Cache the rules in a global variable in each script, as JSON,
and use JsonUtils directly to evaluate them. This will allow us to
close the WpConf in the future after loading the scripts.
Also change the order of the return values of the match_rules_apply_properties
function to be able to easily ignore the number of changed values,
which is useless in most cases.
In some cases we need to get a section as JSON, so that we can pass it
down to the rules parser, while in other cases we neeed to get it as a
table to use it natively, and in that case we even need to differentiate
between it being an object, an array or an object with WpProperties.
Make it also possible to optionally pass tables with default values to
the functions so that we can get rid of cutils.get_config_section()
as well.
This patch adds to wireplumber code to manage the Snap audio
permissions.
SNAP containers have two main "audio" rules:
* audio-playback: the applications inside the container can
send audio samples into a sink
* audio-record: the applications inside the container can
get audio samples from a source
Also, old SNAP containers had the "pulseaudio" rule, which just
exposed the pulseaudio socket directly, without limits. This
is similar to the current Flatpak audio permissions.
In the pulseaudio days, an specific pulseaudio module was used
that checked the permissions given to the application and
allowed or forbide access to the pulseaudio operations.
With the change to pipewire, this functionality must be
implemented in pipewire-pulse and wireplumber to guarantee
the sandbox security.
The current code checks for the presence of the pipewire.snap.id
property in a client, in which case it will read the
pipewire.snap.audio.playback and pipewire.snap.audio.record
properties, and allow or deny access to that client to
the nodes with Audio/Sink or Audio/Source media.class
property.
See !567 and pipewire!1779
Note: this requires all existing config files to be modified to follow
pipewire's rules syntax, with an "actions" object wrapping the
"update-props" object.
Handle client-requested and flatpak access on the session manager side.
Pipewire daemon doesn't know about the intended permission hierarchy, so
it is better done on the session manager side, where all the rules are.
The "default" access is used for normal clients, in the use case where
Pipewire server will not assign permissions itself but leaves it to the
session manager. In this use case only session manager has
"unrestricted".
Make "default" equal to "unrestricted" in the default access
configuration.
This patch also moves nested configuration objects that are not considered
settings from the wireplumber.settings section to its own configuration
section (eg the rules array, the spa plugin properties, etc...). This allows
those objects to be merged with other same sections defined in other files.
* client: Logic that deals with configuring clients (basically, permissions)
* device: Anyhing that that deals with configuring devices (profiles, routes, ...)
* node: Anything that deals with node objects: configuring nodes, changing
their state, their properties and also creating new nodes (but NOT linking them)
* linking: All the logic for creating links between nodes (and obviously,
deciding which links to create)
* monitors: Scripts that deal with hardware subsystems, mainly monitoring
hardware changes and reflecting them on pipewire
* default-nodes: All the logic for selecting the default sinks and sources
