diff --git a/default.pa-for-gdm b/default.pa-for-gdm
index 62d820b..43dc7ed 100644
--- a/default.pa-for-gdm
+++ b/default.pa-for-gdm
@@ -10,3 +10,17 @@ load-module module-suspend-on-idle
 load-module module-console-kit
 load-module module-position-event-sounds
+### unload driver modules for Bluetooth hardware
+### this ensure Bluetooth headset are not stolen by gdm pulseaudio instance
+.nofail
+
+.ifexists module-bluetooth-policy.so
+unload-module module-bluetooth-policy
+.endif
+
+.ifexists module-bluetooth-discover.so
+unload-module module-bluetooth-discover
+.endif
+
+.fail
+
diff --git a/pulseaudio-gdm-hooks.tmpfiles b/pulseaudio-gdm-hooks.tmpfiles
index 3a9be6b..66cd32b 100644
--- a/pulseaudio-gdm-hooks.tmpfiles
+++ b/pulseaudio-gdm-hooks.tmpfiles
@@ -1,2 +1,2 @@
-d /var/lib/gdm/.pulse 0755 - - -
-C /var/lib/gdm/.pulse/default.pa 0644 - - - /usr/share/factory/var/lib/gdm/.pulse/default.pa
+d /var/lib/gdm/.pulse 0700 gdm gdm -
+C /var/lib/gdm/.pulse/default.pa 0600 gdm gdm - /usr/share/factory/var/lib/gdm/.pulse/default.pa
diff --git a/pulseaudio-old-systemd-workaround.patch b/pulseaudio-old-systemd-workaround.patch
index 4ab5b9d..110a3db 100644
--- a/pulseaudio-old-systemd-workaround.patch
+++ b/pulseaudio-old-systemd-workaround.patch
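Review bot: The two `unload-module` lines only have an effect if module-bluetooth-policy and module-bluetooth-discover were loaded earlier in this file (for example through an `.include` of the system default.pa); the part of the file above line 10 is outside the hunk, so that should be confirmed. The comment would be more useful if it also explained the `.nofail`/`.fail` pair, e.g. `### .nofail: unloading a module that is not loaded must not abort startup of the gdm instance`. The existing second comment line reads better as `### this ensures Bluetooth headsets are not claimed by the gdm pulseaudio instance`.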
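Review bot: The `C` line copies default.pa only when the destination does not exist yet, so on a system that already has /var/lib/gdm/.pulse/default.pa the Bluetooth unload lines from this commit and, as far as I can tell, the new 0600 gdm:gdm mode and ownership will not reach the existing file. If upgraded installations are meant to get the change, the package needs a step that replaces or removes the stale copy, which is not visible in this diff. These lines now also need the `gdm` user and group to resolve when systemd-tmpfiles runs, so the subpackage should depend on whatever creates that account. A short comment such as `# private to gdm: only the greeter's PulseAudio instance reads this` would record why the modes were tightened.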
@@ -2,9 +2,18 @@
 src/daemon/systemd/user/pulseaudio.service.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
---- a/src/daemon/systemd/user/pulseaudio.service.in
-+++ b/src/daemon/systemd/user/pulseaudio.service.in
-@@ -24,7 +24,7 @@ NoNewPrivileges=yes
+Index: pulseaudio-13.0/src/daemon/systemd/user/pulseaudio.service.in
+===================================================================
+--- pulseaudio-13.0.orig/src/daemon/systemd/user/pulseaudio.service.in 2019-09-13 15:10:23.000000000 +0200
++++ pulseaudio-13.0/src/daemon/systemd/user/pulseaudio.service.in 2019-10-07 17:43:52.208067968 +0200
+@@ -18,13 +18,13 @@
+
+ [Service]
+ ExecStart=@PA_BINARY@ --daemonize=no
+-LockPersonality=yes
++#LockPersonality=yes
+ MemoryDenyWriteExecute=yes
+ NoNewPrivileges=yes
 Restart=on-failure
 RestrictNamespaces=yes
 SystemCallArchitectures=native
diff --git a/pulseaudio-rpmlintrc b/pulseaudio-rpmlintrc
new file mode 100644
index 0000000..3876101
--- /dev/null
+++ b/pulseaudio-rpmlintrc
@@ -0,0 +1,3 @@
+# Filter out warnings about hidden files in pulseaudio-gdm-hooks -- they are ok/expected
+addFilter("hidden-file-or-dir .*/usr/share/factory/var/lib/gdm/.pulse")
+addFilter("hidden-file-or-dir .*/var/lib/gdm/.pulse")
diff --git a/pulseaudio.changes b/pulseaudio.changes
index a7aa25c..b6e4339 100644
--- a/pulseaudio.changes
+++ b/pulseaudio.changes
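Review bot: Commenting out `LockPersonality=yes` removes that sandboxing directive from the user unit on every build that applies this patch, not only on the older systemd that the changelog names (Leap 15.x). Whether the spec applies the patch conditionally is not visible here; if it does not, it should be guarded by a distribution-version conditional so current targets keep the hardening. The patch header still carries the old diffstat and has no description, so a sentence stating which systemd version needs the workaround and what fails without it would help whoever later decides it can be dropped. The inner hunk of the embedded patch continues past the end of this hunk.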
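Review bot: The first `addFilter` is redundant, because the `.*` in `hidden-file-or-dir .*/var/lib/gdm/.pulse` already matches the `/usr/share/factory` prefix. The dot in `.pulse` is an unescaped regex wildcard, so the pattern is slightly wider than the comment says. A single `addFilter(r"hidden-file-or-dir .*/var/lib/gdm/\.pulse")` keeps the exemption to the one expected directory name.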
@@ -1,3 +1,22 @@
+-------------------------------------------------------------------
+Mon Oct 7 15:25:25 UTC 2019 - Frederic Crozat
+
+- Update pulseaudio-gdm-hooks.tmpfiles to use the same ownership
+ and permissions as in specfile for pulseaudio files.
+- Update default.pa-for-gdm to not load bluetooth support in
+ pulseaudio gdm instance. This ensure headset are not stolen by
+ gdm instance instead of user instance. Idea from ArchLinux.
+- Update pulseaudio-old-systemd-workaround.patch to disable
+ LockPersonality also on Leap 15.x.
+
+-------------------------------------------------------------------
+Sun Sep 22 19:40:15 UTC 2019 - Bjørn Lie
+
+- Pass --disable-running-from-build-tree to configure for improving
+ build reproducibility.
+- Add pulseaudio-rpmlintrc: Filter out false positive warnings
+ about hidden files in pulseaudio-gdm-hooks.
+
 -------------------------------------------------------------------
 Mon Sep 16 08:42:14 UTC 2019 - Bjørn Lie
diff --git a/pulseaudio.spec b/pulseaudio.spec
index 7179646..957c9fd 100644
--- a/pulseaudio.spec
+++ b/pulseaudio.spec
@@ -41,6 +41,7 @@ Source6: disable_flat_volumes.conf
 Source7: pulseaudio.tmpfiles
 Source8: pulseaudio-gdm-hooks.tmpfiles
 Source9: client-system.conf
+Source98: pulseaudio-rpmlintrc
 Source99: baselibs.conf
 Patch0: disabled-start.diff
 Patch1: suppress-socket-error-msg.diff
@@ -355,6 +356,7 @@ export CFLAGS="%{optflags} -fPIE"
 %configure \
 --disable-static \
 --disable-rpath \
+ --disable-running-from-build-tree \
 %ifarch armv5tel armv6hl
 --disable-neon-opt \
 %endif