gnu: speakersafetyd: Run as unprivileged user.

* gnu/services/sound.scm (speakersafetyd): Run as unprivileged user. (speakersafetyd-accounts): New procedure. (speakersafetyd-activation): Likewise. (speakersafetyd-shepherd-service): Specify the #:group, #:user and #:supplementary-groups arguments. (speakersafetyd-service-type): Extend activation-service-type. Change-Id: I870bc7bfd69249da3a9c981f627e751395386bd2
2026-04-06 13:10:33 +02:00 · 2025-04-09 19:26:10 +02:00
parent f4681dce23
commit 01a66639ef
2 changed files with 53 additions and 4 deletions
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -27267,12 +27267,18 @@ reporting bugs.
 The base directory as a G-expression (@pxref{G-Expressions}) that
 contains the configuration files of the speaker models.

+@item @code{group} (default: @code{"speakersafetyd"}) (type: string)
+The group to run the Speaker Safety Daemon as.
+
@item @code{maximum-gain-reduction} (default: @code{7}) (type: integer)
 Maximum gain reduction before panicking, useful for debugging.

@item @code{speakersafetyd} (default: @code{speakersafetyd}) (type: file-like)
 The Speaker Safety Daemon package to use.

+@item @code{user} (default: @code{"speakersafetyd"}) (type: string)
+The user to run the Speaker Safety Daemon as.
+
@end table
@end deftp
@c %end of fragment
--- a/gnu/services/sound.scm
+++ b/gnu/services/sound.scm
@@ -29,10 +29,12 @@
  #:use-module (gnu system shadow)
  #:use-module (guix diagnostics)
  #:use-module (guix gexp)
+  #:use-module (guix modules)
  #:use-module (guix packages)
  #:use-module (guix records)
  #:use-module (guix store)
  #:use-module (guix ui)
+  #:use-module (gnu packages admin)
  #:use-module (gnu packages audio)
  #:use-module (gnu packages linux)
  #:use-module (gnu packages pulseaudio)
@@ -288,16 +290,50 @@ the developers of @code{speakersafetyd} might ask for when reporting bugs.")
   (file-like (file-append speakersafetyd "/share/speakersafetyd"))
   "The base directory as a G-expression (@pxref{G-Expressions}) that contains
 the configuration files of the speaker models.")
+  (group
+   (string "speakersafetyd")
+   "The group to run the Speaker Safety Daemon as.")
  (maximum-gain-reduction
   (integer 7)
   "Maximum gain reduction before panicking, useful for debugging.")
  (speakersafetyd
   (file-like speakersafetyd)
-   "The Speaker Safety Daemon package to use."))
+   "The Speaker Safety Daemon package to use.")
+  (user
+   (string "speakersafetyd")
+   "The user to run the Speaker Safety Daemon as."))
+
+(define speakersafetyd-accounts
+  (match-record-lambda <speakersafetyd-configuration>
+      (group user)
+    (list (user-group
+           (name group)
+           (system? #t))
+          (user-account
+           (name user)
+           (group group)
+           (system? #t)
+           (home-directory "/var/empty")
+           (shell (file-append shadow "/sbin/nologin"))
+           (supplementary-groups '("audio"))))))
+
+(define speakersafetyd-activation
+  (match-record-lambda <speakersafetyd-configuration>
+      (blackbox-directory group user)
+    (with-imported-modules (source-module-closure '((gnu build activation)))
+      #~(begin
+          (use-modules (gnu build activation))
+          (let ((user (getpwnam #$user)))
+            (mkdir-p/perms "/run/speakersafetyd" user #o755)
+            (mkdir-p/perms "/var/lib/speakersafetyd" user #o755)
+            ;; Blackbox files contain audio recordings and might be sensitive
+            ;; information
+            (mkdir-p/perms #$blackbox-directory user #o700))))))

 (define speakersafetyd-shepherd-service
  (match-record-lambda <speakersafetyd-configuration>
-      (blackbox-directory configuration-directory maximum-gain-reduction speakersafetyd)
+      ( blackbox-directory configuration-directory group
+        maximum-gain-reduction speakersafetyd user)
    (shepherd-service
     (documentation "Run the speaker safety daemon")
     (provision '(speakersafetyd))
@@ -306,7 +342,10 @@ the configuration files of the speaker models.")
               (list #$(file-append speakersafetyd "/bin/speakersafetyd")
                     "--config-path" #$configuration-directory
                     "--blackbox-path" #$blackbox-directory
-                     "--max-reduction" (number->string #$maximum-gain-reduction))))
+                     "--max-reduction" (number->string #$maximum-gain-reduction))
+               #:group #$group
+               #:supplementary-groups '("audio")
+               #:user #$user))
     (stop #~(make-kill-destructor)))))

 (define speakersafetyd-service-type
@@ -324,7 +363,11 @@ model.  It can be used to protect the speakers on Apple Silicon devices.")
           (compose list speakersafetyd-configuration-speakersafetyd))
          (service-extension
           profile-service-type
-           (compose list speakersafetyd-configuration-speakersafetyd))))
+           (compose list speakersafetyd-configuration-speakersafetyd))
+          (service-extension account-service-type
+                             speakersafetyd-accounts)
+          (service-extension activation-service-type
+                             speakersafetyd-activation)))
   (default-value (speakersafetyd-configuration))))

 ;;; sound.scm ends here