation
> + (match-record-lambda <speakersafetyd-configuration>
> + ( blackbox-directory configuration-directory group
> + maximum-gain-reduction speakersafetyd user)
Likewise.
> + (with-imported-modules (source-module-closure '((gnu build activation)))
> + #~(begin
> + (use-modules (gnu build activation))
> + (let ((user (getpwnam #$user)))
> + (mkdir-p/perms "/run/speakersafetyd" user #o755)
> + (mkdir-p/perms "/var/lib/speakersafetyd" user #o755)
> + ;; Blackbox files contain audio recordings and might be sensitive
> + ;; information
> + (mkdir-p/perms #$blackbox-directory user #o700))))))
>
> (define speakersafetyd-shepherd-service
> (match-record-lambda <speakersafetyd-configuration>
> - (blackbox-directory configuration-directory maximum-gain-reduction speakersafetyd)
> + ( blackbox-directory configuration-directory group
> + maximum-gain-reduction speakersafetyd user)
> (shepherd-service
> (documentation "Run the speaker safety daemon")
> (provision '(speakersafetyd))
> @@ -306,7 +344,10 @@ (define speakersafetyd-shepherd-service
> (list #$(file-append speakersafetyd "/bin/speakersafetyd")
> "--config-path" #$configuration-directory
> "--blackbox-path" #$blackbox-directory
> - "--max-reduction" (number->string #$maximum-gain-reduction))))
> + "--max-reduction" (number->string #$maximum-gain-reduction))
> + #:group #$group
> + #:supplementary-groups '("audio")
> + #:user #$user))
> (stop #~(make-kill-destructor)))))
Not for a future improvement: we also have a least-authority-wrapper
defined in (guix least-authority) that can wrap a binary to have it run
in a Linux container, to further sandbox the process.
--
Thanks,
Maxim
guix-patches <at> gnu.org:bug#77383; Package guix-patches.
(Tue, 08 Apr 2025 02:16:02 GMT) Full text and rfc822 format available.Message #35 received at 77383 <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: Roman Scherer <roman <at> burningswell.com> Cc: 77383 <at> debbugs.gnu.org, Ludovic Courtès <ludo <at> gnu.org> Subject: Re: [bug#77383] [PATCH v2 3/3] gnu: speakersafetyd: Add log file. Date: Tue, 08 Apr 2025 11:15:11 +0900
Hi,
Roman Scherer <roman <at> burningswell.com> writes:
> * gnu/services/sound.scm (speakersafetyd): Add log file.
> * doc/guix.texi: Document log-file field.
>
> Change-Id: I870bc7bfd69249da3a9c981f627e751395386bd2
> ---
> doc/guix.texi | 3 +++
> gnu/services/sound.scm | 10 +++++++---
> 2 files changed, 10 insertions(+), 3 deletions(-)
>
> diff --git a/doc/guix.texi b/doc/guix.texi
> index a0f2a83c36..9a6084e994 100644
> --- a/doc/guix.texi
> +++ b/doc/guix.texi
> @@ -27271,6 +27271,9 @@ Sound Services
> @item @code{group} (default: @code{"speakersafetyd"}) (type: string)
> The group to run the Speaker Safety Daemon as.
>
> +@item @code{log-file} (default: @code{"/var/log/speakersafetyd.log"}) (type: string)
> +The path to the Speaker Safety Daemon log file.
> +
> @item @code{maximum-gain-reduction} (default: @code{7}) (type: integer)
> Maximum gain reduction before panicking, useful for debugging.
>
> diff --git a/gnu/services/sound.scm b/gnu/services/sound.scm
> index e5c26e2495..39b5d043a3 100644
> --- a/gnu/services/sound.scm
> +++ b/gnu/services/sound.scm
> @@ -293,6 +293,9 @@ (define-configuration/no-serialization speakersafetyd-configuration
> (group
> (string "speakersafetyd")
> "The group to run the Speaker Safety Daemon as.")
> + (log-file
> + (string "/var/log/speakersafetyd.log")
> + "The path to the Speaker Safety Daemon log file.")
The convention in GNU is to use 'path' only for search paths; the
preferred term for file names is 'file name'.
> (maximum-gain-reduction
> (integer 7)
> "Maximum gain reduction before panicking, useful for debugging.")
> @@ -305,7 +308,7 @@ (define-configuration/no-serialization speakersafetyd-configuration
>
> (define speakersafetyd-accounts
> (match-record-lambda <speakersafetyd-configuration>
> - ( blackbox-directory configuration-directory group
> + ( blackbox-directory configuration-directory group log-file
> maximum-gain-reduction speakersafetyd user)
> (list (user-group
> (name group)
> @@ -320,7 +323,7 @@ (define speakersafetyd-accounts
>
> (define speakersafetyd-activation
> (match-record-lambda <speakersafetyd-configuration>
> - ( blackbox-directory configuration-directory group
> + ( blackbox-directory configuration-directory group log-file
> maximum-gain-reduction speakersafetyd user)
> (with-imported-modules (source-module-closure '((gnu build activation)))
> #~(begin
> @@ -334,7 +337,7 @@ (define speakersafetyd-activation
>
> (define speakersafetyd-shepherd-service
> (match-record-lambda <speakersafetyd-configuration>
> - ( blackbox-directory configuration-directory group
> + ( blackbox-directory configuration-directory group log-file
> maximum-gain-reduction speakersafetyd user)
As mentioned earlier, make sure to expose only the fields needed in the
above match-record-lambda forms.
> (shepherd-service
> (documentation "Run the speaker safety daemon")
> @@ -346,6 +349,7 @@ (define speakersafetyd-shepherd-service
> "--blackbox-path" #$blackbox-directory
> "--max-reduction" (number->string #$maximum-gain-reduction))
> #:group #$group
> + #:log-file #$log-file
> #:supplementary-groups '("audio")
> #:user #$user))
> (stop #~(make-kill-destructor)))))
Otherwise, LGTM!
Could you send a hopefully final v3?
--
Thanks,
Maxim
divya <at> subvertising.org, efraim <at> flashner.co.il, hako <at> ultrarare.space, steve <at> futurile.net, guix-patches <at> gnu.org:bug#77383; Package guix-patches.
(Wed, 09 Apr 2025 17:27:02 GMT) Full text and rfc822 format available.Message #38 received at 77383 <at> debbugs.gnu.org (full text, mbox):
From: Roman Scherer <roman <at> burningswell.com> To: 77383 <at> debbugs.gnu.org Cc: Roman Scherer <roman <at> burningswell.com> Subject: [PATCH v3 1/3] gnu: speakersafetyd: Update to 1.1.2. Date: Wed, 9 Apr 2025 19:26:09 +0200
* gnu/packages/rust-apps.scm (speakersafetyd): Update to 1.1.2.
Change-Id: I1c6d7b6080b18bd8228e8b39d1a0b42267e2b7e1
---
gnu/packages/rust-apps.scm | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
diff --git a/gnu/packages/rust-apps.scm b/gnu/packages/rust-apps.scm
index 2f933d836c..4d9430e5da 100644
--- a/gnu/packages/rust-apps.scm
+++ b/gnu/packages/rust-apps.scm
@@ -3211,14 +3211,14 @@ (define-public sniffglue
(define-public speakersafetyd
(package
(name "speakersafetyd")
- (version "1.0.2")
+ (version "1.1.2")
(source
(origin
(method url-fetch)
(uri (crate-uri "speakersafetyd" version))
(file-name (string-append name "-" version ".tar.gz"))
(sha256
- (base32 "104xgyqhsg2rxa3ndkizrpndibmcbr25h63phcjswadbm8i790bz"))))
+ (base32 "1c4yk8mq8nazshdcasimlgnyhx27wzkad4wzicy5x43grq26b966"))))
(build-system cargo-build-system)
(arguments
(list
@@ -3243,15 +3243,13 @@ (define-public speakersafetyd
(lambda _
(substitute* "95-speakersafetyd.rules"
((".*SYSTEMD_WANTS.*") ""))))
- (add-after 'install 'install-data
+ (add-before 'install 'prepare-to-install
(lambda _
- (setenv "BINDIR" (string-append #$output "/bin"))
- (setenv "UNITDIR" (string-append #$output "/lib/systemd/system"))
- (setenv "UDEVDIR" (string-append #$output "/lib/udev/rules.d"))
- (setenv "TMPFILESDIR" (string-append #$output "/usr/lib/tmpfiles.d"))
- (setenv "SHAREDIR" (string-append #$output "/share"))
- (setenv "VARDIR" (string-append #$output "/var"))
- (invoke "make" "install-data"))))))
+ (setenv "DESTDIR" #$output)
+ (setenv "SHAREDIR" "/share")
+ (setenv "SPEAKERSAFETYD_GROUP" "nixbld")
+ (setenv "SPEAKERSAFETYD_USER" "nixbld")
+ (invoke "make" "install"))))))
(inputs (list alsa-lib))
(native-inputs (list pkg-config))
(home-page "https://github.com/AsahiLinux/speakersafetyd/")
base-commit: f0c0769189d11debf7b237a02695c44c9773d52a
--
2.49.0
ludo <at> gnu.org, maxim.cournoyer <at> gmail.com, guix-patches <at> gnu.org:bug#77383; Package guix-patches.
(Wed, 09 Apr 2025 17:27:03 GMT) Full text and rfc822 format available.Message #41 received at 77383 <at> debbugs.gnu.org (full text, mbox):
From: Roman Scherer <roman <at> burningswell.com> To: 77383 <at> debbugs.gnu.org Cc: Roman Scherer <roman <at> burningswell.com> Subject: [PATCH v3 2/3] gnu: speakersafetyd: Run as unprivileged user. Date: Wed, 9 Apr 2025 19:26:10 +0200
* gnu/services/sound.scm (speakersafetyd): Run as unprivileged user.
Change-Id: I870bc7bfd69249da3a9c981f627e751395386bd2
---
doc/guix.texi | 6 +++++
gnu/services/sound.scm | 51 ++++++++++++++++++++++++++++++++++++++----
2 files changed, 53 insertions(+), 4 deletions(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index bee80cd4e2..6acbf1ba55 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -27267,12 +27267,18 @@ Sound Services
The base directory as a G-expression (@pxref{G-Expressions}) that
contains the configuration files of the speaker models.
+@item @code{group} (default: @code{"speakersafetyd"}) (type: string)
+The group to run the Speaker Safety Daemon as.
+
@item @code{maximum-gain-reduction} (default: @code{7}) (type: integer)
Maximum gain reduction before panicking, useful for debugging.
@item @code{speakersafetyd} (default: @code{speakersafetyd}) (type: file-like)
The Speaker Safety Daemon package to use.
+@item @code{user} (default: @code{"speakersafetyd"}) (type: string)
+The user to run the Speaker Safety Daemon as.
+
@end table
@end deftp
@c %end of fragment
diff --git a/gnu/services/sound.scm b/gnu/services/sound.scm
index fbaa55c553..0558d4fce8 100644
--- a/gnu/services/sound.scm
+++ b/gnu/services/sound.scm
@@ -29,10 +29,12 @@ (define-module (gnu services sound)
#:use-module (gnu system shadow)
#:use-module (guix diagnostics)
#:use-module (guix gexp)
+ #:use-module (guix modules)
#:use-module (guix packages)
#:use-module (guix records)
#:use-module (guix store)
#:use-module (guix ui)
+ #:use-module (gnu packages admin)
#:use-module (gnu packages audio)
#:use-module (gnu packages linux)
#:use-module (gnu packages pulseaudio)
@@ -288,16 +290,50 @@ (define-configuration/no-serialization speakersafetyd-configuration
(file-like (file-append speakersafetyd "/share/speakersafetyd"))
"The base directory as a G-expression (@pxref{G-Expressions}) that contains
the configuration files of the speaker models.")
+ (group
+ (string "speakersafetyd")
+ "The group to run the Speaker Safety Daemon as.")
(maximum-gain-reduction
(integer 7)
"Maximum gain reduction before panicking, useful for debugging.")
(speakersafetyd
(file-like speakersafetyd)
- "The Speaker Safety Daemon package to use."))
+ "The Speaker Safety Daemon package to use.")
+ (user
+ (string "speakersafetyd")
+ "The user to run the Speaker Safety Daemon as."))
+
+(define speakersafetyd-accounts
+ (match-record-lambda <speakersafetyd-configuration>
+ (group user)
+ (list (user-group
+ (name group)
+ (system? #t))
+ (user-account
+ (name user)
+ (group group)
+ (system? #t)
+ (home-directory "/var/empty")
+ (shell (file-append shadow "/sbin/nologin"))
+ (supplementary-groups '("audio"))))))
+
+(define speakersafetyd-activation
+ (match-record-lambda <speakersafetyd-configuration>
+ (blackbox-directory group user)
+ (with-imported-modules (source-module-closure '((gnu build activation)))
+ #~(begin
+ (use-modules (gnu build activation))
+ (let ((user (getpwnam #$user)))
+ (mkdir-p/perms "/run/speakersafetyd" user #o755)
+ (mkdir-p/perms "/var/lib/speakersafetyd" user #o755)
+ ;; Blackbox files contain audio recordings and might be sensitive
+ ;; information
+ (mkdir-p/perms #$blackbox-directory user #o700))))))
(define speakersafetyd-shepherd-service
(match-record-lambda <speakersafetyd-configuration>
- (blackbox-directory configuration-directory maximum-gain-reduction speakersafetyd)
+ ( blackbox-directory configuration-directory group
+ maximum-gain-reduction speakersafetyd user)
(shepherd-service
(documentation "Run the speaker safety daemon")
(provision '(speakersafetyd))
@@ -306,7 +342,10 @@ (define speakersafetyd-shepherd-service
(list #$(file-append speakersafetyd "/bin/speakersafetyd")
"--config-path" #$configuration-directory
"--blackbox-path" #$blackbox-directory
- "--max-reduction" (number->string #$maximum-gain-reduction))))
+ "--max-reduction" (number->string #$maximum-gain-reduction))
+ #:group #$group
+ #:supplementary-groups '("audio")
+ #:user #$user))
(stop #~(make-kill-destructor)))))
(define speakersafetyd-service-type
@@ -324,7 +363,11 @@ (define speakersafetyd-service-type
(compose list speakersafetyd-configuration-speakersafetyd))
(service-extension
profile-service-type
- (compose list speakersafetyd-configuration-speakersafetyd))))
+ (compose list speakersafetyd-configuration-speakersafetyd))
+ (service-extension account-service-type
+ speakersafetyd-accounts)
+ (service-extension activation-service-type
+ speakersafetyd-activation)))
(default-value (speakersafetyd-configuration))))
;;; sound.scm ends here
--
2.49.0
ludo <at> gnu.org, maxim.cournoyer <at> gmail.com, guix-patches <at> gnu.org:bug#77383; Package guix-patches.
(Wed, 09 Apr 2025 17:27:03 GMT) Full text and rfc822 format available.Message #44 received at 77383 <at> debbugs.gnu.org (full text, mbox):
From: Roman Scherer <roman <at> burningswell.com> To: 77383 <at> debbugs.gnu.org Cc: Roman Scherer <roman <at> burningswell.com> Subject: [PATCH v3 3/3] gnu: speakersafetyd: Add log file. Date: Wed, 9 Apr 2025 19:26:11 +0200
* gnu/services/sound.scm (speakersafetyd): Add log file.
Change-Id: I870bc7bfd69249da3a9c981f627e751395386bd2
---
doc/guix.texi | 3 +++
gnu/services/sound.scm | 6 +++++-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/doc/guix.texi b/doc/guix.texi
index 6acbf1ba55..60a82081d4 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -27270,6 +27270,9 @@ Sound Services
@item @code{group} (default: @code{"speakersafetyd"}) (type: string)
The group to run the Speaker Safety Daemon as.
+@item @code{log-file} (default: @code{"/var/log/speakersafetyd.log"}) (type: string)
+The file name to the Speaker Safety Daemon log file.
+
@item @code{maximum-gain-reduction} (default: @code{7}) (type: integer)
Maximum gain reduction before panicking, useful for debugging.
diff --git a/gnu/services/sound.scm b/gnu/services/sound.scm
index 0558d4fce8..23f92f6bee 100644
--- a/gnu/services/sound.scm
+++ b/gnu/services/sound.scm
@@ -293,6 +293,9 @@ (define-configuration/no-serialization speakersafetyd-configuration
(group
(string "speakersafetyd")
"The group to run the Speaker Safety Daemon as.")
+ (log-file
+ (string "/var/log/speakersafetyd.log")
+ "The file name to the Speaker Safety Daemon log file.")
(maximum-gain-reduction
(integer 7)
"Maximum gain reduction before panicking, useful for debugging.")
@@ -332,7 +335,7 @@ (define speakersafetyd-activation
(define speakersafetyd-shepherd-service
(match-record-lambda <speakersafetyd-configuration>
- ( blackbox-directory configuration-directory group
+ ( blackbox-directory configuration-directory group log-file
maximum-gain-reduction speakersafetyd user)
(shepherd-service
(documentation "Run the speaker safety daemon")
@@ -344,6 +347,7 @@ (define speakersafetyd-shepherd-service
"--blackbox-path" #$blackbox-directory
"--max-reduction" (number->string #$maximum-gain-reduction))
#:group #$group
+ #:log-file #$log-file
#:supplementary-groups '("audio")
#:user #$user))
(stop #~(make-kill-destructor)))))
--
2.49.0
guix-patches <at> gnu.org:bug#77383; Package guix-patches.
(Wed, 09 Apr 2025 17:31:01 GMT) Full text and rfc822 format available.Message #47 received at 77383 <at> debbugs.gnu.org (full text, mbox):
From: Roman Scherer <roman <at> burningswell.com> To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> Cc: 77383 <at> debbugs.gnu.org, Roman Scherer <roman <at> burningswell.com>, Ludovic Courtès <ludo <at> gnu.org> Subject: Re: [bug#77383] [PATCH v2 3/3] gnu: speakersafetyd: Add log file. Date: Wed, 09 Apr 2025 19:30:02 +0200
[Message part 1 (text/plain, inline)]
Hi Maxim,
I just sent a v3 of the patch series.
Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:
> Hi,
>
> Roman Scherer <roman <at> burningswell.com> writes:
>
>> * gnu/services/sound.scm (speakersafetyd): Add log file.
>> * doc/guix.texi: Document log-file field.
>>
>> Change-Id: I870bc7bfd69249da3a9c981f627e751395386bd2
>> ---
>> doc/guix.texi | 3 +++
>> gnu/services/sound.scm | 10 +++++++---
>> 2 files changed, 10 insertions(+), 3 deletions(-)
>>
>> diff --git a/doc/guix.texi b/doc/guix.texi
>> index a0f2a83c36..9a6084e994 100644
>> --- a/doc/guix.texi
>> +++ b/doc/guix.texi
>> @@ -27271,6 +27271,9 @@ Sound Services
>> @item @code{group} (default: @code{"speakersafetyd"}) (type: string)
>> The group to run the Speaker Safety Daemon as.
>>
>> +@item @code{log-file} (default: @code{"/var/log/speakersafetyd.log"}) (type: string)
>> +The path to the Speaker Safety Daemon log file.
>> +
>> @item @code{maximum-gain-reduction} (default: @code{7}) (type: integer)
>> Maximum gain reduction before panicking, useful for debugging.
>>
>> diff --git a/gnu/services/sound.scm b/gnu/services/sound.scm
>> index e5c26e2495..39b5d043a3 100644
>> --- a/gnu/services/sound.scm
>> +++ b/gnu/services/sound.scm
>> @@ -293,6 +293,9 @@ (define-configuration/no-serialization speakersafetyd-configuration
>> (group
>> (string "speakersafetyd")
>> "The group to run the Speaker Safety Daemon as.")
>> + (log-file
>> + (string "/var/log/speakersafetyd.log")
>> + "The path to the Speaker Safety Daemon log file.")
>
> The convention in GNU is to use 'path' only for search paths; the
> preferred term for file names is 'file name'.
>
I changed it.
>> (maximum-gain-reduction
>> (integer 7)
>> "Maximum gain reduction before panicking, useful for debugging.")
>> @@ -305,7 +308,7 @@ (define-configuration/no-serialization speakersafetyd-configuration
>>
>> (define speakersafetyd-accounts
>> (match-record-lambda <speakersafetyd-configuration>
>> - ( blackbox-directory configuration-directory group
>> + ( blackbox-directory configuration-directory group log-file
>> maximum-gain-reduction speakersafetyd user)
>> (list (user-group
>> (name group)
>> @@ -320,7 +323,7 @@ (define speakersafetyd-accounts
>>
>> (define speakersafetyd-activation
>> (match-record-lambda <speakersafetyd-configuration>
>> - ( blackbox-directory configuration-directory group
>> + ( blackbox-directory configuration-directory group log-file
>> maximum-gain-reduction speakersafetyd user)
>> (with-imported-modules (source-module-closure '((gnu build activation)))
>> #~(begin
>> @@ -334,7 +337,7 @@ (define speakersafetyd-activation
>>
>> (define speakersafetyd-shepherd-service
>> (match-record-lambda <speakersafetyd-configuration>
>> - ( blackbox-directory configuration-directory group
>> + ( blackbox-directory configuration-directory group log-file
>> maximum-gain-reduction speakersafetyd user)
>
> As mentioned earlier, make sure to expose only the fields needed in the
> above match-record-lambda forms.
>
Nice! I somehow thought I had to list all of them, and even in the right
order :)
>> (shepherd-service
>> (documentation "Run the speaker safety daemon")
>> @@ -346,6 +349,7 @@ (define speakersafetyd-shepherd-service
>> "--blackbox-path" #$blackbox-directory
>> "--max-reduction" (number->string #$maximum-gain-reduction))
>> #:group #$group
>> + #:log-file #$log-file
>> #:supplementary-groups '("audio")
>> #:user #$user))
>> (stop #~(make-kill-destructor)))))
>
> Otherwise, LGTM!
>
> Could you send a hopefully final v3?
Thanks for your review. Could you have another look?
Roman.
[signature.asc (application/pgp-signature, inline)]
guix-patches <at> gnu.org:bug#77383; Package guix-patches.
(Wed, 09 Apr 2025 17:32:02 GMT) Full text and rfc822 format available.Message #50 received at 77383 <at> debbugs.gnu.org (full text, mbox):
From: Roman Scherer <roman <at> burningswell.com> To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> Cc: 77383 <at> debbugs.gnu.org, Roman Scherer <roman <at> burningswell.com>, Ludovic Courtès <ludo <at> gnu.org> Subject: Re: [bug#77383] [PATCH v2 2/3] gnu: speakersafetyd: Run as unprivileged user. Date: Wed, 09 Apr 2025 19:31:06 +0200
[Message part 1 (text/plain, inline)]
References: <92c75e4d057966fdf586b34e34d8b43a7361e006.1743695029.git.roman <at> burningswell.com>
<2788a4ea937715053ca7210a52ed0be3976fd0b6.1743695029.git.roman <at> burningswell.com>
<87h62zz9hs.fsf <at> gmail.com>
User-Agent: mu4e 1.12.9; emacs 29.4
Hi Maxim,
Date: Wed, 09 Apr 2025 19:31:06 +0200
Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes:
> Hi,
>
> Roman Scherer <roman <at> burningswell.com> writes:
>
>> * gnu/services/sound.scm (speakersafetyd): Run as unprivileged user.
>> * doc/guix.texi: Document user and group fields.
>>
>> Change-Id: I870bc7bfd69249da3a9c981f627e751395386bd2
>
> [...]
>
>> +(define speakersafetyd-accounts
>> + (match-record-lambda <speakersafetyd-configuration>
>> + ( blackbox-directory configuration-directory group
>> + maximum-gain-reduction speakersafetyd user)
>
> You don't need to list all the fields when using match-record, and I
> assume match-record-lambda as well. Here only `group' and `user'
> appears useful.
>
>> + (list (user-group
>> + (name group)
>> + (system? #t))
>> + (user-account
>> + (name user)
>> + (group group)
>> + (system? #t)
>> + (home-directory "/var/empty")
>> + (shell (file-append shadow "/sbin/nologin"))
>> + (supplementary-groups '("audio"))))))
>> +
>> +(define speakersafetyd-activation
>> + (match-record-lambda <speakersafetyd-configuration>
>> + ( blackbox-directory configuration-directory group
>> + maximum-gain-reduction speakersafetyd user)
>
> Likewise.
>
>> + (with-imported-modules (source-module-closure '((gnu build activation)))
>> + #~(begin
>> + (use-modules (gnu build activation))
>> + (let ((user (getpwnam #$user)))
>> + (mkdir-p/perms "/run/speakersafetyd" user #o755)
>> + (mkdir-p/perms "/var/lib/speakersafetyd" user #o755)
>> + ;; Blackbox files contain audio recordings and might be sensitive
>> + ;; information
>> + (mkdir-p/perms #$blackbox-directory user #o700))))))
>>
>> (define speakersafetyd-shepherd-service
>> (match-record-lambda <speakersafetyd-configuration>
>> - (blackbox-directory configuration-directory maximum-gain-reduction speakersafetyd)
>> + ( blackbox-directory configuration-directory group
>> + maximum-gain-reduction speakersafetyd user)
>> (shepherd-service
>> (documentation "Run the speaker safety daemon")
>> (provision '(speakersafetyd))
>> @@ -306,7 +344,10 @@ (define speakersafetyd-shepherd-service
>> (list #$(file-append speakersafetyd "/bin/speakersafetyd")
>> "--config-path" #$configuration-directory
>> "--blackbox-path" #$blackbox-directory
>> - "--max-reduction" (number->string #$maximum-gain-reduction))))
>> + "--max-reduction" (number->string #$maximum-gain-reduction))
>> + #:group #$group
>> + #:supplementary-groups '("audio")
>> + #:user #$user))
>> (stop #~(make-kill-destructor)))))
>
> Not for a future improvement: we also have a least-authority-wrapper
> defined in (guix least-authority) that can wrap a binary to have it run
> in a Linux container, to further sandbox the process.
Interesting. Didn't know that module. I will take a look.
[signature.asc (application/pgp-signature, inline)]
Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:Roman Scherer <roman <at> burningswell.com>:Message #55 received at 77383-done <at> debbugs.gnu.org (full text, mbox):
From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> To: Roman Scherer <roman <at> burningswell.com> Cc: Ludovic Courtès <ludo <at> gnu.org>, 77383-done <at> debbugs.gnu.org Subject: Re: [bug#77383] [PATCH v3 2/3] gnu: speakersafetyd: Run as unprivileged user. Date: Mon, 14 Apr 2025 15:47:12 +0900
Hi Roman, Roman Scherer <roman <at> burningswell.com> writes: > * gnu/services/sound.scm (speakersafetyd): Run as unprivileged user. I've pushed this series, expounding the GNU ChangeLog commit messages for completeness. See 01a66639efe and the subsequent commit for the commit message additions. In Magit (emacs-magit), pressing 'C' in each hunk symbol/thing to document helps automate some of it. -- Thanks, Maxim
guix-patches <at> gnu.org:bug#77383; Package guix-patches.
(Mon, 14 Apr 2025 07:32:02 GMT) Full text and rfc822 format available.Message #58 received at 77383-done <at> debbugs.gnu.org (full text, mbox):
From: Roman Scherer <roman <at> burningswell.com> To: Maxim Cournoyer <maxim.cournoyer <at> gmail.com> Cc: Roman Scherer <roman <at> burningswell.com>, 77383-done <at> debbugs.gnu.org, Ludovic Courtès <ludo <at> gnu.org> Subject: Re: [bug#77383] [PATCH v3 2/3] gnu: speakersafetyd: Run as unprivileged user. Date: Mon, 14 Apr 2025 09:30:54 +0200
[Message part 1 (text/plain, inline)]
References: <58e6296eb44b3e82e5d6367ae85b681463a38613.1744217514.git.roman <at> burningswell.com> <140f135aa4f94ad69765f7c2a7b38684342ca382.1744217514.git.roman <at> burningswell.com> <87cydfutn3.fsf <at> gmail.com> User-Agent: mu4e 1.12.9; emacs 29.4 Hi Maxim, thanks for your help on this. I will give your magit suggestion a try next time. I didn't know about that trick. Thanks Roman. Date: Mon, 14 Apr 2025 09:30:54 +0200 Maxim Cournoyer <maxim.cournoyer <at> gmail.com> writes: > Hi Roman, > > Roman Scherer <roman <at> burningswell.com> writes: > >> * gnu/services/sound.scm (speakersafetyd): Run as unprivileged user. > > I've pushed this series, expounding the GNU ChangeLog commit messages > for completeness. See 01a66639efe and the subsequent commit for the > commit message additions. In Magit (emacs-magit), pressing 'C' in each > hunk symbol/thing to document helps automate some of it.
[signature.asc (application/pgp-signature, inline)]
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.