refpolicy-targeted: Add SELinux policy for pipewire_stack

[rchiluka29]

Introduce a new SELinux policy module 'pipewire_stack' to confine the
PipeWire multimedia daemon and its associated runtime under a dedicated
least-privilege domain.

Changes include:

• pipewire_stack.fc: File context definitions for PipeWire executables,
  configuration, shared data, runtime sockets, and persistent state
  under /usr/bin, /etc/pipewire, /usr/share/pipewire, /run/pipewire,
  and /var/lib/pipewire respectively.

• pipewire_stack.if: Interface file stub for the pipewire_stack policy
  module, reserved for future cross-module interface definitions.

• pipewire_stack.te: Type enforcement policy for the pipewire_t domain
  covering:

  • Process control: fork, signal handling, and scheduling (sys_nice)
    for low-latency audio operation
  • Runtime socket and directory management under /run/pipewire
  • ALSA sound device access (sound_device_t)
  • DMA device access (dma_device_t) for hardware audio offload
  • Shared memory (tmpfs/memfd) for zero-copy audio buffer handling
  • PulseAudio runtime compatibility (/run/pulse probing and PID file
    management)
  • sysfs and procfs read access for hardware discovery
  • System logging via syslog and systemd journal
  • Suppressed audit noise for expected /proc scan denials via
    dontaudit rules

[anujm1]

Why/How is it Inappropriate and Qualcomm specific?

[ricardosalveti]

This looks quite generic to me.

[rchiluka29]

Updated the commit message and patch.

pipewire_stack.fc contains two Qualcomm-specific device node labels (/dev/aud_pasthru.* and /dev/msm_audio_mem.*) which are AudioReach ADSP communication devices present only on Qualcomm platforms

[lumag]

Please split this into logical changes. AudioReach-specific changes should go to meta-audioreach.

[rchiluka29]

I did split the changes. This pr contains the generic changes. shall I raise for audioreach-specific changes in other PR ?

[lumag]

The audtioreach-specific changes should go to meta-audioreach.

[rchiluka29]

But, in meta-audioreach (https://github.com/Audioreach/meta-audioreach), we don't have selinux related things right ?

[lumag]

Right. But nothing stops you from adding the dynamic layer there.

[lumag]

Nothing up to this line is Qualcomm-specific. Should those definitions go to the main repo instead?

[rchiluka29]

Raised PR on main repo: SELinuxProject/refpolicy#1109

[lumag]

No stray merges,

[lumag]

Please come back when it's at least Submitted (or better, Backport).

[rchiluka29]

Hi @lumag, the upstream refpolicy PR has been submitted and is actively under review here:
SELinuxProject/refpolicy#1109

A note on the evolution of that PR: the initial version was written as a system service using init_daemon_domain, since that matched our deployment model on the Qualcomm platform. The upstream maintainer (pebenito) pointed out that the common case for PipeWire is as a user service, not a system service. I reworked the policy accordingly and the module was moved from policy/modules/services/ to policy/modules/apps/, init_daemon_domain was replaced with userdom_user_application_domain, and all other review feedback has been addressed. Please let me know if you'd like any further changes here.

[lumag]

Please use tunable to support both modes (in the upstream commit). We definitely don't want a separate implementation inside our layer.

[rchiluka29]

Understood. I'll add a pipewire_system_service tunable to the upstream PR so both modes are covered in a single implementation. The tunable will default to false (user service, as requested by pebenito) and when set to true will switch to init_daemon_domain, system runtime paths (/run/pipewire), and system state paths (/var/lib/pipewire). Once that's merged upstream, the Upstream-Status here can be updated to Backport.

Please confirm on this once.

[lumag]

SGTM