** Description changed:

- Until we have a proper trust-store implementation with snappy and on the
- desktop/ubuntu core we want pulseaudio to simply deny any audio
- recording request coming from an app shipped as part of a snap.
+ [Impact] 
+ Currently snaps on Ubuntu Classic may declare in their snap.yaml that they 
want access to pulseaudio. When installed, snapd will auto-connect the 
pulseaudio interface giving the snap access to the pulseaudio server for 
playback and recording. Because recording is allowed, snaps are allowed to 
eavesdrop on users without the user knowing. Phase 1 of the pulseaudio 
interface should block recording for snaps while the details of phase 2 (which 
combines pulseaudio/snappy interfaces and trust-store) are worked out.
+ 
+ [Test Case]
+ 1. unconfined can play audio
+ 2. unconfined can record audio
+ 3. non-snap confined can play audio
+ 4. non-snap confined can record audio
+ 5. snap confined can play audio
+ 6. snap confined cannot record audio
+ 7. snap confined devmode can record audio
+ 8. indicator-sound and 'Sound Settings... works'
+ 9. click can play audio (eg, SnapRecorder)
+ 10. click can record audio if trust-store allows
+ 
+ Currently '6' is not implemented and all snaps may record audio. When
+ this bug is fixed, no snaps should be able to record audio (until phase
+ 2 is implemented).
+ 
+ The attached script tests 1-7. 9 and 10 require testing on a device and
+ using
+ 
+ [Regression Potential] 
+ The patch is quite small and easy to understand and is implemented to only 
affect processes that want to record and are running with a security label that 
starts with 'snap.' Unconfined processes and process running under other 
security labels should not be affected. 
+ 
+ 
+ Original description:
+ Until we have a proper trust-store implementation with snappy and on the 
desktop/ubuntu core we want pulseaudio to simply deny any audio recording 
request coming from an app shipped as part of a snap.
  
  The implementation adds a module-snappy-policy module to pulseaudio
  which adds a hook for audio recording requests and checks on connection
  if the apparmor security label of the connecting peer starts with
  "snap." which will identify it as a snap application.
  
  Pulseaudio with the patch is available as part of the landing request at
  https://requests.ci-train.ubuntu.com/#/ticket/1428
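
Review bot: The added [Regression Potential] text says the policy affects any recording process whose security label starts with 'snap.', but test case 7 expects a devmode snap to record, and the description never says how a devmode snap is told apart from a strictly confined one. State the criterion the module uses so that cases 6 and 7 can both be checked against it. The added sentence "The attached script tests 1-7. 9 and 10 require testing on a device and using" also stops mid-clause and leaves case 8 without a stated test method; finish the sentence and say how 8 is verified.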

** Attachment removed: "1583057-test.sh"
   https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1583057/+attachment/4696048/+files/1583057-test.sh

** Attachment added: "1583057-test.sh"
   https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1583057/+attachment/4696049/+files/1583057-test.sh

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1583057

Title:
  Deny audio recording for all snap applications

Status in pulseaudio package in Ubuntu:
  Fix Released
Status in pulseaudio source package in Xenial:
  In Progress
Status in pulseaudio source package in Yakkety:
  Fix Released

Bug description:
  [Impact]
  Currently snaps on Ubuntu Classic may declare in their snap.yaml that they
  want access to pulseaudio. When installed, snapd will auto-connect the
  pulseaudio interface giving the snap access to the pulseaudio server for
  playback and recording. Because recording is allowed, snaps are allowed to
  eavesdrop on users without the user knowing. Phase 1 of the pulseaudio
  interface should block recording for snaps while the details of phase 2 (which
  combines pulseaudio/snappy interfaces and trust-store) are worked out.

  [Test Case]
  1. unconfined can play audio
  2. unconfined can record audio
  3. non-snap confined can play audio
  4. non-snap confined can record audio
  5. snap confined can play audio
  6. snap confined cannot record audio
  7. snap confined devmode can record audio
  8. indicator-sound and 'Sound Settings...' works
  9. click can play audio (eg, SnapRecorder)
  10. click can record audio if trust-store allows

  Currently '6' is not implemented and all snaps may record audio. When
  this bug is fixed, no snaps should be able to record audio (until
  phase 2 is implemented).

  The attached script tests 1-7. 9 and 10 require testing on a device
  and using

  [Regression Potential]
  The patch is quite small and easy to understand and is implemented to only
  affect processes that want to record and are running with a security label that
  starts with 'snap.' Unconfined processes and processes running under other
  security labels should not be affected.

  
  Original description:
  Until we have a proper trust-store implementation with snappy and on the
  desktop/ubuntu core we want pulseaudio to simply deny any audio recording
  request coming from an app shipped as part of a snap.

  The implementation adds a module-snappy-policy module to pulseaudio
  which adds a hook for audio recording requests and checks on
  connection if the AppArmor security label of the connecting peer
  starts with "snap." which will identify it as a snap application.

  Pulseaudio with the patch is available as part of the landing request
  at https://requests.ci-train.ubuntu.com/#/ticket/1428

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1583057/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
