Skip to content

RestrictNamespaces in wireplumber systemd service breaks libcamera SPA module

  • Wireplumber version: master (6dc5ac08)
  • Distribution and distribution version (PRETTY_NAME from /etc/os-release): Debian GNU/Linux 12 (bookworm) (actually Raspberry Pi OS)
  • Desktop Environment: Wayfire
  • Kernel version (uname -r): 6.1.31-v8+

Description of Problem:

libcamera is unable to load IPA (Image Processing Algorithm) modules when loaded by the libcamera SPA module from wireplumber.

  • The wireplumber systemd service (wireplumber.service.in) sets RestrictNamespaces=yes which prevents wireplumber (or any subprocesses) from using any namespace syscalls
  • libcamera uses namespaces to isolate the IPA modules because they are sometimes proprietary binary blobs (in libcamera: src/libcamera/process.cpp Process::isolate())
  • So, when wireplumber loads the libcamera SPA module and libcamera tries to load an IPA, its call to unshare(CLONE_NEWUSER | CLONE_NEWNET); fails and it crashes.

How Reproducible:

100% (on my system)

Steps to Reproduce:

  1. You need a system with a camera for which libcamera has an IPA process. I'm testing on a Raspberry Pi 4 with a CSI Raspberry Pi camera (with legacy camera interface mode disabled)
  2. Build and install libcamera from git (I'm using 06bbff9c from the Raspberry Pi fork of libcamera, but this issue isn't specific to the fork)
  3. Build and install pipewire from git master (7fb7c679), ensuring it includes the libcamera SPA plugin and wireplumber
  4. systemctl --user daemon-reload
  5. systemctl --user restart pipewire
  6. View wireplumber's output: journalctl -u wireplumber -a --user

Actual Results:

 WARN IPAManager ipa_manager.cpp:114 Public key not valid
 INFO Camera camera_manager.cpp:299 libcamera v0.0.4+23-06bbff9c-dirty (2023-06-06T14:53:38+01:00)
ERROR Process process.cpp:319 Failed to unshare execution context: Operation not permitted
ERROR IPCPipe ipc_pipe_unixsocket.cpp:134 Call timeout!
ERROR IPCPipe ipc_pipe_unixsocket.cpp:66 Failed to call sync
ERROR IPAProxy raspberrypi_ipa_proxy.cpp:190 Failed to call init
ERROR RPI raspberrypi.cpp:1362 Failed to load a suitable IPA library
ERROR IPCUnixSocket ipc_unixsocket.cpp:191 Failed to send: Connection refused
ERROR IPCPipe ipc_pipe_unixsocket.cpp:66 Failed to call sync
ERROR IPAProxy raspberrypi_ipa_proxy.cpp:476 Failed to call unmapBuffers
ERROR IPCUnixSocket ipc_unixsocket.cpp:191 Failed to send: Transport endpoint is not connected
ERROR IPCPipe ipc_pipe_unixsocket.cpp:80 Failed to call async
ERROR RPI raspberrypi.cpp:1287 Failed to register camera imx477 10-001a: -22

The important line is the third one where unshare fails to isolate the IPA process using namespaces.

Expected Results:

If I remove the RestrictNamespaces line from the wireplumber systemd service and restart everything then the output looks like:

 WARN IPAManager ipa_manager.cpp:114 Public key not valid
 INFO Camera camera_manager.cpp:299 libcamera v0.0.4+23-06bbff9c-dirty (2023-06-06T14:53:38+01:00)
 INFO RPI raspberrypi.cpp:1486 Registered camera /base/soc/i2c0mux/i2c@1/imx477@1a to Unicam device /dev/media2 and ISP device /d>

and my camera works with pipewire.

As a fix I propose to remove RestrictNamespaces from wireplumber.service.in. Alternatively we could narrow it down to restrict all namespaces except for net and user, which are the ones libcamera isolates. Please let me know if either of these would be acceptable and I'll raise a merge request.