Set user for systemd services during configuration

arkq · Jul 14, 2022 · 853db0d · 853db0d
1 parent ed63ab0
commit 853db0d
Show file tree

Hide file tree

Showing 7 changed files with 45 additions and 6 deletions.
diff --git a/README.md b/README.md
@@ -205,9 +205,8 @@ wiki page.
 
    Additionally, the cause of the "PCM not found" error might be an incorrect ALSA PCM name. Run
    `bluealsa-aplay --list-pcms` for the list of currently available ALSA PCM names - it might give
-   you a hint what is wrong with your `.asoundrc` entry. Also, take a look at the "[Using the
-   bluealsa ALSA pcm plugin](https://github.com/Arkq/bluez-alsa/wiki/Using-the-bluealsa-ALSA-pcm-plugin)"
-   bluez-alsa wiki page.
+   you a hint what is wrong with your `.asoundrc` entry. Also, take a look at the
+   [bluealsa-plugins man page](./doc/bluealsa-plugins.7.rst).
 
 ## Resources
 

diff --git a/configure.ac b/configure.ac
@@ -229,7 +229,8 @@ AM_COND_IF([ENABLE_UPOWER], [
 ])
 
 AC_ARG_ENABLE([payloadcheck],
-	[AS_HELP_STRING([--disable-payloadcheck], [disable RTP payload type check (workaround for a PulseAudio bug)])])
+	[AS_HELP_STRING([--disable-payloadcheck], [disable RTP payload type check (workaround
+		for PulseAudio < 13.0 bug)])])
 AM_CONDITIONAL([ENABLE_PAYLOADCHECK], [test "x$enable_payloadcheck" != "xno"])
 AM_COND_IF([ENABLE_PAYLOADCHECK], [
 	AC_DEFINE([ENABLE_PAYLOADCHECK], [1], [Define to 1 if PAYLOADCHECK is enabled.])
@@ -340,6 +341,22 @@ AC_ARG_WITH([systemdbluealsaaplayargs],
 	[systemdbluealsaaplayargs=""])
 AC_SUBST([SYSTEMD_BLUEALSA_APLAY_ARGS], [$systemdbluealsaaplayargs])
 
+AC_ARG_WITH([bluealsauser],
+	AS_HELP_STRING([--with-bluealsauser=USER], [set up installation to run bluealsa as user
+		USER, defaults to root if not specified. When used with bluez <= 5.50, USER must be a
+		member of the "bluetooth" group.]),
+	[bluealsauser="${withval}"],
+	[bluealsauser="root"])
+AC_SUBST([BLUEALSA_USER], [$bluealsauser])
+
+AC_ARG_WITH([bluealsaaplayuser],
+	AS_HELP_STRING([--with-bluealsaaplayuser=USER], [set up installation to run bluealsa-aplay
+		as user USER, defaults to root if not specified. USER must be a member of the "audio"
+		group.]),
+	[bluealsaaplayuser="${withval}"],
+	[bluealsaaplayuser="root"])
+AC_SUBST([BLUEALSA_APLAY_USER], [$bluealsaaplayuser])
+
 AC_CONFIG_FILES([
 	Makefile
 	doc/Makefile

diff --git a/misc/systemd/Makefile.am b/misc/systemd/Makefile.am
@@ -3,6 +3,8 @@
 
 systemdbluealsaargs = $(SYSTEMD_BLUEALSA_ARGS)
 systemdbluealsaaplayargs = $(SYSTEMD_BLUEALSA_APLAY_ARGS)
+bluealsauser = $(BLUEALSA_USER)
+bluealsaaplayuser = $(BLUEALSA_APLAY_USER)
 
 systemdsystemunitdir = $(SYSTEMD_SYSTEM_UNIT_DIR)
 
@@ -16,7 +18,9 @@ MOSTLYCLEANFILES = $(dist_systemdsystemunit_DATA)
 SYSTEMD_SERVICE_SUBS = \
 	s,[@]bindir[@],$(bindir),g; \
 	s,[@]systemdbluealsaargs[@],$(systemdbluealsaargs),g; \
-	s,[@]systemdbluealsaaplayargs[@],$(systemdbluealsaaplayargs),g;
+	s,[@]systemdbluealsaaplayargs[@],$(systemdbluealsaaplayargs),g; \
+	s,[@]bluealsauser[@],$(bluealsauser),g; \
+	s,[@]bluealsaaplayuser[@],$(bluealsaaplayuser),g;
 
 .in:
 	$(SED) -e '$(SYSTEMD_SERVICE_SUBS)' < $< > $@
diff --git a/misc/systemd/bluealsa-aplay.service.in b/misc/systemd/bluealsa-aplay.service.in
@@ -15,6 +15,8 @@ Requisite=dbus.service
 
 [Service]
 Type=simple
+User=@bluealsaaplayuser@
+Group=audio
 ExecStart=@bindir@/bluealsa-aplay @systemdbluealsaaplayargs@
 Restart=on-failure
 
@@ -28,13 +30,16 @@ MemoryDenyWriteExecute=true
 NoNewPrivileges=true
 PrivateTmp=true
 PrivateUsers=true
+ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true
 ProtectKernelLogs=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
+ProtectProc=invisible
 ProtectSystem=strict
+RemoveIPC=true
 RestrictAddressFamilies=AF_UNIX
 RestrictNamespaces=true
 RestrictRealtime=true

diff --git a/misc/systemd/bluealsa.service.in b/misc/systemd/bluealsa.service.in
@@ -17,6 +17,7 @@ After=bluetooth.service
 [Service]
 Type=dbus
 BusName=org.bluealsa
+User=@bluealsauser@
 ExecStart=@bindir@/bluealsa @systemdbluealsaargs@
 Restart=on-failure
 
@@ -29,13 +30,16 @@ NoNewPrivileges=true
 PrivateDevices=true
 PrivateTmp=true
 PrivateUsers=true
+ProtectClock=true
 ProtectControlGroups=true
 ProtectHome=true
 ProtectHostname=true
 ProtectKernelLogs=true
 ProtectKernelModules=true
 ProtectKernelTunables=true
+ProtectProc=invisible
 ProtectSystem=strict
+RemoveIPC=true
 RestrictAddressFamilies=AF_UNIX AF_BLUETOOTH
 RestrictNamespaces=true
 RestrictRealtime=true

diff --git a/src/Makefile.am b/src/Makefile.am
@@ -5,6 +5,7 @@ bin_PROGRAMS = bluealsa
 SUBDIRS = asound
 
 dbusconfdir = @DBUS_CONF_DIR@
+dbusbluealsauser = @BLUEALSA_USER@
 dist_dbusconf_DATA = bluealsa.conf
 
 bluealsa_SOURCES = \
@@ -127,3 +128,12 @@ LDADD = \
 	@MPG123_LIBS@ \
 	@SBC_LIBS@ \
 	@SPANDSP_LIBS@
+
+SUFFIXES = .conf.in .conf
+MOSTLYCLEANFILES = $(dist_dbusconf_DATA)
+
+DBUSCONF_SUBS = \
+	s,[@]bluealsauser[@],$(dbusbluealsauser),g;
+
+.conf.in.conf:
+	$(SED) -e '$(DBUSCONF_SUBS)' < $< > $@
diff --git a/src/bluealsa.conf → src/bluealsa.conf.in b/src/bluealsa.conf → src/bluealsa.conf.in
@@ -7,7 +7,7 @@
 
   <!-- ../system.conf have denied everything, so we just punch some holes -->
 
-  <policy user="root">
+  <policy user="@bluealsauser@">
     <allow own_prefix="org.bluealsa"/>
     <allow send_destination="org.bluealsa"/>
   </policy>