From: bug#77383 <77383@debbugs.gnu.org>
To: bug#77383 <77383@debbugs.gnu.org>
Subject: Status: [PATCH 0/2] Run speakersafetyd as unprivileged user
Date: Thu, 19 Jun 2025 06:04:50 +0000

retitle 77383 [PATCH 0/2] Run speakersafetyd as unprivileged user
reassign 77383 guix-patches
submitter 77383 Roman Scherer
severity 77383 normal
tag 77383 patch
thanks

From: Roman Scherer
To: guix-patches@gnu.org
Subject: [PATCH 0/2] Run speakersafetyd as unprivileged user
Date: Sun, 30 Mar 2025 14:24:22 +0200

Hello Guix,

this patch series updates the speakersafetyd package and its system service to run as an unprivileged user instead of root. Upstream made this possible recently [1].

Could you please review the patch series?

Thank you!

[1] https://github.com/AsahiLinux/speakersafetyd/issues/23

Roman Scherer (2):
  gnu: speakersafetyd: Update to 1.1.2.
  gnu: speakersafetyd: Run as unprivileged user.

 doc/guix.texi              |  9 ++++++
 gnu/packages/rust-apps.scm | 16 +++++------
 gnu/services/sound.scm     | 57 +++++++++++++++++++++++++++++++++++---
 3 files changed, 69 insertions(+), 13 deletions(-)

base-commit: 2ed28b5c24c599b2f9bc60dfc93151cf489ca477
-- 
2.49.0

From: Roman Scherer
To: 77383@debbugs.gnu.org
Subject: [PATCH 1/2] gnu: speakersafetyd: Update to 1.1.2.
Date: Sun, 30 Mar 2025 14:26:55 +0200
Message-ID: <92c75e4d057966fdf586b34e34d8b43a7361e006.1743337065.git.roman@burningswell.com>

* gnu/packages/rust-apps.scm (speakersafetyd): Update to 1.1.2.

Change-Id: I1c6d7b6080b18bd8228e8b39d1a0b42267e2b7e1
---
 gnu/packages/rust-apps.scm | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/gnu/packages/rust-apps.scm b/gnu/packages/rust-apps.scm index 2f933d836c..1211ccb0c4 100644 --- a/gnu/packages/rust-apps.scm +++ b/gnu/packages/rust-apps.scm @@ -3211,14 +3211,14 @@ (define-public sniffglue (define-public speakersafetyd (package (name "speakersafetyd") - (version "1.0.2") + (version "1.1.2") (source (origin (method url-fetch) (uri (crate-uri "speakersafetyd" version)) (file-name (string-append name "-" version ".tar.gz")) (sha256 - (base32 "104xgyqhsg2rxa3ndkizrpndibmcbr25h63phcjswadbm8i790bz")))) + (base32 "1c4yk8mq8nazshdcasimlgnyhx27wzkad4wzicy5x43grq26b966")))) (build-system cargo-build-system) (arguments (list
@@ -3245,13 +3245,11 @@ (define-public speakersafetyd ((".*SYSTEMD_WANTS.*") "")))) (add-after 'install 'install-data (lambda _ - (setenv "BINDIR" (string-append #$output "/bin")) - (setenv "UNITDIR" (string-append #$output "/lib/systemd/system")) - (setenv "UDEVDIR" (string-append #$output "/lib/udev/rules.d")) - (setenv "TMPFILESDIR" (string-append #$output "/usr/lib/tmpfiles.d")) - (setenv "SHAREDIR" (string-append #$output "/share")) - (setenv "VARDIR" (string-append #$output "/var")) - (invoke "make" "install-data")))))) + (setenv "DESTDIR" #$output) + (setenv "SHAREDIR" "/share") + (setenv "SPEAKERSAFETYD_GROUP" "nixbld") + (setenv "SPEAKERSAFETYD_USER" "nixbld") + (invoke "make" "install")))))) (inputs (list alsa-lib)) (native-inputs (list pkg-config)) (home-page "https://github.com/AsahiLinux/speakersafetyd/")
-- 
2.49.0

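Review bot: The install-data phase now hard-codes SPEAKERSAFETYD_GROUP and SPEAKERSAFETYD_USER to "nixbld" with no comment, and it runs the full "make install" target while the phase is still named install-data. Please add a comment on why that user and group name is needed at build time, and check that everything formerly steered through BINDIR, UNITDIR, UDEVDIR, TMPFILESDIR and VARDIR still lands under #$output now that only DESTDIR and SHAREDIR are set. The commit message mentions only the version update; it should also record this change to the phase.
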
From: Roman Scherer
To: 77383@debbugs.gnu.org
Subject: [PATCH 2/2] gnu: speakersafetyd: Run as unprivileged user.
Date: Sun, 30 Mar 2025 14:26:56 +0200

* gnu/services/sound.scm (speakersafetyd): Run as unprivileged user.

Change-Id: I870bc7bfd69249da3a9c981f627e751395386bd2
---
 doc/guix.texi          |  9 +++++++
 gnu/services/sound.scm | 57 +++++++++++++++++++++++++++++++++++++++---
 2 files changed, 62 insertions(+), 4 deletions(-)

diff --git a/doc/guix.texi b/doc/guix.texi index f6d774fd13..9a6084e994 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -27268,12 +27268,21 @@ Sound Services The base directory as a G-expression (@pxref{G-Expressions}) that contains the configuration files of the speaker models. +@item @code{group} (default: @code{"speakersafetyd"}) (type: string) +The group to run the Speaker Safety Daemon as. + +@item @code{log-file} (default: @code{"/var/log/speakersafetyd.log"}) (type: string) +The path to the Speaker Safety Daemon log file. + @item @code{maximum-gain-reduction} (default: @code{7}) (type: integer) Maximum gain reduction before panicking, useful for debugging. @item @code{speakersafetyd} (default: @code{speakersafetyd}) (type: file-like) The Speaker Safety Daemon package to use. +@item @code{user} (default: @code{"speakersafetyd"}) (type: string) +The user to run the Speaker Safety Daemon as. + @end table @end deftp @c %end of fragment
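Review bot: The new group and user entries in the Sound Services table state only the identity the daemon runs as; they do not say that the service declares this group and account itself, or that the account is also added to the "audio" supplementary group, as the sound.scm part of this patch does. A sentence on each would tell an administrator who overrides the defaults what the service will create.
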
diff --git a/gnu/services/sound.scm b/gnu/services/sound.scm index fbaa55c553..ac87551a18 100644 --- a/gnu/services/sound.scm +++ b/gnu/services/sound.scm @@ -29,10 +29,12 @@ (define-module (gnu services sound) #:use-module (gnu system shadow) #:use-module (guix diagnostics) #:use-module (guix gexp) + #:use-module (guix modules) #:use-module (guix packages) #:use-module (guix records) #:use-module (guix store) #:use-module (guix ui) + #:use-module (gnu packages admin) #:use-module (gnu packages audio) #:use-module (gnu packages linux) #:use-module (gnu packages pulseaudio) 
@@ -288,16 +290,53 @@ (define-configuration/no-serialization speakersafetyd-configuration (file-like (file-append speakersafetyd "/share/speakersafetyd")) "The base directory as a G-expression (@pxref{G-Expressions}) that contains the configuration files of the speaker models.") + (group + (string "speakersafetyd") + "The group to run the Speaker Safety Daemon as.") + (log-file + (string "/var/log/speakersafetyd.log") + "The path to the Speaker Safety Daemon log file.") (maximum-gain-reduction (integer 7) "Maximum gain reduction before panicking, useful for debugging.") (speakersafetyd (file-like speakersafetyd) - "The Speaker Safety Daemon package to use.")) + "The Speaker Safety Daemon package to use.") + (user + (string "speakersafetyd") + "The user to run the Speaker Safety Daemon as.")) + +(define speakersafetyd-accounts + (match-record-lambda + (blackbox-directory configuration-directory group log-file maximum-gain-reduction speakersafetyd user) + (list (user-group + (name group) + (system? #t)) + (user-account + (name user) + (group group) + (system? 
#t) + (home-directory "/var/empty") + (shell (file-append shadow "/sbin/nologin")) + (supplementary-groups '("audio")))))) + +(define speakersafetyd-activation + (match-record-lambda + (blackbox-directory configuration-directory group log-file maximum-gain-reduction speakersafetyd user) + (with-imported-modules (source-module-closure + '((gnu build activation) + (guix build utils))) + #~(begin + (use-modules (gnu build activation)) + (let ((user (getpwnam #$user))) + (mkdir-p/perms "/run/speakersafetyd" user #o755) + (mkdir-p/perms "/var/lib/speakersafetyd" user #o755) + ;; Blackbox files contain audio recordings and might be sensitive information + (mkdir-p/perms #$blackbox-directory user #o700)))))) (define speakersafetyd-shepherd-service (match-record-lambda - (blackbox-directory configuration-directory maximum-gain-reduction speakersafetyd) + (blackbox-directory configuration-directory group log-file maximum-gain-reduction speakersafetyd user) (shepherd-service (documentation "Run the speaker safety daemon") (provision '(speakersafetyd)) @@ -306,7 +345,11 @@ (define speakersafetyd-shepherd-service (list #$(file-append speakersafetyd "/bin/speakersafetyd") "--config-path" #$configuration-directory "--blackbox-path" #$blackbox-directory - "--max-reduction" (number->string #$maximum-gain-reduction)))) + "--max-reduction" (number->string #$maximum-gain-reduction)) + #:group #$group + #:log-file #$log-file + #:supplementary-groups '("audio") + #:user #$user)) (stop #~(make-kill-destructor))))) (define speakersafetyd-service-type 
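Review bot: In speakersafetyd-activation, mkdir-p/perms is applied only to the three directories themselves, so on a machine where the daemon ran as root before this change, files already present in "/var/lib/speakersafetyd" or in the blackbox directory keep their old owner and the unprivileged daemon may not be able to read or rewrite them. Consider handling existing contents during activation, or documenting the manual step. Separately, the "audio" supplementary group is spelled out in both speakersafetyd-accounts and the #:supplementary-groups argument of the shepherd service while user and group are configurable; a single definition would keep the two from drifting apart.
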
@@ -324,7 +367,13 @@ (define speakersafetyd-service-type (compose list speakersafetyd-configuration-speakersafetyd)) (service-extension profile-service-type - (compose list speakersafetyd-configuration-speakersafetyd)))) + (compose list speakersafetyd-configuration-speakersafetyd)) + (service-extension + account-service-type + speakersafetyd-accounts) + (service-extension + activation-service-type + speakersafetyd-activation))) (default-value (speakersafetyd-configuration)))) ;;; sound.scm ends here
-- 
2.49.0

From: Maxim Cournoyer
To: Roman Scherer
Cc: 77383@debbugs.gnu.org, Ludovic Courtès
Subject: Re: [bug#77383] [PATCH 2/2] gnu: speakersafetyd: Run as unprivileged user.
Date: Thu, 03 Apr 2025 19:43:23 +0900
Message-ID: <87sempzfsk.fsf@gmail.com>

Hi,

Roman Scherer writes:

> * gnu/services/sound.scm (speakersafetyd): Run as unprivileged user.

Sounds good, perhaps also mention it adds a log file (is this related to this change?).

[...]

> +(define speakersafetyd-accounts > + (match-record-lambda > + (blackbox-directory configuration-directory group log-file maximum-gain-reduction speakersafetyd user)

Please break this and next long lines into something that fits < 80 characters. You can use the Emacs indentation hack to do so and leave a space after the opening parens to ensure it gets indented as data and not a procedure:

( blackbox-directory configuration-directory ... speakersafetyd user)

> + (list (user-group > + (name group) > + (system? #t)) > + (user-account > + (name user) > + (group group) > + (system? #t) > + (home-directory "/var/empty") > + (shell (file-append shadow "/sbin/nologin")) > + (supplementary-groups '("audio")))))) > + > +(define speakersafetyd-activation > + (match-record-lambda > + (blackbox-directory configuration-directory group log-file maximum-gain-reduction speakersafetyd user)

Line width > 80 columns.

> + (with-imported-modules (source-module-closure > + '((gnu build activation) > + (guix build utils)))

Looks like you only use (gnu build activation), not (guix build utils) in the below snippet.

> + #~(begin > + (use-modules (gnu build activation)) > + (let ((user (getpwnam #$user))) > + (mkdir-p/perms "/run/speakersafetyd" user #o755) > + (mkdir-p/perms "/var/lib/speakersafetyd" user #o755) > + ;; Blackbox files contain audio recordings and might be sensitive information > + (mkdir-p/perms #$blackbox-directory user #o700)))))) > > (define speakersafetyd-shepherd-service > (match-record-lambda > - (blackbox-directory configuration-directory maximum-gain-reduction speakersafetyd) > + (blackbox-directory configuration-directory group log-file maximum-gain-reduction speakersafetyd user)

Line width > 80 columns.

> (shepherd-service > (documentation "Run the speaker safety daemon") > (provision '(speakersafetyd)) > @@ -306,7 +345,11 @@ (define speakersafetyd-shepherd-service > (list #$(file-append speakersafetyd "/bin/speakersafetyd") > "--config-path" #$configuration-directory > "--blackbox-path" #$blackbox-directory > - "--max-reduction" (number->string #$maximum-gain-reduction)))) > + "--max-reduction" (number->string #$maximum-gain-reduction)) > + #:group #$group > + #:log-file #$log-file > + #:supplementary-groups '("audio") > + #:user #$user)) > (stop #~(make-kill-destructor))))) > > (define speakersafetyd-service-type
> @@ -324,7 +367,13 @@ (define speakersafetyd-service-type > (compose list speakersafetyd-configuration-speakersafetyd)) > (service-extension > profile-service-type > - (compose list speakersafetyd-configuration-speakersafetyd)))) > + (compose list speakersafetyd-configuration-speakersafetyd)) > + (service-extension > + account-service-type > + speakersafetyd-accounts) > + (service-extension > + activation-service-type > + speakersafetyd-activation)))

nitpick but I like to put at least one argument on the same line unless respecting the 80 columns max width is challenging, as in:

--8<---------------cut here---------------start------------->8---
(service-extension account-service-type speakersafetyd-accounts)
--8<---------------cut here---------------end--------------->8---

etc.

Other than these tiny details, it LGTM. Could you please send a v2?

-- 
Thanks,
Maxim

From: Roman Scherer
To: 77383@debbugs.gnu.org
Subject: [PATCH v2 1/3] gnu: speakersafetyd: Update to 1.1.2.
Date: Thu, 3 Apr 2025 17:44:31 +0200
Message-ID: <92c75e4d057966fdf586b34e34d8b43a7361e006.1743695029.git.roman@burningswell.com>

* gnu/packages/rust-apps.scm (speakersafetyd): Update to 1.1.2.

Change-Id: I1c6d7b6080b18bd8228e8b39d1a0b42267e2b7e1
---
 gnu/packages/rust-apps.scm | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/gnu/packages/rust-apps.scm b/gnu/packages/rust-apps.scm index 2f933d836c..1211ccb0c4 100644 --- a/gnu/packages/rust-apps.scm +++ b/gnu/packages/rust-apps.scm @@ -3211,14 +3211,14 @@ (define-public sniffglue (define-public speakersafetyd (package (name "speakersafetyd") - (version "1.0.2") + (version "1.1.2") (source (origin (method url-fetch) (uri (crate-uri "speakersafetyd" version)) (file-name (string-append name "-" version ".tar.gz")) (sha256 - (base32 "104xgyqhsg2rxa3ndkizrpndibmcbr25h63phcjswadbm8i790bz")))) + (base32 "1c4yk8mq8nazshdcasimlgnyhx27wzkad4wzicy5x43grq26b966")))) (build-system cargo-build-system) (arguments (list
@@ -3245,13 +3245,11 @@ (define-public speakersafetyd ((".*SYSTEMD_WANTS.*") "")))) (add-after 'install 'install-data (lambda _ - (setenv "BINDIR" (string-append #$output "/bin")) - (setenv "UNITDIR" (string-append #$output "/lib/systemd/system")) - (setenv "UDEVDIR" (string-append #$output "/lib/udev/rules.d")) - (setenv "TMPFILESDIR" (string-append #$output "/usr/lib/tmpfiles.d")) - (setenv "SHAREDIR" (string-append #$output "/share")) - (setenv "VARDIR" (string-append #$output "/var")) - (invoke "make" "install-data")))))) + (setenv "DESTDIR" #$output) + (setenv "SHAREDIR" "/share") + (setenv "SPEAKERSAFETYD_GROUP" "nixbld") + (setenv "SPEAKERSAFETYD_USER" "nixbld") + (invoke "make" "install")))))) (inputs (list alsa-lib)) (native-inputs (list pkg-config)) (home-page "https://github.com/AsahiLinux/speakersafetyd/") base-commit: 2ed28b5c24c599b2f9bc60dfc93151cf489ca477 -- 2.49.0
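Review bot: The added lines (setenv "SPEAKERSAFETYD_GROUP" "nixbld") and (setenv "SPEAKERSAFETYD_USER" "nixbld") hard-code an account name with no comment saying why, so a reader cannot tell whether the value only has to satisfy ownership arguments of `make install` during the build or is expected to matter for the installed files. Please add a short comment next to them. Also in this hunk, the phase is still named 'install-data and added after 'install, yet it now invokes `make install` instead of `make install-data`; either rename the phase or say why the full install target is needed. Since the UNITDIR, UDEVDIR, TMPFILESDIR and VARDIR overrides are removed and only DESTDIR and SHAREDIR remain, it is worth confirming that nothing ends up outside the expected layout under #$output.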
From: Roman Scherer
To: 77383@debbugs.gnu.org
Subject: [PATCH v2 2/3] gnu: speakersafetyd: Run as unprivileged user.
Date: Thu, 3 Apr 2025 17:44:32 +0200
Message-ID: <2788a4ea937715053ca7210a52ed0be3976fd0b6.1743695029.git.roman@burningswell.com>
In-Reply-To: <92c75e4d057966fdf586b34e34d8b43a7361e006.1743695029.git.roman@burningswell.com>

* gnu/services/sound.scm (speakersafetyd): Run as unprivileged user.
* doc/guix.texi: Document user and group fields.

Change-Id: I870bc7bfd69249da3a9c981f627e751395386bd2
--- doc/guix.texi | 6 +++++ gnu/services/sound.scm | 53 ++++++++++++++++++++++++++++++++++++++---- 2 files changed, 55 insertions(+), 4 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index f6d774fd13..a0f2a83c36 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -27268,12 +27268,18 @@ Sound Services The base directory as a G-expression (@pxref{G-Expressions}) that contains the configuration files of the speaker models. +@item @code{group} (default: @code{"speakersafetyd"}) (type: string) +The group to run the Speaker Safety Daemon as. + @item @code{maximum-gain-reduction} (default: @code{7}) (type: integer) Maximum gain reduction before panicking, useful for debugging. @item @code{speakersafetyd} (default: @code{speakersafetyd}) (type: file-like) The Speaker Safety Daemon package to use. +@item @code{user} (default: @code{"speakersafetyd"}) (type: string) +The user to run the Speaker Safety Daemon as. + @end table @end deftp @c %end of fragment diff --git a/gnu/services/sound.scm b/gnu/services/sound.scm index fbaa55c553..e5c26e2495 100644 --- a/gnu/services/sound.scm +++ b/gnu/services/sound.scm @@ -29,10 +29,12 @@ (define-module (gnu services sound) #:use-module (gnu system shadow) #:use-module (guix diagnostics) #:use-module (guix gexp) + #:use-module (guix modules) #:use-module (guix packages) #:use-module (guix records) #:use-module (guix store) #:use-module (guix ui) + #:use-module (gnu packages admin) #:use-module (gnu packages audio) #:use-module (gnu packages linux) #:use-module (gnu packages pulseaudio) 
@@ -288,16 +290,52 @@ (define-configuration/no-serialization speakersafetyd-configuration (file-like (file-append speakersafetyd "/share/speakersafetyd")) "The base directory as a G-expression (@pxref{G-Expressions}) that contains the configuration files of the speaker models.") + (group + (string "speakersafetyd") + "The group to run the Speaker Safety Daemon as.") (maximum-gain-reduction (integer 7) "Maximum gain reduction before panicking, useful for debugging.") (speakersafetyd (file-like speakersafetyd) - "The Speaker Safety Daemon package to use.")) + "The Speaker Safety Daemon package to use.") + (user + (string "speakersafetyd") + "The user to run the Speaker Safety Daemon as.")) + +(define speakersafetyd-accounts + (match-record-lambda + ( blackbox-directory configuration-directory group + maximum-gain-reduction speakersafetyd user) + (list (user-group + (name group) + (system? #t)) + (user-account + (name user) + (group group) + (system? #t) + (home-directory "/var/empty") + (shell (file-append shadow "/sbin/nologin")) + (supplementary-groups '("audio")))))) + +(define speakersafetyd-activation + (match-record-lambda + ( blackbox-directory configuration-directory group + maximum-gain-reduction speakersafetyd user) + (with-imported-modules (source-module-closure '((gnu build activation))) + #~(begin + (use-modules (gnu build activation)) + (let ((user (getpwnam #$user))) + (mkdir-p/perms "/run/speakersafetyd" user #o755) + (mkdir-p/perms "/var/lib/speakersafetyd" user #o755) + ;; Blackbox files contain audio recordings and might be sensitive + ;; information + (mkdir-p/perms #$blackbox-directory user #o700)))))) (define speakersafetyd-shepherd-service (match-record-lambda - (blackbox-directory configuration-directory maximum-gain-reduction speakersafetyd) + ( blackbox-directory configuration-directory group + maximum-gain-reduction speakersafetyd user) (shepherd-service (documentation "Run the speaker safety daemon") (provision '(speakersafetyd)) 
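Review bot: In speakersafetyd-activation the three mkdir-p/perms calls set owner and mode on the directories only, and nothing in the hunk touches files already inside them. On a system where the service ran before this change (the old shepherd service had no #:user), existing blackbox recordings and state under #$blackbox-directory and "/var/lib/speakersafetyd" would keep their previous owner, and the daemon running as the new unprivileged user may not be able to read or rotate them. Consider fixing up ownership of existing contents during activation, or documenting the manual migration step. The #o700 on the blackbox directory matches the comment about sensitive recordings; it would help to state in that comment that the default location is covered as well as a user-supplied one.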
@@ -306,7 +344,10 @@ (define speakersafetyd-shepherd-service (list #$(file-append speakersafetyd "/bin/speakersafetyd") "--config-path" #$configuration-directory "--blackbox-path" #$blackbox-directory - "--max-reduction" (number->string #$maximum-gain-reduction)))) + "--max-reduction" (number->string #$maximum-gain-reduction)) + #:group #$group + #:supplementary-groups '("audio") + #:user #$user)) (stop #~(make-kill-destructor))))) (define speakersafetyd-service-type 
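Review bot: The literal '("audio") passed as #:supplementary-groups here repeats the one given to the user-account in speakersafetyd-accounts, so the two lists have to be kept in sync by hand while user and group are configurable. Bind the list once at top level, or make it a configuration field, and use that in both places.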
@@ -324,7 +365,11 @@ (define speakersafetyd-service-type (compose list speakersafetyd-configuration-speakersafetyd)) (service-extension profile-service-type - (compose list speakersafetyd-configuration-speakersafetyd)))) + (compose list speakersafetyd-configuration-speakersafetyd)) + (service-extension account-service-type + speakersafetyd-accounts) + (service-extension activation-service-type + speakersafetyd-activation))) (default-value (speakersafetyd-configuration)))) ;;; sound.scm ends here -- 2.49.0
From: Roman Scherer
To: 77383@debbugs.gnu.org
Subject: [PATCH v2 3/3] gnu: speakersafetyd: Add log file.
Date: Thu, 3 Apr 2025 17:44:33 +0200
Message-ID: <5ba23c403131cee486e54fd2c8dfcd21d2bf3b6f.1743695029.git.roman@burningswell.com>
In-Reply-To: <92c75e4d057966fdf586b34e34d8b43a7361e006.1743695029.git.roman@burningswell.com>

* gnu/services/sound.scm (speakersafetyd): Add log file.
* doc/guix.texi: Document log-file field.

Change-Id: I870bc7bfd69249da3a9c981f627e751395386bd2
--- doc/guix.texi | 3 +++ gnu/services/sound.scm | 10 +++++++--- 2 files changed, 10 insertions(+), 3 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index a0f2a83c36..9a6084e994 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -27271,6 +27271,9 @@ Sound Services @item @code{group} (default: @code{"speakersafetyd"}) (type: string) The group to run the Speaker Safety Daemon as. +@item @code{log-file} (default: @code{"/var/log/speakersafetyd.log"}) (type: string) +The path to the Speaker Safety Daemon log file. + @item @code{maximum-gain-reduction} (default: @code{7}) (type: integer) Maximum gain reduction before panicking, useful for debugging. diff --git a/gnu/services/sound.scm b/gnu/services/sound.scm index e5c26e2495..39b5d043a3 100644 --- a/gnu/services/sound.scm +++ b/gnu/services/sound.scm 
@@ -293,6 +293,9 @@ (define-configuration/no-serialization speakersafetyd-configuration (group (string "speakersafetyd") "The group to run the Speaker Safety Daemon as.") + (log-file + (string "/var/log/speakersafetyd.log") + "The path to the Speaker Safety Daemon log file.") (maximum-gain-reduction (integer 7) "Maximum gain reduction before panicking, useful for debugging.") @@ -305,7 +308,7 @@ (define-configuration/no-serialization speakersafetyd-configuration (define speakersafetyd-accounts (match-record-lambda - ( blackbox-directory configuration-directory group + ( blackbox-directory configuration-directory group log-file maximum-gain-reduction speakersafetyd user) (list (user-group (name group) @@ -320,7 +323,7 @@ (define speakersafetyd-accounts (define speakersafetyd-activation (match-record-lambda - ( blackbox-directory configuration-directory group + ( blackbox-directory configuration-directory group log-file maximum-gain-reduction speakersafetyd user) (with-imported-modules (source-module-closure '((gnu build activation))) #~(begin @@ -334,7 +337,7 @@ (define speakersafetyd-activation (define speakersafetyd-shepherd-service (match-record-lambda - ( blackbox-directory configuration-directory group + ( blackbox-directory configuration-directory group log-file maximum-gain-reduction speakersafetyd user) (shepherd-service (documentation "Run the speaker safety daemon") 
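Review bot: log-file is added to the field lists of speakersafetyd-accounts and speakersafetyd-activation, but neither body, as introduced in patch 2/3, refers to it; only speakersafetyd-shepherd-service needs the binding, for #:log-file. Drop it from the first two lists, and ideally trim each list to the fields its body actually uses. This commit also carries the same Change-Id as patch 2/3 (I870bc7bfd69249da3a9c981f627e751395386bd2), which should be regenerated so the two commits can be told apart.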
@@ -346,6 +349,7 @@ (define speakersafetyd-shepherd-service "--blackbox-path" #$blackbox-directory "--max-reduction" (number->string #$maximum-gain-reduction)) #:group #$group + #:log-file #$log-file #:supplementary-groups '("audio") #:user #$user)) (stop #~(make-kill-destructor))))) -- 2.49.0
From: Roman Scherer
To: Maxim Cournoyer
Cc: 77383@debbugs.gnu.org, Roman Scherer, Ludovic Courtès
Subject: Re: [bug#77383] [PATCH 2/2] gnu: speakersafetyd: Run as unprivileged user.
In-Reply-To: <87sempzfsk.fsf@gmail.com> (Maxim Cournoyer's message of "Thu, 03 Apr 2025 19:43:23 +0900")
Date: Thu, 03 Apr 2025 17:47:03 +0200
Message-ID: <86iknl2qo8.fsf@burningswell.com>

Hi Maxim,

thanks for the review. I just sent a v2 of the patch series.

Maxim Cournoyer writes:

> Hi,
>
> Roman Scherer writes:
>
>> * gnu/services/sound.scm (speakersafetyd): Run as unprivileged user.
>
> Sounds good, perhaps also mention it adds a log file (is this related to
> this change?).

No, it's not related. I split the log file into another commit.

> [...]
>
>> +(define speakersafetyd-accounts >> + (match-record-lambda >> + (blackbox-directory configuration-directory group log-file maximum-gain-reduction speakersafetyd user)
>
> Please break this and next long lines into something that fits < 80
> characters. You can use the Emacs indentation hack to do so and leave a
> space after the opening parens to ensure it gets indented as data and
> not a procedure:
>
> ( blackbox-directory configuration-directory ...
> speakersafetyd user)
>

Interesting, didn't know about this Emacs indentation hack.

>> + (list (user-group >> + (name group) >> + (system? #t)) >> + (user-account >> + (name user) >> + (group group) >> + (system? 
#t) >> + (home-directory "/var/empty") >> + (shell (file-append shadow "/sbin/nologin")) >> + (supplementary-groups '("audio")))))) >> + >> +(define speakersafetyd-activation >> + (match-record-lambda >> + (blackbox-directory configuration-directory group log-file maximum-gain-reduction speakersafetyd user) > > Line width > 80 columns. > >> + (with-imported-modules (source-module-closure >> + '((gnu build activation) >> + (guix build utils))) > > Looks like you only use (gnu build activation), not (guix build utils) > in the below snippet. > >> + #~(begin >> + (use-modules (gnu build activation)) >> + (let ((user (getpwnam #$user))) >> + (mkdir-p/perms "/run/speakersafetyd" user #o755) >> + (mkdir-p/perms "/var/lib/speakersafetyd" user #o755) >> + ;; Blackbox files contain audio recordings and might be sensitive information >> + (mkdir-p/perms #$blackbox-directory user #o700)))))) >> >> (define speakersafetyd-shepherd-service >> (match-record-lambda >> - (blackbox-directory configuration-directory maximum-gain-reduction speakersafetyd) >> + (blackbox-directory configuration-directory group log-file maximum-gain-reduction speakersafetyd user) > > Line width > 80 columns. > >> (shepherd-service >> (documentation "Run the speaker safety daemon") >> (provision '(speakersafetyd)) >> @@ -306,7 +345,11 @@ (define speakersafetyd-shepherd-service >> (list #$(file-append speakersafetyd "/bin/speakersafetyd") >> "--config-path" #$configuration-directory >> "--blackbox-path" #$blackbox-directory >> - "--max-reduction" (number->string #$maximum-gain-reduction)))) >> + "--max-reduction" (number->string #$maximum-gain-reduction)) >> + #:group #$group >> + #:log-file #$log-file >> + #:supplementary-groups '("audio") >> + #:user #$user)) >> (stop #~(make-kill-destructor))))) >> >> (define speakersafetyd-service-type 
>> @@ -324,7 +367,13 @@ (define speakersafetyd-service-type >> (compose list speakersafetyd-configuration-speakersafetyd)) >> (service-extension >> profile-service-type >> - (compose list speakersafetyd-configuration-speakersafetyd)))) >> + (compose list speakersafetyd-configuration-speakersafetyd)) >> + (service-extension >> + account-service-type >> + speakersafetyd-accounts) >> + (service-extension >> + activation-service-type >> + speakersafetyd-activation))) > > nitpick but I like to put at least one argument on the same line unless > respecting the 80 columns max width is challenging, as in: > > --8<---------------cut here---------------start------------->8--- > (service-extension account-service-type > speakersafetyd-accounts) > --8<---------------cut here---------------end--------------->8--- > > etc. > > Other than these tiny details, it LGTM. Could you please send a v2?
From: Maxim Cournoyer
To: Roman Scherer
Cc: 77383@debbugs.gnu.org, Steve George, Efraim Flashner, Divya Ranjan Pattanaik
Subject: Re: [bug#77383] [PATCH v2 1/3] gnu: speakersafetyd: Update to 1.1.2.
In-Reply-To: <92c75e4d057966fdf586b34e34d8b43a7361e006.1743695029.git.roman@burningswell.com> (Roman Scherer's message of "Thu, 3 Apr 2025 17:44:31 +0200")
Date: Tue, 08 Apr 2025 11:09:26 +0900
Message-ID: <87ldsbz9nt.fsf@gmail.com>

Hi Roman,

2nd pass over this series.

Roman Scherer writes:

> * gnu/packages/rust-apps.scm (speakersafetyd): Update to 1.1.2.
>
> Change-Id: I1c6d7b6080b18bd8228e8b39d1a0b42267e2b7e1

[...]

> - (setenv "BINDIR" (string-append #$output "/bin")) > - (setenv "UNITDIR" (string-append #$output "/lib/systemd/system")) > - (setenv "UDEVDIR" (string-append #$output "/lib/udev/rules.d")) > - (setenv "TMPFILESDIR" (string-append #$output "/usr/lib/tmpfiles.d")) > - (setenv "SHAREDIR" (string-append #$output "/share")) > - (setenv "VARDIR" (string-append #$output "/var")) > - (invoke "make" "install-data")))))) > + (setenv "DESTDIR" #$output) > + (setenv "SHAREDIR" "/share") > + (setenv "SPEAKERSAFETYD_GROUP" "nixbld") > + (setenv "SPEAKERSAFETYD_USER" "nixbld")

Since these are just setting environment variables, which are stateful, there's no need to override the install phase, it can go in a 'prepare-to-install or similarly named phase ordered before 'install.
--
Thanks,
Maxim
From: Maxim Cournoyer
To: Roman Scherer
Cc: 77383@debbugs.gnu.org, Ludovic Courtès
Subject: Re: [bug#77383] [PATCH v2 2/3] gnu: speakersafetyd: Run as unprivileged user.
Date: Tue, 08 Apr 2025 11:13:03 +0900

Hi,

Roman Scherer writes:

> * gnu/services/sound.scm (speakersafetyd): Run as unprivileged user.
> * doc/guix.texi: Document user and group fields.
>
> Change-Id: I870bc7bfd69249da3a9c981f627e751395386bd2

[...]

> +(define speakersafetyd-accounts > + (match-record-lambda > + ( blackbox-directory configuration-directory group > + maximum-gain-reduction speakersafetyd user)

You don't need to list all the fields when using match-record, and I assume match-record-lambda as well. Here only `group' and `user' appear useful.

> + (list (user-group > + (name group) > + (system? #t)) > + (user-account > + (name user) > + (group group) > + (system? #t) > + (home-directory "/var/empty") > + (shell (file-append shadow "/sbin/nologin")) > + (supplementary-groups '("audio")))))) > + > +(define speakersafetyd-activation > + (match-record-lambda > + ( blackbox-directory configuration-directory group > + maximum-gain-reduction speakersafetyd user)

Likewise.

> + (with-imported-modules (source-module-closure '((gnu build activation))) > + #~(begin > + (use-modules (gnu build activation)) > + (let ((user (getpwnam #$user))) > + (mkdir-p/perms "/run/speakersafetyd" user #o755) > + (mkdir-p/perms "/var/lib/speakersafetyd" user #o755) > + ;; Blackbox files contain audio recordings and might be sensitive > + ;; information > + (mkdir-p/perms #$blackbox-directory user #o700)))))) > > (define speakersafetyd-shepherd-service > (match-record-lambda > - (blackbox-directory configuration-directory maximum-gain-reduction speakersafetyd) > + ( blackbox-directory configuration-directory group > + maximum-gain-reduction speakersafetyd user) > (shepherd-service > (documentation "Run the speaker safety daemon") > (provision '(speakersafetyd)) 
> @@ -306,7 +344,10 @@ (define speakersafetyd-shepherd-service > (list #$(file-append speakersafetyd "/bin/speakersafetyd") > "--config-path" #$configuration-directory > "--blackbox-path" #$blackbox-directory > - "--max-reduction" (number->string #$maximum-gain-reduction)))) > + "--max-reduction" (number->string #$maximum-gain-reduction)) > + #:group #$group > + #:supplementary-groups '("audio") > + #:user #$user)) > (stop #~(make-kill-destructor)))))

Note for a future improvement: we also have a least-authority-wrapper defined in (guix least-authority) that can wrap a binary to have it run in a Linux container, to further sandbox the process.

-- Thanks, Maxim
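Review bot: The shepherd-service hunk hard-codes #:supplementary-groups '("audio"), and the same literal appears in the user-account record of speakersafetyd-accounts, so the two can drift apart when one of them is changed. Consider binding the list once, or making it a configuration field next to user and group, and using it in both places, with a short comment on why the daemon needs the audio group.
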
From: Maxim Cournoyer
To: Roman Scherer
Cc: 77383@debbugs.gnu.org, Ludovic Courtès
Subject: Re: [bug#77383] [PATCH v2 3/3] gnu: speakersafetyd: Add log file.
Date: Tue, 08 Apr 2025 11:15:11 +0900

Hi,

Roman Scherer writes:

> * gnu/services/sound.scm (speakersafetyd): Add log file.
> * doc/guix.texi: Document log-file field.
>
> Change-Id: I870bc7bfd69249da3a9c981f627e751395386bd2
> --- > doc/guix.texi | 3 +++ > gnu/services/sound.scm | 10 +++++++--- > 2 files changed, 10 insertions(+), 3 deletions(-) > > diff --git a/doc/guix.texi b/doc/guix.texi > index a0f2a83c36..9a6084e994 100644 > --- a/doc/guix.texi > +++ b/doc/guix.texi > @@ -27271,6 +27271,9 @@ Sound Services > @item @code{group} (default: @code{"speakersafetyd"}) (type: string) > The group to run the Speaker Safety Daemon as. > > +@item @code{log-file} (default: @code{"/var/log/speakersafetyd.log"}) (type: string) > +The path to the Speaker Safety Daemon log file. > + > @item @code{maximum-gain-reduction} (default: @code{7}) (type: integer) > Maximum gain reduction before panicking, useful for debugging. > > diff --git a/gnu/services/sound.scm b/gnu/services/sound.scm > index e5c26e2495..39b5d043a3 100644 > --- a/gnu/services/sound.scm 
> +++ b/gnu/services/sound.scm > @@ -293,6 +293,9 @@ (define-configuration/no-serialization speakersafetyd-configuration > (group > (string "speakersafetyd") > "The group to run the Speaker Safety Daemon as.") > + (log-file > + (string "/var/log/speakersafetyd.log") > + "The path to the Speaker Safety Daemon log file.") The convention in GNU is to use 'path' only for search paths; the preferred term for file names is 'file name'. > (maximum-gain-reduction > (integer 7) > "Maximum gain reduction before panicking, useful for debugging.") > @@ -305,7 +308,7 @@ (define-configuration/no-serialization speakersafetyd-configuration > > (define speakersafetyd-accounts > (match-record-lambda > - ( blackbox-directory configuration-directory group > + ( blackbox-directory configuration-directory group log-file > maximum-gain-reduction speakersafetyd user) > (list (user-group > (name group) > @@ -320,7 +323,7 @@ (define speakersafetyd-accounts > > (define speakersafetyd-activation > (match-record-lambda > - ( blackbox-directory configuration-directory group > + ( blackbox-directory configuration-directory group log-file > maximum-gain-reduction speakersafetyd user) > (with-imported-modules (source-module-closure '((gnu build activation))) > #~(begin > @@ -334,7 +337,7 @@ (define speakersafetyd-activation > > (define speakersafetyd-shepherd-service > (match-record-lambda > - ( blackbox-directory configuration-directory group > + ( blackbox-directory configuration-directory group log-file > maximum-gain-reduction speakersafetyd user) As mentioned earlier, make sure to expose only the fields needed in the above match-record-lambda forms. > (shepherd-service > (documentation "Run the speaker safety daemon") 
> @@ -346,6 +349,7 @@ (define speakersafetyd-shepherd-service > "--blackbox-path" #$blackbox-directory > "--max-reduction" (number->string #$maximum-gain-reduction)) > #:group #$group > + #:log-file #$log-file > #:supplementary-groups '("audio") > #:user #$user)) > (stop #~(make-kill-destructor)))))

Otherwise, LGTM! Could you send a hopefully final v3?

-- Thanks, Maxim
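Review bot: In the last hunk #:log-file #$log-file is passed together with #:user #$user, but nothing in speakersafetyd-activation creates or chowns the log file, and its default location is /var/log/speakersafetyd.log. Please confirm that the log file is opened before privileges are dropped, so that the unprivileged account needs no write access to /var/log; if it is not, the activation gexp should create the file with the right owner.
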
From: Roman Scherer
To: 77383@debbugs.gnu.org
Cc: Roman Scherer
Subject: [PATCH v3 1/3] gnu: speakersafetyd: Update to 1.1.2.
Date: Wed, 9 Apr 2025 19:26:09 +0200

* gnu/packages/rust-apps.scm (speakersafetyd): Update to 1.1.2.

Change-Id: I1c6d7b6080b18bd8228e8b39d1a0b42267e2b7e1
--- gnu/packages/rust-apps.scm | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/gnu/packages/rust-apps.scm b/gnu/packages/rust-apps.scm index 2f933d836c..4d9430e5da 100644 --- a/gnu/packages/rust-apps.scm +++ b/gnu/packages/rust-apps.scm @@ -3211,14 +3211,14 @@ (define-public sniffglue (define-public speakersafetyd (package (name "speakersafetyd") - (version "1.0.2") + (version "1.1.2") (source (origin (method url-fetch) (uri (crate-uri "speakersafetyd" version)) (file-name (string-append name "-" version ".tar.gz")) (sha256 - (base32 "104xgyqhsg2rxa3ndkizrpndibmcbr25h63phcjswadbm8i790bz")))) + (base32 "1c4yk8mq8nazshdcasimlgnyhx27wzkad4wzicy5x43grq26b966")))) (build-system cargo-build-system) (arguments (list 
@@ -3243,15 +3243,13 @@ (define-public speakersafetyd (lambda _ (substitute* "95-speakersafetyd.rules" ((".*SYSTEMD_WANTS.*") "")))) - (add-after 'install 'install-data + (add-before 'install 'prepare-to-install (lambda _ - (setenv "BINDIR" (string-append #$output "/bin")) - (setenv "UNITDIR" (string-append #$output "/lib/systemd/system")) - (setenv "UDEVDIR" (string-append #$output "/lib/udev/rules.d")) - (setenv "TMPFILESDIR" (string-append #$output "/usr/lib/tmpfiles.d")) - (setenv "SHAREDIR" (string-append #$output "/share")) - (setenv "VARDIR" (string-append #$output "/var")) - (invoke "make" "install-data")))))) + (setenv "DESTDIR" #$output) + (setenv "SHAREDIR" "/share") + (setenv "SPEAKERSAFETYD_GROUP" "nixbld") + (setenv "SPEAKERSAFETYD_USER" "nixbld") + (invoke "make" "install")))))) (inputs (list alsa-lib)) (native-inputs (list pkg-config)) (home-page "https://github.com/AsahiLinux/speakersafetyd/")
base-commit: f0c0769189d11debf7b237a02695c44c9773d52a
-- 2.49.0
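Review bot: In the second hunk the new 'prepare-to-install phase sets SPEAKERSAFETYD_GROUP and SPEAKERSAFETYD_USER to the literal "nixbld" with no comment, so the reason for that value, and the assumption that an account of that name exists in the build environment, are undocumented; add a comment saying what the Makefile does with these variables. The phase name is also misleading, since the phase runs "make install" itself rather than preparing for the 'install phase. With the BINDIR, UNITDIR, UDEVDIR, TMPFILESDIR and VARDIR overrides removed and only DESTDIR and SHAREDIR set, it is worth checking that the udev rules and the other data files still land in the same directories under #$output as before.
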
From: Roman Scherer
To: 77383@debbugs.gnu.org
Cc: Roman Scherer
Subject: [PATCH v3 2/3] gnu: speakersafetyd: Run as unprivileged user.
Date: Wed, 9 Apr 2025 19:26:10 +0200

* gnu/services/sound.scm (speakersafetyd): Run as unprivileged user.

Change-Id: I870bc7bfd69249da3a9c981f627e751395386bd2
--- doc/guix.texi | 6 +++++ gnu/services/sound.scm | 51 ++++++++++++++++++++++++++++++++++++++---- 2 files changed, 53 insertions(+), 4 deletions(-) diff --git a/doc/guix.texi b/doc/guix.texi index bee80cd4e2..6acbf1ba55 100644 --- a/doc/guix.texi +++ b/doc/guix.texi 
@@ -27267,12 +27267,18 @@ Sound Services The base directory as a G-expression (@pxref{G-Expressions}) that contains the configuration files of the speaker models. +@item @code{group} (default: @code{"speakersafetyd"}) (type: string) +The group to run the Speaker Safety Daemon as. + @item @code{maximum-gain-reduction} (default: @code{7}) (type: integer) Maximum gain reduction before panicking, useful for debugging. @item @code{speakersafetyd} (default: @code{speakersafetyd}) (type: file-like) The Speaker Safety Daemon package to use. +@item @code{user} (default: @code{"speakersafetyd"}) (type: string) +The user to run the Speaker Safety Daemon as. + @end table @end deftp @c %end of fragment diff --git a/gnu/services/sound.scm b/gnu/services/sound.scm index fbaa55c553..0558d4fce8 100644 --- a/gnu/services/sound.scm +++ b/gnu/services/sound.scm @@ -29,10 +29,12 @@ (define-module (gnu services sound) #:use-module (gnu system shadow) #:use-module (guix diagnostics) #:use-module (guix gexp) + #:use-module (guix modules) #:use-module (guix packages) #:use-module (guix records) #:use-module (guix store) #:use-module (guix ui) + #:use-module (gnu packages admin) #:use-module (gnu packages audio) #:use-module (gnu packages linux) #:use-module (gnu packages pulseaudio) 
@@ -288,16 +290,50 @@ (define-configuration/no-serialization speakersafetyd-configuration (file-like (file-append speakersafetyd "/share/speakersafetyd")) "The base directory as a G-expression (@pxref{G-Expressions}) that contains the configuration files of the speaker models.") + (group + (string "speakersafetyd") + "The group to run the Speaker Safety Daemon as.") (maximum-gain-reduction (integer 7) "Maximum gain reduction before panicking, useful for debugging.") (speakersafetyd (file-like speakersafetyd) - "The Speaker Safety Daemon package to use.")) + "The Speaker Safety Daemon package to use.") + (user + (string "speakersafetyd") + "The user to run the Speaker Safety Daemon as.")) + +(define speakersafetyd-accounts + (match-record-lambda + (group user) + (list (user-group + (name group) + (system? #t)) + (user-account + (name user) + (group group) + (system? #t) + (home-directory "/var/empty") + (shell (file-append shadow "/sbin/nologin")) + (supplementary-groups '("audio")))))) + +(define speakersafetyd-activation + (match-record-lambda + (blackbox-directory group user) + (with-imported-modules (source-module-closure '((gnu build activation))) + #~(begin + (use-modules (gnu build activation)) + (let ((user (getpwnam #$user))) + (mkdir-p/perms "/run/speakersafetyd" user #o755) + (mkdir-p/perms "/var/lib/speakersafetyd" user #o755) + ;; Blackbox files contain audio recordings and might be sensitive + ;; information + (mkdir-p/perms #$blackbox-directory user #o700)))))) (define speakersafetyd-shepherd-service (match-record-lambda - (blackbox-directory configuration-directory maximum-gain-reduction speakersafetyd) + ( blackbox-directory configuration-directory group + maximum-gain-reduction speakersafetyd user) (shepherd-service (documentation "Run the speaker safety daemon") (provision '(speakersafetyd)) 
@@ -306,7 +342,10 @@ (define speakersafetyd-shepherd-service (list #$(file-append speakersafetyd "/bin/speakersafetyd") "--config-path" #$configuration-directory "--blackbox-path" #$blackbox-directory - "--max-reduction" (number->string #$maximum-gain-reduction)))) + "--max-reduction" (number->string #$maximum-gain-reduction)) + #:group #$group + #:supplementary-groups '("audio") + #:user #$user)) (stop #~(make-kill-destructor))))) (define speakersafetyd-service-type 
@@ -324,7 +363,11 @@ (define speakersafetyd-service-type (compose list speakersafetyd-configuration-speakersafetyd)) (service-extension profile-service-type - (compose list speakersafetyd-configuration-speakersafetyd)))) + (compose list speakersafetyd-configuration-speakersafetyd)) + (service-extension account-service-type + speakersafetyd-accounts) + (service-extension activation-service-type + speakersafetyd-activation))) (default-value (speakersafetyd-configuration)))) ;;; sound.scm ends here
-- 2.49.0
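Review bot: speakersafetyd-activation creates #$blackbox-directory with mode #o700 for the new account, but the removed start form had no #:user, so on an existing system that directory may already hold files written while the daemon ran without a dedicated account, and the hunk only sets up the directories themselves. Say in a comment, or handle in the activation gexp, what happens to existing blackbox files on upgrade. /run/speakersafetyd and /var/lib/speakersafetyd are created with #o755; if nothing outside the daemon reads them, a tighter mode would match the care taken for the blackbox directory.

Review bot: The commit message lists only "gnu/services/sound.scm (speakersafetyd)", while the diff also changes doc/guix.texi and adds the speakersafetyd-accounts and speakersafetyd-activation procedures and two service extensions. v2 carried a "* doc/guix.texi: Document user and group fields." entry that is missing here; please restore it and add entries for the new definitions.
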
From: Roman Scherer
To: 77383@debbugs.gnu.org
Cc: Roman Scherer
Subject: [PATCH v3 3/3] gnu: speakersafetyd: Add log file.
Date: Wed, 9 Apr 2025 19:26:11 +0200

* gnu/services/sound.scm (speakersafetyd): Add log file.

Change-Id: I870bc7bfd69249da3a9c981f627e751395386bd2
--- doc/guix.texi | 3 +++ gnu/services/sound.scm | 6 +++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/doc/guix.texi b/doc/guix.texi index 6acbf1ba55..60a82081d4 100644 --- a/doc/guix.texi +++ b/doc/guix.texi @@ -27270,6 +27270,9 @@ Sound Services @item @code{group} (default: @code{"speakersafetyd"}) (type: string) The group to run the Speaker Safety Daemon as. +@item @code{log-file} (default: @code{"/var/log/speakersafetyd.log"}) (type: string) +The file name to the Speaker Safety Daemon log file. + @item @code{maximum-gain-reduction} (default: @code{7}) (type: integer) Maximum gain reduction before panicking, useful for debugging. diff --git a/gnu/services/sound.scm b/gnu/services/sound.scm index 0558d4fce8..23f92f6bee 100644 --- a/gnu/services/sound.scm +++ b/gnu/services/sound.scm 
@@ -293,6 +293,9 @@ (define-configuration/no-serialization speakersafetyd-configuration (group (string "speakersafetyd") "The group to run the Speaker Safety Daemon as.") + (log-file + (string "/var/log/speakersafetyd.log") + "The file name to the Speaker Safety Daemon log file.") (maximum-gain-reduction (integer 7) "Maximum gain reduction before panicking, useful for debugging.") @@ -332,7 +335,7 @@ (define speakersafetyd-activation (define speakersafetyd-shepherd-service (match-record-lambda - ( blackbox-directory configuration-directory group + ( blackbox-directory configuration-directory group log-file maximum-gain-reduction speakersafetyd user) (shepherd-service (documentation "Run the speaker safety daemon") 
@@ -344,6 +347,7 @@ (define speakersafetyd-shepherd-service "--blackbox-path" #$blackbox-directory "--max-reduction" (number->string #$maximum-gain-reduction)) #:group #$group + #:log-file #$log-file #:supplementary-groups '("audio") #:user #$user)) (stop #~(make-kill-destructor))))) -- 2.49.0 From debbugs-submit-bounces@debbugs.gnu.org Wed Apr 09 13:30:15 2025 Received: (at 77383) by debbugs.gnu.org; 9 Apr 2025 17:30:15 +0000 Received: from localhost ([127.0.0.1]:41518 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1u2ZFe-00052a-Qh for submit@debbugs.gnu.org; Wed, 09 Apr 2025 13:30:15 -0400 Received: from mail-wm1-x32f.google.com ([2a00:1450:4864:20::32f]:51227) by debbugs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.84_2) (envelope-from ) id 1u2ZFb-0004yp-Nz for 77383@debbugs.gnu.org; Wed, 09 Apr 2025 13:30:12 -0400 Received: by mail-wm1-x32f.google.com with SMTP id 5b1f17b1804b1-43d0618746bso52398395e9.2 for <77383@debbugs.gnu.org>; Wed, 09 Apr 2025 10:30:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=burningswell-com.20230601.gappssmtp.com; s=20230601; t=1744219805; x=1744824605; darn=debbugs.gnu.org; h=mime-version:message-id:date:user-agent:references:in-reply-to :subject:cc:to:from:from:to:cc:subject:date:message-id:reply-to; bh=0GQvenJaCiWShkG49s45eq7x9nowovY9HKYNx2mWHOI=; b=LPYinGddK4go9wGOyos6yvr+QiV8M4/gqiOhvXi0Ujypwy6TDMlOm6Im31MxxA4dz3 ghOcolCFnXgmCuwhIFKQ51/kndlpbYpHqXTe4p52hRqJPRAc8yPQc1ZOqlJxw+40NH7W 6qTea8AT82tZyOnX/jFpylwuzn0iWc8afg5/wlCjMuG9mmDUub1XvqXQzsU71UPHhhpy yN3FQhaGUJuoGKsD89JcUqHAmOIn/+ScLW6XZQ2Lovu2yKLSm9lvXh1LkWPPAkhDF03u kNUnyusidL+OldpaMW7XX17zmTyGSQOPlxXmuvZP9j/Vfz0HZ4MwdhmcPFF0hi1RKifx NK6A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1744219805; x=1744824605; h=mime-version:message-id:date:user-agent:references:in-reply-to :subject:cc:to:from:x-gm-message-state:from:to:cc:subject:date 
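Review bot: The new log-file doc string in sound.scm and the matching guix.texi entry read "The file name to the Speaker Safety Daemon log file."; the "to" is left over from the earlier "path to" wording and should be "of", giving "The file name of the Speaker Safety Daemon log file." The commit message also reuses Change-Id I870bc7bfd69249da3a9c981f627e751395386bd2 from patch 2/3 and, although the diff touches doc/guix.texi, has no entry for it.
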
:message-id:reply-to; bh=0GQvenJaCiWShkG49s45eq7x9nowovY9HKYNx2mWHOI=; b=r91ObFpLLivAH9JY9xjvyKMcra4VO/mS8t2dBOH8nV4lQebzeXkHkfQsuwfgjvisNi UiYp3KNf5N+q3xYMaig+rYWxHckY2wIIxKLkLWvMNrLyuf60kkS5KaSnfMDQoa1X4DO/ LMwdatObmjcQJofw3CvzEfnKN/RXM0vsLOfSp7/w+3sHxqwW3BEjyXtw3jPrR8uIB0HW 4k5EBE2YElErsnlZzne6nJrH+hSd7kOihTG4COTJjMcqe3aCFv1I60iLA+SaNhFIRhU8 eFbDwlx2/1/sNca2GXt+kTOQlF3fSwrFL4+J2OmNd2pH3goe1660Jv3WtlQKR7HIuZFb Rf7w== X-Forwarded-Encrypted: i=1; AJvYcCUA58ZKu2e9c9R6YRdpdR8gsSOc52Iz1B0BQn0V3ZxU3AkFSVyJAoSuA6ABZtnx/8WdHksocw==@debbugs.gnu.org X-Gm-Message-State: AOJu0YxUo4ZIfAvo/WBUNWu6DipiQceAAHKcHm9/f6ALyqgxRu4IWXaZ J3bxPAamA13hfILVqaCTrBwk9xpiA/33Fqj2ejPsdBvYcjJJl8wb4TKvRVf4dvc= X-Gm-Gg: ASbGncuZua3GSzCvBezV2StCvSdhkd9Tuw8qWaakTSOiSSwo8Nxtj7/fjsIvUq6DZW1 SJLk+NqreVKQBhguMLQYaNy/2cUn/LqtQ9dxSRXjRfVKRRTz1p/LBfD3L2WLJVUUZFS2rsTJ8js UAfrQ/RlSJqpamxNDPXm4iC4/v6qGEPX6dYBkKl3fkY5VyczlFp/M3vcGmZl7Jq+ijQOgMoNXAC MytGesELvufJCoJpQ6b273iJcmSviHXVps5oNNTXbNb7yGxTzQjFlZRBsDBcQvAU/bq6rX034Vh N98Fb+XM+OukwbRy3ML+n3gaQMQuwSlo7A== X-Google-Smtp-Source: AGHT+IEYerhsbC0jYHS9PuxogjZvvtYXM/lnpMRPXCZKgYdJY3Dhg5H/+9ShcYju2R7xZCdufkKBDw== X-Received: by 2002:a5d:64aa:0:b0:39c:27cc:7ba3 with SMTP id ffacd0b85a97d-39d88541852mr3353544f8f.33.1744219805406; Wed, 09 Apr 2025 10:30:05 -0700 (PDT) Received: from m1 ([2a01:599:107:ea74:97c3:d481:d15d:ea6d]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-39d893f0d0asm2207323f8f.74.2025.04.09.10.30.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 09 Apr 2025 10:30:04 -0700 (PDT) 
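Review bot: the docstring added in the @@ -293,6 +293,9 @@ hunk reads "The file name to the Speaker Safety Daemon log file."; "file name of" is the idiomatic form. Since the field is a plain string, it would also help to say that an absolute file name is expected.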
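Review bot: in the @@ -344,6 +347,7 @@ hunk, #:log-file is passed next to #:user and #:group, but nothing in the patch says which account ends up owning /var/log/speakersafetyd.log or with what mode. Now that the daemon runs unprivileged, state that in the field's documentation and confirm that the service user does not need write access to /var/log itself.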
From: Roman Scherer
To: Maxim Cournoyer
Subject: Re: [bug#77383] [PATCH v2 3/3] gnu: speakersafetyd: Add log file.
Date: Wed, 09 Apr 2025 19:30:02 +0200

Hi Maxim,

I just sent a v3 of the patch series.

Maxim Cournoyer writes:

> Hi,
>
> Roman Scherer writes:
>
>> * gnu/services/sound.scm (speakersafetyd): Add log file.
>> * doc/guix.texi: Document log-file field.
>>
>> Change-Id: I870bc7bfd69249da3a9c981f627e751395386bd2
>> ---
>> doc/guix.texi | 3 +++
>> gnu/services/sound.scm | 10 +++++++---
>> 2 files changed, 10 insertions(+), 3 deletions(-)
>>
>> diff --git a/doc/guix.texi b/doc/guix.texi >> index a0f2a83c36..9a6084e994 100644 >> --- a/doc/guix.texi >> +++ b/doc/guix.texi
>> @@ -27271,6 +27271,9 @@ Sound Services >> @item @code{group} (default: @code{"speakersafetyd"}) (type: string) >> The group to run the Speaker Safety Daemon as. >> >> +@item @code{log-file} (default: @code{"/var/log/speakersafetyd.log"}) (type: string) >> +The path to the Speaker Safety Daemon log file. >> + >> @item @code{maximum-gain-reduction} (default: @code{7}) (type: integer) >> Maximum gain reduction before panicking, useful for debugging. >> >> diff --git a/gnu/services/sound.scm b/gnu/services/sound.scm >> index e5c26e2495..39b5d043a3 100644 >> --- a/gnu/services/sound.scm >> +++ b/gnu/services/sound.scm >> @@ -293,6 +293,9 @@ (define-configuration/no-serialization speakersafetyd-configuration >> (group >> (string "speakersafetyd") >> "The group to run the Speaker Safety Daemon as.") >> + (log-file >> + (string "/var/log/speakersafetyd.log") >> + "The path to the Speaker Safety Daemon log file.")
>
> The convention in GNU is to use 'path' only for search paths; the
> preferred term for file names is 'file name'.
>

I changed it.

>> (maximum-gain-reduction >> (integer 7) >> "Maximum gain reduction before panicking, useful for debugging.") >> @@ -305,7 +308,7 @@ (define-configuration/no-serialization speakersafetyd-configuration >> >> (define speakersafetyd-accounts >> (match-record-lambda >> - ( blackbox-directory configuration-directory group >> + ( blackbox-directory configuration-directory group log-file >> maximum-gain-reduction speakersafetyd user) >> (list (user-group >> (name group) >> @@ -320,7 +323,7 @@ (define speakersafetyd-accounts >> >> (define speakersafetyd-activation >> (match-record-lambda >> - ( blackbox-directory configuration-directory group >> + ( blackbox-directory configuration-directory group log-file >> maximum-gain-reduction speakersafetyd user) >> (with-imported-modules (source-module-closure '((gnu build activation))) >> #~(begin
>> @@ -334,7 +337,7 @@ (define speakersafetyd-activation >> >> (define speakersafetyd-shepherd-service >> (match-record-lambda >> - ( blackbox-directory configuration-directory group >> + ( blackbox-directory configuration-directory group log-file >> maximum-gain-reduction speakersafetyd user)
>
> As mentioned earlier, make sure to expose only the fields needed in the
> above match-record-lambda forms.
>

Nice! I somehow thought I had to list all of them, and even in the right order :)

>> (shepherd-service >> (documentation "Run the speaker safety daemon")
>> @@ -346,6 +349,7 @@ (define speakersafetyd-shepherd-service >> "--blackbox-path" #$blackbox-directory >> "--max-reduction" (number->string #$maximum-gain-reduction)) >> #:group #$group >> + #:log-file #$log-file >> #:supplementary-groups '("audio") >> #:user #$user)) >> (stop #~(make-kill-destructor)))))
>
> Otherwise, LGTM!
>
> Could you send a hopefully final v3?

Thanks for your review. Could you have another look?

Roman.
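Review bot: the Change-Id trailer in the commit message of this patch, I870bc7bfd69249da3a9c981f627e751395386bd2, is the same value that patch 2/3 of the series carries, so the two commits cannot be told apart by it. Regenerate the trailer for one of them so each commit in the series keeps its own Change-Id across revisions.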
From: Roman Scherer
To: Maxim Cournoyer
Subject: Re: [bug#77383] [PATCH v2 2/3] gnu: speakersafetyd: Run as unprivileged user.
Date: Wed, 09 Apr 2025 19:31:06 +0200

Hi Maxim,

Maxim Cournoyer writes:

> Hi,
>
> Roman Scherer writes:
>
>> * gnu/services/sound.scm (speakersafetyd): Run as unprivileged user.
>> * doc/guix.texi: Document user and group fields.
>>
>> Change-Id: I870bc7bfd69249da3a9c981f627e751395386bd2
>
> [...]
>
>> +(define speakersafetyd-accounts >> + (match-record-lambda >> + ( blackbox-directory configuration-directory group >> + maximum-gain-reduction speakersafetyd user)
>
> You don't need to list all the fields when using match-record, and I
> assume match-record-lambda as well. Here only `group' and `user'
> appear useful.
>
>> + (list (user-group >> + (name group) >> + (system? #t)) >> + (user-account >> + (name user) >> + (group group) >> + (system? #t) >> + (home-directory "/var/empty") >> + (shell (file-append shadow "/sbin/nologin")) >> + (supplementary-groups '("audio")))))) >> + >> +(define speakersafetyd-activation >> + (match-record-lambda >> + ( blackbox-directory configuration-directory group >> + maximum-gain-reduction speakersafetyd user)
>
> Likewise.
>
>> + (with-imported-modules (source-module-closure '((gnu build activation))) >> + #~(begin >> + (use-modules (gnu build activation)) >> + (let ((user (getpwnam #$user))) >> + (mkdir-p/perms "/run/speakersafetyd" user #o755) >> + (mkdir-p/perms "/var/lib/speakersafetyd" user #o755) >> + ;; Blackbox files contain audio recordings and might be sensitive >> + ;; information >> + (mkdir-p/perms #$blackbox-directory user #o700)))))) >> >> (define speakersafetyd-shepherd-service >> (match-record-lambda >> - (blackbox-directory configuration-directory maximum-gain-reduction speakersafetyd) >> + ( blackbox-directory configuration-directory group >> + maximum-gain-reduction speakersafetyd user) >> (shepherd-service >> (documentation "Run the speaker safety daemon") >> (provision '(speakersafetyd))
>> @@ -306,7 +344,10 @@ (define speakersafetyd-shepherd-service >> (list #$(file-append speakersafetyd "/bin/speakersafetyd") >> "--config-path" #$configuration-directory >> "--blackbox-path" #$blackbox-directory >> - "--max-reduction" (number->string #$maximum-gain-reduction)))) >> + "--max-reduction" (number->string #$maximum-gain-reduction)) >> + #:group #$group >> + #:supplementary-groups '("audio") >> + #:user #$user)) >> (stop #~(make-kill-destructor)))))
>
> Note for a future improvement: we also have a least-authority-wrapper
> defined in (guix least-authority) that can wrap a binary to have it run
> in a Linux container, to further sandbox the process.

Interesting. Didn't know that module. I will take a look.
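Review bot: in the speakersafetyd-activation region, mkdir-p/perms is applied only to the three directories, so anything an earlier root-run daemon already wrote under #$blackbox-directory or /var/lib/speakersafetyd is not visibly handed over to the new user. Either chown the existing contents during activation or describe the manual step in the commit message, so the unprivileged daemon is not left with files it cannot read or replace.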
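Review bot: in the @@ -306,7 +344,10 @@ hunk the '("audio") list is hard-coded a second time; the user-account form earlier in the patch already declares (supplementary-groups '("audio")). Bind the list once and use it in both places so the account definition and the running process cannot drift apart.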
From: Maxim Cournoyer
To: Roman Scherer
Subject: Re: [bug#77383] [PATCH v3 2/3] gnu: speakersafetyd: Run as unprivileged user.
Date: Mon, 14 Apr 2025 15:47:12 +0900

Hi Roman,

Roman Scherer writes:

> * gnu/services/sound.scm (speakersafetyd): Run as unprivileged user.

I've pushed this series, expounding the GNU ChangeLog commit messages
for completeness. See 01a66639efe and the subsequent commit for the
commit message additions. In Magit (emacs-magit), pressing 'C' in each
hunk symbol/thing to document helps automate some of it.
--
Thanks,
Maxim
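A check for the on-disk state that the activation code in patch 2/3, quoted earlier in this thread, is meant to leave behind. This is an added example, not code from the thread or from Guix; the function names are hypothetical, the modes (755, 755, 700) are the ones in the quoted patch, and it assumes GNU coreutils and findutils.

```shell
#!/bin/sh
# Added example: audit the directories created by speakersafetyd-activation.
# The owner is given as a numeric uid, e.g. "$(id -u speakersafetyd)".

# check_dir DIR UID MODE
# Succeeds only if DIR exists and has exactly that owner uid and octal mode.
check_dir() {
    dir=$1 uid=$2 mode=$3
    [ -d "$dir" ] || { echo "MISSING $dir"; return 1; }
    actual=$(stat -c '%u %a' "$dir") || return 1
    if [ "$actual" != "$uid $mode" ]; then
        echo "BAD $dir: have '$actual', want '$uid $mode'"
        return 1
    fi
}

# foreign_entries DIR UID
# Prints every entry below DIR that is not owned by UID, for instance
# files left behind by a daemon that used to run as another user.
foreign_entries() {
    find "$1" -mindepth 1 ! -uid "$2" -print
}

# audit_speakersafetyd UID RUN_DIR STATE_DIR BLACKBOX_DIR
# Returns 0 when all three directories match the patch and the blackbox
# directory holds nothing owned by someone else; returns 1 otherwise.
audit_speakersafetyd() {
    uid=$1 rc=0
    check_dir "$2" "$uid" 755 || rc=1
    check_dir "$3" "$uid" 755 || rc=1
    check_dir "$4" "$uid" 700 || rc=1
    if [ -d "$4" ]; then
        leftovers=$(foreign_entries "$4" "$uid")
        if [ -n "$leftovers" ]; then
            echo "FOREIGN entries in $4:"
            echo "$leftovers"
            rc=1
        fi
    fi
    return "$rc"
}
```

On a deployed system the call would take the uid of the service account, /run/speakersafetyd, /var/lib/speakersafetyd and the configured blackbox directory.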
From: Roman Scherer
To: Maxim Cournoyer
Subject: Re: [bug#77383] [PATCH v3 2/3] gnu: speakersafetyd: Run as unprivileged user.
Date: Mon, 14 Apr 2025 09:30:54 +0200

Hi Maxim,

thanks for your help on this. I will give your magit suggestion a try
next time. I didn't know about that trick.

Thanks Roman.

Maxim Cournoyer writes:

> Hi Roman,
>
> Roman Scherer writes:
>
>> * gnu/services/sound.scm (speakersafetyd): Run as unprivileged user.
>
> I've pushed this series, expounding the GNU ChangeLog commit messages
> for completeness. See 01a66639efe and the subsequent commit for the
> commit message additions. In Magit (emacs-magit), pressing 'C' in each
> hunk symbol/thing to document helps automate some of it.
From: Debbugs Internal Request
To: internal_control@debbugs.gnu.org
Subject: Internal Control
Date: Mon, 12 May 2025 11:24:16 +0000

# This is a fake control message.
#
# The action:
# bug archived.
thanks
# This fakemail brought to you by your local debbugs
# administrator