This is probably just my own ignorance, but I do not understand why seatd allows me to control the video display and access input devices, so that I can use a Wayland compositor without being a member of the video or input groups, but I cannot play sound or use a webcam without being a member of video or audio.
Is this out of scope for seatd, or is there something I'm missing? Naively, I would think that being seated should let me play audio and webcam.
Thanks.
I think the reason these are not covered by seatd is partly that there is no way to revoke access to ALSA and V4L2 devices. IIRC logind doesn't have a solution to this problem either.
Ideally there would be a generic kernel facility to revoke any type of file descriptor, but this was attempted multiple times before and has turned out to be very difficult to get right.
One option for ALSA and V4L2 is to run a system-wide pipewire instance, along with its alsa-lib module and v4l2loopback.
The explanation is correct. In logind this is handled by an entirely separate mechanism tied to udev and generally unrelated to seat management as the clients involved are not seat aware.
pam_uaccess is an implementation that handles this without a server, although with a few limitations listed in the readme. Someone could write a uaccessd or a udev hook script to fix some of those limitations if they are important.
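The revocation gap described in the replies above, as an added example that is not part of the thread: permissions are checked at open(), so removing access to a node afterwards only blocks later opens, while a descriptor that is already open keeps working. A temporary file stands in for an ALSA or V4L2 device node, and the function name and sample content are hypothetical.

```python
import os
import stat
import tempfile


def revocation_gap():
    """Show that a permission change does not revoke an already-open descriptor.

    Assumption: a temporary file stands in for a device node; the permission
    check being demonstrated happens at open() time in both cases.
    """
    fd_new, path = tempfile.mkstemp()
    try:
        os.write(fd_new, b"frame-data")  # constructed sample content
        os.close(fd_new)

        # "Session active": the user opens the node while access is granted.
        held = os.open(path, os.O_RDONLY)

        # "Session ends": the access manager strips every permission bit.
        os.chmod(path, 0)

        # A fresh open() is refused, unless the caller bypasses DAC (e.g. root).
        try:
            os.close(os.open(path, os.O_RDONLY))
            reopen_denied = False
        except PermissionError:
            reopen_denied = True

        # The descriptor obtained earlier still reads: nothing revoked it.
        data = os.read(held, 64)
        os.close(held)
        return {
            "mode_after": stat.S_IMODE(os.stat(path).st_mode),
            "reopen_denied": reopen_denied,
            "held_fd_read": data,
            "privileged": os.geteuid() == 0,
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(revocation_gap())
```
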
I see. Thanks for the clarifications.
Are the recently (6.13) added syscalls setxattrat(), getxattrat(), listxattrat() and removexattrat() relevant to this?