Provide an easy way for users to have an audio qube (for wired USB audio devices)

Open DemiMarie opened this issue 1 year ago • 3 comments

The problem you're addressing (if any)

Users like @rapenne-s want to use USB audio devices. Using wireless audio is very risky, but using wired USB audio is quite safe if other devices passed to sys-usb are trusted. However, right now, making sys-usb an AudioVM requires either:

  1. Patching some Salt states.
  2. Making magic changes to system configuration.

The solution you'd like

Make it easy to enable and disable using sys-usb as an AudioVM.

The value to a user, and who that user might be

@rapenne-s (and others) won’t have to ask the Qubes developers why using USB passthrough for sound devices doesn’t work (#8495) because using sys-usb as AudioVM will work.

DemiMarie avatar Sep 09 '23 18:09 DemiMarie

Possible duplicate of #1590.

andrewdavidwong avatar Feb 22 '24 02:02 andrewdavidwong

Make it easy to enable and disable using sys-usb as an AudioVM.

  • Tag sys-usb with audiovm (for Qrexec policy)
  • Enable sys-usb service audiovm
  • Install necessary packages in sys-usb template
  • Autostart in sys-usb the volumeicon and qvm-start-daemon programs, it may be needed to place it in disposable template if the qube is disposable
  • Change the audio client preference audiovm to sys-usb
  • Add dom0 qrexec policy that can have sys-usb as source of call or target with @tag:audiovm-sys-usb

I am doing this with Salt, not yet finished. What I am not doing is automatically switching the client audiovm preference; this still requires user intervention. I see the biggest problem is with the policy:

## Soundcard audio
admin.vm.List * sys-audio @tag:audiovm-sys-audio allow target=dom0
## USB audio
admin.vm.List * sys-usb @tag:audiovm-sys-usb allow target=dom0
## All types of audio
admin.vm.List * @tag:audiovm @adminvm allow target=dom0

Notice that for every new AudioVM, the same rules with different values have to be added to avoid an audiovm being able to know information about audio clients from other AudioVMs. It would be nice if Qrexec supported something like @self replacing it by the calling qube name:

admin.Events * @tag:audiovm @self allow target=dom0
admin.Events * @tag:audiovm @adminvm allow target=dom0
admin.Events * @tag:audiovm @tag:audiovm-@self allow target=dom0

I know the @self tag is a change to the Qrexec policy, but it is a change that would make the policy easier to manage for the audio use case, especially useful when the user has multiple USBVMs, they will have different names.

ben-grande avatar Feb 28 '24 14:02 ben-grande
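
Added example, not part of the thread and not Qubes project code: a small generator that expands the `@self` token proposed in the comment above into the per-AudioVM rules that today's policy format needs, plus a check that no generated rule lets one AudioVM reach another AudioVM's clients. `@self` is only the commenter's proposal, and the function names, the qube-name pattern and the sample qube names are assumptions made for this sketch.

```python
import re

# Constructed template: the three rules from the comment above.
# "@self" is the commenter's proposed token, not existing Qrexec syntax.
TEMPLATE = """\
admin.Events * @tag:audiovm @self allow target=dom0
admin.Events * @tag:audiovm @adminvm allow target=dom0
admin.Events * @tag:audiovm @tag:audiovm-@self allow target=dom0
"""

# Assumption: conservative qube-name pattern, so a name can never smuggle
# whitespace or an "@" token into a generated rule.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9_.-]*")

def expand_self(template, audiovms):
    """Emit each rule whose target uses @self once per AudioVM, with the
    source pinned to that qube; pass all other rules through unchanged."""
    for vm in audiovms:
        if not NAME_RE.fullmatch(vm):
            raise ValueError(f"unsafe qube name: {vm!r}")
    rules = []
    for line in template.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # skip blank lines and policy comments
        if len(fields) < 5:
            raise ValueError(f"malformed rule: {line!r}")
        service, arg, _source, target, *action = fields
        if "@self" not in target:
            rules.append(" ".join(fields))
            continue
        for vm in audiovms:
            rules.append(" ".join([service, arg, vm, target.replace("@self", vm), *action]))
    return rules

def cross_audiovm_grants(rules, audiovms):
    """Return allow rules that let one named AudioVM reach another AudioVM
    or another AudioVM's client tag."""
    leaks = []
    for rule in rules:
        _service, _arg, source, target, action, *_params = rule.split()
        if action != "allow" or source not in audiovms:
            continue
        others = [vm for vm in audiovms if vm != source]
        if any(target in (vm, f"@tag:audiovm-{vm}") for vm in others):
            leaks.append(rule)
    return leaks
```

Running `cross_audiovm_grants` over the generated policy after every change to the AudioVM list gives a quick regression check that the isolation between AudioVMs described in the comment still holds.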

@ben-grande I suggest filing a feature request for that.

DemiMarie avatar Feb 28 '24 20:02 DemiMarie