Alyssa and I discussed several designs for camera support in Spectrum. These included: - USB passthrough - virtio-media - v4l2loopback and a guest agent A custom PipeWire plugin in the guest is also an option. USB passthrough has serious security problems: the guest can perform actions like updating device firmware, and the guest also fully trusts the device. This means that it is only suitable for trusted guests operating on trusted devices, which is less than great. v4l2loopback is an ugly hack and neither Alyssa or I like it, so I don’t think it is going to be the approach taken. It has the advantage of being fairly easy to implement and not requiring any device emulation, which is why Qubes OS went this route, but Spectrum has infrastructure for implementing complex virtio devices in a reasonably secure way, thanks to using Rust rather than C for this. This leaves virtio-media and a fully custom solution based on PipeWire. During the discussion, the possibility of hardening virtio-media against a malicious device was considered. After the call, however, I found out that while hardening the kernel side is definitely possible, it is also insufficient. The reason is that virtio-media, as currently implemented, appears to be effectively V4L2 API passthrough, which would mean that the device can respond to V4L2 IOCTLs however it wants. Guest userspace will almost certainly treat V4L2 IOCTL outputs as trusted, so hardening the guest kernel would be of only limited value. Adding validation in the guest kernel driver would be an option, but it would add substantial complexity. Instead, I think it is necessary to add a media server. This server would expose a virtio-media output device to the VM with the camera, and would expose a virtio-media capture device to all VMs on the system, not just those authorized to receive video. This is because camera hotplug is not properly handled by at least Google Chrome, so I expect other applications to also mishandle it. Instead, a VM that does not have camera permission can be given a camera that always records black, as if the user had covered the camera. PipeWire is the only existing implementation of a media server I know of that allows custom media devices to be implemented out-of-process, so it is the best choice I know of. PipeWire is also considered the future by the entire Linux desktop community. One other factor that I did not consider at all during the discussion is the need to implement the XDG microphone and camera portals. These portals are based on PipeWire, and PipeWire cannot be directly used across VMs. This is partially because of security, but it is also because PipeWire relies on SCM_RIGHTS file descriptor passing, eventfds, and other Linux kernel APIs that do not work across the VM boundary. Therefore, it is necessary to either run PipeWire in the guest, or run a daemon in the guest that exposes the same interface PipeWire does. All portals supported in Spectrum that prompt the user require a Spectrum-specific implementation so that the prompt happens on the host. Are there any better options? This is *an* approach, which does not mean it is *the best* approach. -- Sincerely, Demi Marie Obenour (she/her/hers)