From 60231bd3ca5169d34813f073e9afb652253fa4e3 Mon Sep 17 00:00:00 2001
From: netblue
Date: Sun, 16 Jan 2022 11:43:21 -0500
Subject: disable pipewire with --nosound
---
 src/firejail/pulseaudio.c | 54 +++++++++++++++++++++++++++++++++++++++++++++++
 src/firejail/sandbox.c | 3 +++
 2 files changed, 57 insertions(+)
(limited to 'src')
diff --git a/src/firejail/pulseaudio.c b/src/firejail/pulseaudio.c
index 2af00e37b..1e2361f70 100644
--- a/src/firejail/pulseaudio.c
+++ b/src/firejail/pulseaudio.c
@@ -25,6 +25,7 @@
 #include
 #include
 #include
+#include
 #include
 #ifndef O_PATH
@@ -33,6 +34,59 @@
 #define PULSE_CLIENT_SYSCONF "/etc/pulse/client.conf"
+
+
+static void disable_rundir_pipewire(const char *path) {
+ assert(path);
+
+ // globbing for path/pipewire-*
+ char *pattern;
+ if (asprintf(&pattern, "%s/pipewire-*", path) == -1)
+ errExit("asprintf");
+
+ glob_t globbuf;
+ int globerr = glob(pattern, GLOB_NOCHECK | GLOB_NOSORT, NULL, &globbuf);
+ if (globerr) {
+ fprintf(stderr, "Error: failed to glob pattern %s\n", pattern);
+ exit(1);
+ }
+
+ int i;
+ for (i = 0; i < globbuf.gl_pathc; i++) {
+ char *dir = globbuf.gl_pathv[i];
+ assert(dir);
+
+ // don't disable symlinks - disable_file_or_dir will bind-mount an empty directory on top of it!
+ if (is_link(dir))
+ continue;
+ disable_file_or_dir(dir);
+ }
+ globfree(&globbuf);
+ free(pattern);
+}
+
+
+
+// disable pipewire socket
+void pipewire_disable(void) {
+ if (arg_debug)
+ printf("disable pipewire\n");
+ // blacklist user config directory
+ disable_file_path(cfg.homedir, ".config/pipewire");
+
+ // blacklist pipewire in XDG_RUNTIME_DIR
+ const char *name = env_get("XDG_RUNTIME_DIR");
+ if (name)
+ disable_rundir_pipewire(name);
+
+ // try the default location anyway
+ char *path;
+ if (asprintf(&path, "/run/user/%d", getuid()) == -1)
+ errExit("asprintf");
+ disable_rundir_pipewire(path);
+ free(path);
+}
+
 // disable pulseaudio socket
 void pulseaudio_disable(void) {
 if (arg_debug)
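Review bot: In `disable_rundir_pipewire` the value of `XDG_RUNTIME_DIR` is pasted into the glob pattern unescaped, so any `*`, `?` or `[` in that environment variable is expanded by `glob()` and every match ending in `pipewire-*` is handed to `disable_file_or_dir`. The variable comes from the caller's environment via `env_get`, and how `disable_file_or_dir` treats the extra paths is not visible here, so I would avoid pattern expansion of `path` altogether and walk the directory with `opendir`/`readdir`, matching the `pipewire-` prefix by hand as sketched below (this needs `<dirent.h>` rather than `<glob.h>`). That also removes the `GLOB_NOCHECK` case where the unexpanded pattern itself is passed on when nothing matches, and the signed `int i` compared against the `size_t` `gl_pathc`. Separately, a symlinked `pipewire-*` entry is skipped silently, which leaves `--nosound` fail-open for that entry; a message under `arg_debug` would make the skip visible.

```c
static void disable_rundir_pipewire(const char *path) {
	assert(path);

	// read the directory entries directly: path is then never interpreted as a pattern
	DIR *dir = opendir(path);
	if (!dir)
		return; // runtime directory not present, nothing to blacklist here

	struct dirent *entry;
	while ((entry = readdir(dir)) != NULL) {
		if (strncmp(entry->d_name, "pipewire-", 9) != 0)
			continue;

		char *fname;
		if (asprintf(&fname, "%s/%s", path, entry->d_name) == -1)
			errExit("asprintf");
		// … unchanged: is_link() skip, then disable_file_or_dir(fname) …
		free(fname);
	}
	closedir(dir);
}
```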
diff --git a/src/firejail/sandbox.c b/src/firejail/sandbox.c
index 0e4e1a36e..c351b8e94 100644
--- a/src/firejail/sandbox.c
+++ b/src/firejail/sandbox.c
@@ -1051,6 +1051,9 @@ int sandbox(void* sandbox_arg) {
 // disable pulseaudio
 pulseaudio_disable();
+ // disable pipewire
+ pipewire_disable();
+
 // disable /dev/snd
 fs_dev_disable_sound();
 }
--
cgit v1.2.3-70-g09d2
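Review bot: The new call is documented only as `// disable pipewire`, but `pipewire_disable()` as added in pulseaudio.c hides just `.config/pipewire` in the home directory and `pipewire-*` entries under `XDG_RUNTIME_DIR` and `/run/user/UID`. PipeWire clients, as far as I know, consult `PIPEWIRE_RUNTIME_DIR` before `XDG_RUNTIME_DIR`, so a socket located through that variable would presumably stay reachable inside the sandbox. I would either handle that variable in `pipewire_disable()` or state the limit at the call site, e.g. `// disable pipewire (XDG_RUNTIME_DIR and /run/user/UID sockets only)`. The enclosing block and its condition start outside the hunk.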