
group.of.nepali.translators team mailing list archive

[Bug 1781428] Re: please enable snap mediation support

 

** Description changed:

+ [Impact]
+ Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected.
  
- # Original summary: pulseaudio built with --enable-snappy but 'Enable
- Snappy support: no'
+ To correct this situation but not regress existing behavior, Ubuntu
+ 19.04's pulseaudio was updated patch to allow playback to all connected
+ clients (snaps or not), record by classic snaps (see bug 1787324) and
+ record by strict mode snaps if either the pulseaudio or new-in-
+ snapd-2.41 audio-record interfaces were connected. With this change,
+ snapd is in a position to migrate snaps to the new audio-playback and
+ audio-record interfaces and properly mediate audio recording (see
+ https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-
+ deprecation/13418).
+ 
+ The patch to pulseaudio consists of adding a module, enabling it in
+ default.pa and then when it is enabled, pulseaudio when faced with a
+ record operation will, when the connecting process is a snap (ie, its
+ security label (ie, apparmor label) starts with 'snap.'), query snapd
+ via its control socket to ask if the snap is classic and if not, whether
+ the pulseaudio or audio-record interfaces are connected. Adjusting
+ pulseaudio in the manner does not require coordination with any release
+ of snapd. It does need a newer version of snapd-glib, which was recently
+ updated to 1.49 in the last SRU.
+ 
+ [Test Case]
+ 
+ Since the pulseaudio mediation behavior triggers when the security label
+ starts with 'snap.' it is su
+ 
+ For unconfined applications:
+ $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
+ yes
+ 
+ $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes"  # ctrl-c to stop recording
+ ^Cyes
+ 
+ $ paplay /tmp/out.wav && echo "yes"
+ yes
+ 
+ For confined, non-snap applications:
+ $ sudo apt-get install evince
+ 
+ $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav
+ && echo yes
+ 
+ $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes"  # ctrl-c to stop recording
+ ^Cyes
+ 
+ $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes"
+ yes
+ 
+ 
+ For classic snaps:
+ $ sudo snap install test-snapd-classic-confinement --classic
+ 
+ $ snap run --shell test-snapd-classic-confinement
+ 
+ $ cat /proc/self/attr/current   # verify we are classic confined
+ snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain)
+ 
+ $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
+ yes
+ 
+ $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes"  # ctrl-c to stop recording
+ ^Cyes
+ 
+ $ paplay /tmp/out.wav && echo "yes"
+ yes
+ 
+ For strict snaps with pulseaudio:
+ $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap
+ 
+ $ snap connections test-snapd-pulseaudio
+ Interface   Plug                              Slot         Notes
+ pulseaudio  test-snapd-pulseaudio:pulseaudio  :pulseaudio  -
+ 
+ $ test-snapd-pulseaudio.play --help  # ensure SNAP dirs are created
+ ...
+ 
+ $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-
+ pulseaudio/common/
+ 
+ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes
+ xcb_connection_has_error() returned true
+ yes
+ 
+ (note, the xcb_connection_has_error() message is due to the x11
+ interface not being connecting which is unrelated to mediation. x11 is
+ left out to ensure that just audio-playback/audio-record are tested)
+ 
+ $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass
+ ...
+ ^Cyes
+ 
+ $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes
+ ...
+ yes
+ 
+ 
+ For strict snaps with audio-playback/audio-record:
+ $ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap
+ 
+ $ snap connections test-snapd-audio-record  # record not connected
+ Interface       Plug                                    Slot             Notes
+ audio-playback  test-snapd-audio-record:audio-playback  :audio-playback  -
+ audio-record    test-snapd-audio-record:audio-record    -                -
+ 
+ $ test-snapd-audio-record.play --help  # ensure SNAP dirs are created
+ ...
+ 
+ $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio-
+ record/common/
+ 
+ $ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav && echo yes
+ xcb_connection_has_error() returned true
+ yes
+ 
+ (note, the xcb_connection_has_error() message is due to the x11
+ interface not being connecting which is unrelated to mediation. x11 is
+ left out to ensure that just audio-playback/audio-record are tested)
+ 
+ $ test-snapd-audio-record.record /tmp/out.wav  # should fail
+ ...
+ Stream error: Access denied
+ 
+ $ sudo snap connect test-snapd-audio-record:audio-record
+ 
+ $ test-snapd-audio-record.record /tmp/out.wav && echo yes  # should pass
+ ...
+ ^Cyes
+ 
+ $ test-snapd-audio-record.play /tmp/out.wav && echo yes
+ ...
+ yes
+ 
+ 
+ [Regression Potential] 
+ 
+ The regression potential consists of pulseaudio playback and record
+ functionality no longer working for snaps and non-snaps. This is easily
+ tested via the test cases. Furthermore, the patches have seen 5 months
+ real world testing since Ubuntu 19.04's release. Note that the patches
+ for 18.04 and 16.04 include the fixes to 19.04 for classic snaps (and
+ the above test cases verify the correct behavior).
+ 
+ 
+ # Original summary: pulseaudio built with --enable-snappy but 'Enable Snappy support: no'
  
  # Original description
  
  From https://launchpadlibrarian.net/377100864/buildlog_ubuntu-cosmic-
  amd64.pulseaudio_1%3A12.0-1ubuntu1_BUILDING.txt.gz:
  
  ...
  dh_auto_configure -- --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf
   ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf
  ...
      Enable Ubuntu trust store:     no
      Enable Snappy support:         no
      Enable Apparmor:               yes
  
  At this point, the patch should probably be dropped, otherwise
  applications like chromium, etc will no longer be able to record.
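Review bot: The added [Test Case] introduction breaks off mid-word at "it is su", so the stated reason for grouping the tests by confinement type (unconfined, confined non-snap, classic snap, strict snap) is missing; the sentence should be completed. In the "confined, non-snap applications" block, the first step (aa-exec -p /usr/bin/evince -- paplay ... && echo yes) lists no expected "yes" line, unlike every other playback step, so a reader cannot tell from the text whether that step is expected to pass. The x11 note also reads "not being connecting" in both strict-snap blocks where "connected" is meant.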

** Also affects: pulseaudio (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: pulseaudio (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: pulseaudio (Ubuntu Xenial)
       Status: New => In Progress

** Changed in: pulseaudio (Ubuntu Bionic)
       Status: New => In Progress

** Attachment added: "test-snapd-pulseaudio_1_amd64.snap"
   https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1781428/+attachment/5292538/+files/test-snapd-pulseaudio_1_amd64.snap

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1781428

Title:
  please enable snap mediation support

Status in pulseaudio package in Ubuntu:
  Fix Released
Status in pulseaudio source package in Xenial:
  In Progress
Status in pulseaudio source package in Bionic:
  In Progress

Bug description:
  [Impact]
  Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected.

  To correct this situation but not regress existing behavior, Ubuntu
  19.04's pulseaudio was updated patch to allow playback to all
  connected clients (snaps or not), record by classic snaps (see bug
  1787324) and record by strict mode snaps if either the pulseaudio or
  new-in-snapd-2.41 audio-record interfaces were connected. With this
  change, snapd is in a position to migrate snaps to the new
  audio-playback and audio-record interfaces and properly mediate audio
  recording (see
  https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-deprecation/13418).

  The patch to pulseaudio consists of adding a module, enabling it in
  default.pa and then when it is enabled, pulseaudio when faced with a
  record operation will, when the connecting process is a snap (ie, its
  security label (ie, apparmor label) starts with 'snap.'), query snapd
  via its control socket to ask if the snap is classic and if not,
  whether the pulseaudio or audio-record interfaces are connected.
  Adjusting pulseaudio in this manner does not require coordination with
  any release of snapd. It does need a newer version of snapd-glib,
  which was recently updated to 1.49 in the last SRU.

  [Test Case]

  Since the pulseaudio mediation behavior triggers when the security
  label starts with 'snap.' it is su

  For unconfined applications:
  $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
  yes

  $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes"  # ctrl-c to stop recording
  ^Cyes

  $ paplay /tmp/out.wav && echo "yes"
  yes

  For confined, non-snap applications:
  $ sudo apt-get install evince

  $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes

  $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes"  # ctrl-c to stop recording
  ^Cyes

  $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes"
  yes

  
  For classic snaps:
  $ sudo snap install test-snapd-classic-confinement --classic

  $ snap run --shell test-snapd-classic-confinement

  $ cat /proc/self/attr/current   # verify we are classic confined
  snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain)

  $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
  yes

  $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes"  # ctrl-c to stop recording
  ^Cyes

  $ paplay /tmp/out.wav && echo "yes"
  yes

  For strict snaps with pulseaudio:
  $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap

  $ snap connections test-snapd-pulseaudio
  Interface   Plug                              Slot         Notes
  pulseaudio  test-snapd-pulseaudio:pulseaudio  :pulseaudio  -

  $ test-snapd-pulseaudio.play --help  # ensure SNAP dirs are created
  ...

  $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-pulseaudio/common/

  $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes
  xcb_connection_has_error() returned true
  yes

  (note, the xcb_connection_has_error() message is due to the x11
  interface not being connected which is unrelated to mediation. x11 is
  left out to ensure that just audio-playback/audio-record are tested)

  $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass
  ...
  ^Cyes

  $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes
  ...
  yes

  
  For strict snaps with audio-playback/audio-record:
  $ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap

  $ snap connections test-snapd-audio-record  # record not connected
  Interface       Plug                                    Slot             Notes
  audio-playback  test-snapd-audio-record:audio-playback  :audio-playback  -
  audio-record    test-snapd-audio-record:audio-record    -                -

  $ test-snapd-audio-record.play --help  # ensure SNAP dirs are created
  ...

  $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio-record/common/

  $ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav && echo yes
  xcb_connection_has_error() returned true
  yes

  (note, the xcb_connection_has_error() message is due to the x11
  interface not being connected which is unrelated to mediation. x11 is
  left out to ensure that just audio-playback/audio-record are tested)

  $ test-snapd-audio-record.record /tmp/out.wav  # should fail
  ...
  Stream error: Access denied

  $ sudo snap connect test-snapd-audio-record:audio-record

  $ test-snapd-audio-record.record /tmp/out.wav && echo yes  # should pass
  ...
  ^Cyes

  $ test-snapd-audio-record.play /tmp/out.wav && echo yes
  ...
  yes

  
  [Regression Potential] 

  The regression potential consists of pulseaudio playback and record
  functionality no longer working for snaps and non-snaps. This is
  easily tested via the test cases. Furthermore, the patches have seen 5
  months real world testing since Ubuntu 19.04's release. Note that the
  patches for 18.04 and 16.04 include the fixes to 19.04 for classic
  snaps (and the above test cases verify the correct behavior).

  
  # Original summary: pulseaudio built with --enable-snappy but 'Enable Snappy support: no'

  # Original description

  From https://launchpadlibrarian.net/377100864/buildlog_ubuntu-cosmic-amd64.pulseaudio_1%3A12.0-1ubuntu1_BUILDING.txt.gz:

  ...
  dh_auto_configure -- --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf
   ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf
  ...
      Enable Ubuntu trust store:     no
      Enable Snappy support:         no
      Enable Apparmor:               yes

  At this point, the patch should probably be dropped, otherwise
  applications like chromium, etc will no longer be able to record.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1781428/+subscriptions
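
The record-mediation decision described in the bug description above, as an added example that is not part of the original message and is not pulseaudio's module code. It assumes the caller supplies the client's AppArmor label and confinement, and it reads `snap connections` text in place of the snapd socket query; the function names and the strict-snap labels are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not pulseaudio's module code. The real module queries snapd
# over its control socket; here "snap connections" text stands in for that.

# Print the snap name for an AppArmor label that starts with "snap.",
# e.g. "snap.NAME.APP (complain)" -> NAME. Prints nothing otherwise.
snap_name_from_label() {
    local label="${1%% *}"            # drop a trailing " (mode)"
    case "$label" in
        snap.*) label="${label#snap.}"; printf '%s\n' "${label%%.*}" ;;
    esac
}

# Read "snap connections SNAP" output on stdin; succeed if a pulseaudio
# or audio-record plug is connected (Slot column is not "-").
record_iface_connected() {
    awk 'NR > 1 && ($1 == "pulseaudio" || $1 == "audio-record") && $3 != "-" { ok = 1 }
         END { exit ok ? 0 : 1 }'
}

# record_decision LABEL CONFINEMENT CONNECTIONS -> prints "allow" or "deny"
record_decision() {
    local label="$1" confinement="$2" connections="$3"
    case "$label" in
        snap.*) ;;                     # snap client: mediated below
        *) echo allow; return 0 ;;     # non-snap clients are not mediated
    esac
    if [ "$confinement" = classic ]; then echo allow; return 0; fi
    if printf '%s\n' "$connections" | record_iface_connected; then
        echo allow
    else
        echo deny
    fi
}

# "snap connections" output copied from the test case in the bug description.
CONN_RECORD_UNPLUGGED='Interface       Plug                                    Slot             Notes
audio-playback  test-snapd-audio-record:audio-playback  :audio-playback  -
audio-record    test-snapd-audio-record:audio-record    -                -'
CONN_PULSEAUDIO='Interface   Plug                              Slot         Notes
pulseaudio  test-snapd-pulseaudio:pulseaudio  :pulseaudio  -'

# Constructed labels for the strict snaps (the page shows only the classic one).
record_decision 'snap.test-snapd-audio-record.record' strict "$CONN_RECORD_UNPLUGGED"
record_decision 'snap.test-snapd-pulseaudio.record' strict "$CONN_PULSEAUDIO"
```

The two calls at the end reproduce the "should fail" and "should pass" record steps from the strict-snap test cases.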