PipeWire  0.3.36
Portal Access Control

This document explains how clients from the portal are handled.

The portal is a DBus service that exposes interfaces to request access to the PipeWire daemon to perform a certain set of functions. The PipeWire daemon runs outside the sandbox, the portal is a way for clients inside the sandbox to connect to and use PipeWire.

The PipeWire socket is not exposed in the sandbox. Instead, The portal connects to PipeWire on behalf of the client, informing PipeWire that this client is a portal-managed client. PipeWire can detect and enforce extra permission checks on the portal managed clients.

Once such portal is the Camera portal that provides a PipeWire session to stream video from a camera.

Use cases

new portal managed clients need device permissions configured

When a new client is detected, the available objects need to be scanned and permissions configured for each of them.

Only the devices belonging to the media_roles given by the portal are considered.

new devices need to be made visible to portal managed clients

Newly created objects are made visible to a client when the client is allowed to interact with it.

Only the devices belonging to the media_roles given by the portal are considered.

permissions for a device need to be revoked

The session manager listens to changes in the permissions of devices and will remove the client permissions accordingly.

Usually this is implemented by listening to the permission store DBus object. The desktop environment might provide a configuration panel where these permissions can be managed.

Design

The portal

A sandboxed client cannot connect to PipeWire directly. Instead, it connects to the sandbox side of the portal which then connects the PipeWire daemon to configure the session. The portal then hands the file descriptor of the PipeWire connection to the client and the client can use this file descriptor to interface with the PipeWire session directly.

When the portal connects, it will set the following properties on the client object:

  • "pipewire.access.portal.is_portal" = true for the connection of the portal itself (as opposed to a client managed by the portal).
  • "pipewire.access.portal.app_id" the application id of the client.
  • "pipewire.access.portal.media_roles" media roles of the client. Currently only "Camera" is defined.

Before returning the connection to a client, the portal configures minimal permissions on the client. No objects are initially visible. It is the task of the PipeWire Session Manager to make the objects in the graph visible, depending on the client's media_roles (see also PW_KEY_MEDIA_ROLE).

The PipeWire portal module

The pipewire daemon uses the PipeWire Module: Portal to find the PID of the processes that owns the DBus name org.freedesktop.portal.Desktop (see the XDG Desktop Portal).

Client connections from this PID are tagged as PW_KEY_ACCESS "portal" (see PipeWire Module: Access). It will also set ALL permissions for this client so that it can resume.

dot_inline_dotgraph_1.png

The client

A client can ask the portal for a connection to the PipeWire daemon.

dot_inline_dotgraph_2.png

The portal maintains an (unrestricted) connection to the PipeWire daemon with "pipewire.access.portal.is_portal" = true to identify the nodes the client needs access to. It then creates a new restricted connection for the client, tagged with additional information.

dot_inline_dotgraph_3.png

The file descriptor for this restricted connection is passed back to the client which can now make use of the resources it has been permitted to access.

dot_inline_dotgraph_4.png

The session manager

The session manager listens for new clients to appear. It will use the PW_KEY_ACCESS property to find portal connections. For client connections from the portal the session manager checks the requested media_roles and enables or disables access to the respective PipeWire objects. It might have to consult a database to decide what is allowed, for example the org.freedesktop.impl.portal.PermissionStore.

dot_inline_dotgraph_5.png

In the case of the XDG Desktop Portal, the portal itself queries the PermissionStore directly.