Audio/microphone security, group level restriction

I just realized that the mixer can be adjusted by any user and any user can listen to the microphone on my system. Even a sandbox user, unless chrooted or jailed, could spy on me.

Is there a way to adjust /dev/dsp permissions so access requires an audio group? Would I use /etc/devfs.conf for that? I haven't used devfs before.

Just surprised I haven't found any kind of a writeup on this yet. I'm not sure if it's the best default behavior from a security standpoint.

Thank you!
I never tried it. You could try in devs.conf
own /dev/dspX root:audio
perm /dev/dspX 0660

Or in devs.rules
add path 'dspX' mode 0660 group audio
Thank you!

I love FreeBSD. That was so simple. First time tinkering with devfs.

I decided to allow everyone to play audio but only a microphone group to listen. Ideally, would have a sound group and a sound+microphone group but not immediately certain how I would do that. I also have mixer access restricted to root and wheel.

I used devfs.rules since audio devices will come and go for me.

Create microphone group:
pw group add microphone


add path 'dsp*' mode 0662 group microphone
add path 'mixer*' mode 0660


service restart devfs