group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1583057] Re: Deny audio recording for all snap applications

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Jamie Strandboge <jamie@xxxxxxxxxx>
Date: Thu, 03 Aug 2017 14:16:55 -0000
Reply-to: Bug 1583057 <1583057@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Changed in: pulseaudio (Ubuntu Xenial)
Status: In Progress => Won't Fix

--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1583057

Title:
Deny audio recording for all snap applications

Status in pulseaudio package in Ubuntu:
Fix Released
Status in pulseaudio source package in Xenial:
Won't Fix
Status in pulseaudio source package in Yakkety:
Fix Released

Bug description:
[Impact]
Currently snaps on Ubuntu Classic may declare in their snap.yaml that they want access to pulseaudio. When installed, snapd will auto-connect the pulseaudio interface giving the snap access to the pulseaudio server for playback and recording. Because recording is allowed, snaps are allowed to eavesdrop on users without the user knowing. Phase 1 of the pulseaudio interface should block recording for snaps while the details of phase 2 (which combines pulseaudio/snappy interfaces and trust-store) are worked out.

[Test Case]
First, install pulseaudio then reboot (alternatively can 'killall pulseaudio' from within your session or logout then killall pulseaudio from a vt and then log back in). pulseaudio needs to be restarted for the changes to be in effect and a reboot is the easiest way to achieve that.

1. unconfined can play audio
2. unconfined can record audio
3. non-snap confined can play audio
4. non-snap confined can record audio
5. snap confined can play audio
6. snap confined cannot record audio
7. snap confined devmode can record audio
8. indicator-sound and 'Sound Settings... works'
9. click can record audio if trust-store allows (eg, 'SnapRecorder' from the store)
10. click can play audio (eg, playback of recording from 'SnapRecorder' from the store)

Currently '6' is not implemented and all snaps may record audio. When
this bug is fixed, no snaps should be able to record audio (until
phase 2 is implemented which will be in a different bug).

The attached script tests 1-7. 9 and 10 require testing on a device
and using

[Regression Potential]
The patch is quite small and easy to understand and is implemented to only affect processes that want to record and are running with a security label that starts with 'snap.' Unconfined processes and process running under other security labels should not be affected.

Original description:
Until we have a proper trust-store implementation with snappy and on the desktop/ubuntu core we want pulseaudio to simply deny any audio recording request coming from an app shipped as part of a snap.

The implementation adds a module-snappy-policy module to pulseaudio
which adds a hook for audio recording requests and checks on
connection if the apparmor security label of the connecting peer
starts with "snap." which will identify it as a snap application.

Pulseaudio with the patch is available as part of the landing request
at https://requests.ci-train.ubuntu.com/#/ticket/1428

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1583057/+subscriptions