desktop-packages team mailing list archive
-
desktop-packages team
-
Mailing list archive
-
Message #123095
[Bug 1224756] Re: Pulseaudio should integrate with trust-store
This has clearly been around a while. Some way up, a '10-liner' was
suggested as an option. Two questions:
- is there a good example of this somewhere else to look at (ie, how-to use lp:trust-store)?
- is the 10 liner (check if record is permitted) still an incremental improvement?
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756
Title:
Pulseaudio should integrate with trust-store
Status in the base for Ubuntu mobile products:
Confirmed
Status in pulseaudio package in Ubuntu:
Triaged
Bug description:
Currently the 'audio' policy group allows access to pulseaudio which
allows apps to use the microphone and eavesdrop on the user.
Pulseaudio needs to be modified to use trust-store, like location-
service does. Integrating with trust-store means that when an app
tries use the microphone via pulseaudio, pulseaudio will contact
trust-store, the trust-store will prompt the user ("Foo wants to use
the microphone. Is this ok? Yes|No"), optionally cache the result and
return the result to pulseaudio. In this manner the user is given a
contextual prompt at the time of access by the app. Using caching this
decision can be remembered the next time. If caching is used, there
should be a method to change the decision in settings.
Targeting to T-Series for now, since the trust-store is not in a
reusable form yet.
Original description:
David and the security team (inspired by an observation from Rick) discussed that when recording, pulseaudio should somehow unobtrusively show the user that it is recording. The easiest thing to do would be for pulseaudio to alert indicator-sound which would then turn its icon red (similar to indicator-message turning blue with new messages). Marking 'high' because apps with access to pulseaudio can currently eavedrop on users. If the app is allowed to do networking (the default for apps), then it can ship that information off to a server somewhere.
Note 1, the alert to indicator-sound must happen via the out of
process pulseaudio server and not the confined app itself to be
effective.
Note 2, we should consider how to enforce this for foreground apps
only. Application lifecycle should probably handle this for 13.10
(apps are suspended if not in foreground or if the screensaver is on),
but we don't want an app on the converged device to record in the
background when the user isn't paying attention. Example eavesdropping
attack: start recording only when the screensaver is on (perhaps
inhibiting the screensaver during recording would be enough).
To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions