PipeWire Module: Access

The access module performs access checks on clients.

The access check is only performed once per client, subsequent checks return the same resolution.

Permissions assigned to a client are configured as arguments to this module, see the example configuration below. A special use-case is Flatpak where the permission management is delegated.

This module sets the PW_KEY_ACCESS property to one of

• allowed: the client is explicitly allowed to access all resources
• rejected: the client does not have access to any resources and a resource error is generated
• restricted: the client is restricted, see note below
• flatpak: restricted, special case for clients running inside flatpak, see note below
• $access.force: the value of the access.force argument given in the module configuration.
• unrestricted: the client is allowed to access all resources. This is the default for clients not listed in any of the access.* options unless the client requested reduced permissions in PW_KEY_CLIENT_ACCESS.

Note

Clients with a resolution other than allowed or rejected rely on an external actor to update that property once permission is granted or rejected.

For connections from applications running inside Flatpak not mediated by a portal, the access module itself sets the pipewire.access.portal.app_id property to the Flatpak application ID.

Module Options

Options specific to the behavior of this module

• access.allowed = []: an array of paths of allowed applications
• access.rejected = []: an array of paths of rejected applications
• access.restricted = []: an array of paths of restricted applications
• access.force = <str>: forces an external permissions check (e.g. a flatpak portal)

General options

Options with well-known behavior:

• PW_KEY_ACCESS
• PW_KEY_CLIENT_ACCESS

Example configuration

 context.modules = [
  {   name = libpipewire-module-access
      args = {
          access.allowed = [
              /usr/bin/pipewire-media-session
              /usr/bin/important-thing
          ]
 
          access.rejected = [
              /usr/bin/microphone-snooper
          ]
 
          #access.restricted = [ ]
 
          # Anything not in the above lists gets assigned the
          # access.force permission.
          #access.force = flatpak
      }
  }
]

See also

pw_resource_error

pw_impl_client_update_permissions