acl on audio and video devices

This is probably just my own ignorance, but I do not understand why seatd allows me to control the video display and access input devices, so that I can use a Wayland compositor without being member of video or input groups, but I cannot play sound or use webcam without being member of video or audio.

Is this out of scope for seatd, or is there something I'm missing? Naively, I would think that being seated should let me play audio and webcam.


Nicolo Piazzalunga
Assigned to
7 months ago
4 months ago
No labels applied.

~osvein 4 months ago

I think the reason these are not covered by seatd is partly that there is no way to revoke access to ALSA and V4L2 devices. IIRC logind doesn't have a solution to this problem either.

Ideally there would be a generic kernel facility to revoke any type of file descriptor, but this was attempted multiple times before and has turned out to be very difficult to get right.

One option for ALSA and V4L2 is to run a system-wide pipewire instance, along with its alsa-lib module and v4l2loopback.

~kennylevinsen REPORTED BY_DESIGN 4 months ago

The explanation is correct. In logind this is handled by an entirely separate mechanism tied to udev and generally unrelated to seat management as the clients involved are not seat aware.

pam_uaccess is an implementation that handles this without a server, although with a few limitations listed in the readme. Someone could write a uaccessd or a udev hook script to fix some of those limitations if they are important.

Nicolo Piazzalunga 4 months ago · edit

I see. Thanks for the clarifications.

Register here or Log in to comment, or comment via email.