This bug was fixed in the package apparmor - 2.8.0-0ubuntu30
---------------
apparmor (2.8.0-0ubuntu30) saucy; urgency=low
[ Tyler Hicks ]
* debian/patches/0059-dbus-rules-for-dbus-abstractions.patch: Add an
abstraction for the accessibility bus. It is currently very permissive,
like the dbus and dbus-session abstractions, and grants all permissions on
the accessibility bus. (LP: #1226141)
* debian/patches/0071-lp1226356.patch: Fix issues in parsing D-Bus and mount
rules. Both rule classes suffered from unexpected auditing behavior when
using the 'deny' and 'audit deny' rule modifiers. The 'deny' modifier
resulting in accesses being audited and the 'audit deny' modifier
resulting in accesses not being audited. (LP: #1226356)
* debian/patches/0072-lp1229393.patch: Fix cache location for .features
file, which was not being written to the proper location if the parameter
--cache-loc= is passed to apparmor_parser. This bug resulted in using the
.features file from /etc/apparmor.d/cache or always recompiling policy.
Patch thanks to John Johansen. (LP: #1229393)
* debian/patches/0073-lp1208988.patch: Update AppArmor file rules of UNIX
domain sockets to include read and write permissions. Both permissions are
required when a process connects to a UNIX domain socket. Also include new
tests for mediation of UNIX domain sockets. Thanks to Jamie Strandboge for
helping with the policy updates and testing. (LP: #1208988)
* debian/patches/0075-lp1211380.patch: Adjust the audio abstraction to only
grant access to specific pulseaudio files in the pulse runtime directory
to remove access to potentially dangerous files (LP: #1211380)
[ Jamie Strandboge ]
* debian/patches/0074-lp1228882.patch: typo in ubuntu-browsers.d/multimedia
(LP: #1228882)
* 0076_sanitized_helper_dbus_access.patch: allow applications run under
sanitized_helper to connect to DBus
-- Tyler Hicks <[email protected]> Fri, 04 Oct 2013 17:29:52 -0700
** Changed in: apparmor (Ubuntu Saucy)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1211380
Title:
pulseaudio socket needs confined app restrictions
Status in PulseAudio sound server:
New
Status in “apparmor” package in Ubuntu:
Fix Released
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
Fix Released
Status in “pulseaudio” package in Ubuntu:
Confirmed
Status in “apparmor” source package in Saucy:
Fix Released
Status in “apparmor-easyprof-ubuntu” source package in Saucy:
Fix Released
Status in “pulseaudio” source package in Saucy:
Won't Fix
Status in “apparmor” source package in t-series:
Confirmed
Status in “apparmor-easyprof-ubuntu” source package in t-series:
Confirmed
Status in “pulseaudio” source package in t-series:
Confirmed
Bug description:
Confined applications need access to the pulseaudio socket.
Unfortunately, this allows them to perform dangerous operations, such as load
a module from an arbitrary path.
It also allows them to enumerate installed applications by listing clients.
The Pulseaudio daemon should verify if an application is confined, and
if so, restrict access to certain commands.
If module loading cannot be disabled for confined applications,
perhaps it could be modified to only load modules from trusted system
locations.
To manage notifications about this bug go to:
https://bugs.launchpad.net/pulseaudio/+bug/1211380/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
