From: Alyssa Ross
To: Demi Marie Obenour, devel@spectrum-os.org
Subject: Re: Camera virtualization in Spectrum
Date: Thu, 05 Jun 2025 15:10:23 +0200
Message-ID: <87bjr2cp1c.fsf@alyssa.is>
List-Id: Patches and low-level development discussion

Demi Marie Obenour writes:

> Instead, I think it is necessary to add a media server.  This server
> would expose a virtio-media output device to the VM with the camera,
> and would expose a virtio-media capture device to all VMs on the system,
> not just those authorized to receive video.  This is because camera
> hotplug is not properly handled by at least Google Chrome, so I expect
> other applications to also mishandle it.  Instead, a VM that does not
> have camera permission can be given a camera that always records black,
> as if the user had covered the camera.  PipeWire is the only existing
> implementation of a media server I know of that allows custom media
> devices to be implemented out-of-process, so it is the best choice I
> know of.  PipeWire is also considered the future by the entire Linux
> desktop community.

I'm surprised that camera hotplug isn't handled properly, given things
like laptop camera switches and USB webcams.  How does it go wrong?

So you're proposing passing the camera through to a VM that runs a
PipeWire media server, and then exposes virtio-media outputs from that
media server to other VMs?

> One other factor that I did not consider at all during the discussion is
> the need to implement the XDG microphone and camera portals.
> These portals are based on PipeWire, and PipeWire cannot be directly used
> across VMs.  This is partially because of security, but it is also
> because PipeWire relies on SCM_RIGHTS file descriptor passing, eventfds,
> and other Linux kernel APIs that do not work across the VM boundary.
> Therefore, it is necessary to either run PipeWire in the guest, or run
> a daemon in the guest that exposes the same interface PipeWire does.
> All portals supported in Spectrum that prompt the user require a
> Spectrum-specific implementation so that the prompt happens on the host.

It doesn't look like the Camera portal is something that
xdg-desktop-portal delegates to a backend either, so we don't have a
hook to do Spectrum-specific stuff like granting camera access in the
media server, unless we provide our own x-d-p implementation (not just a
backend)…

Would it be possible to hook into PipeWire in the guest instead,
perhaps, to do that?