policy-dsp: add ability to hide parent nodes

some hardware devices are never supposed to be accessed directly by clients, and are designed under the assumption that they will be front-loaded by some sort of DSP. add a hide_parent property to policy-dsp and revoke all permissions to the bound node of a DSP graph where this is set to prevent hardware misuse or damage by poorly behaved/configured clients. Signed-off-by: James Calligeros <jcalligeros99@gmail.com>
2026-01-06 12:40:10 +01:00 · 2023-10-29 11:03:36 +10:00 · 2023-10-29 11:03:36 +10:00 · 7a65d76a57
commit 7a65d76a57
parent 98f622f718
1 changed files with 25 additions and 0 deletions
--- a/src/scripts/policy-dsp.lua
+++ b/src/scripts/policy-dsp.lua
@ -28,7 +28,12 @@ nodes_om = ObjectManager {
  Interest { type = "node" },
 }

+clients_om = ObjectManager {
+  Interest { type = "client" }
+}
+
 filter_chains = {}
+hidden_nodes = {}

 nodes_om:connect("object-added", function (om, node)
  for _, r in ipairs(config.rules or {}) do
@ -43,6 +48,17 @@ nodes_om:connect("object-added", function (om, node)
            filter_chains[id] = LocalModule("libpipewire-module-filter-chain", r.filter_chain, {}, true)
          end
        end
+
+        if r.hide_parent then
+          Log.debug("Hiding node " .. node["bound-id"] .. " from clients")
+          for client in clients_om:iterate { type = "client" } do
+            if not client["properties"]["wireplumber.daemon"] then
+              client:update_permissions { [node["bound-id"]] = "-" }
+            end
+          end
+          hidden_nodes[node["bound-id"]] = id
+        end
+
      end
    end
  end
@ -58,4 +74,13 @@ nodes_om:connect("object-removed", function (om, node)
  end
 end)

+clients_om:connect("object-added", function (om, client)
+  for id, _ in pairs(hidden_nodes) do
+    if not client["properties"]["wireplumber.daemon"] then
+      client:update_permissions { [id] = "-" }
+    end
+  end
+end)
+
 nodes_om:activate()
+clients_om:activate()