touch-packages team mailing list archive
Message #80888
[Bug 1459259] [NEW] Apps using OpenAL on the Ubuntu Phone appear to have direct hardware access despite apparmor constraints
Public bug reported:
I have been building some apps for the phone which use OpenAL. They will
play audio if running under the "audio" policy group. However, the
volume of audio is not controlled by the volume slider or "Silent mode"
switch and audio can continue to play if the app is backgrounded or
phone screen is switched off. After discussion on #ubuntu-touch it was
suggested this may imply the apps have direct hardware access, despite
apparmor constraints.
I do not know if this is a security vulnerability, so I will report it
as such to be safe.
Attached is a .click package build for Ubuntu phones (armhf). It
contains a small OpenAL example app borrowed from a blog site (source
code included in click) and bundles the current OpenAL lib from the
14.10 distribution. It runs under apparmor constraints, and is only
granted access to the "audio" group. The app would be automatically
accepted to the Ubuntu Store.
The audio will continue to play until the app is killed by the user. It
will play in silent mode, when in the background or when the screen is
off. The app has been tested on BQ and Meizu devices running RTM and
vivid.
** Affects: apparmor (Ubuntu)
Importance: Undecided
Status: Confirmed
** Attachment added: "Sample application to demonstrate problem"
https://bugs.launchpad.net/bugs/1459259/+attachment/4405479/+files/altest.njmcphail_0.1_armhf.click
** Information type changed from Private Security to Public
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1459259