pulseaudio should use app-specific directory for shm files

Bug #1224751 reported by Jamie Strandboge
This bug affects 4 people
Affects: pulseaudio (Ubuntu)
Status: Confirmed
Importance: Medium
Assigned to: Unassigned
Milestone: (none)

Bug Description

Currently we have apparmor rules for pulseaudio like this:
owner /{run,dev}/shm/pulse-shm* rk,
deny /{run,dev}/shm/pulse-shm* w, # deny unless we have to have it

The rules are this way because the shared memory files are not app specific and it is possible for one app to access another app's shared memory file. It would be better if the files were app-specific to better isolate the apps (this is something we are doing elsewhere). A short-term option would be to put this shm file in an app-specific directory such as one of these:
 $XDG_RUNTIME_DIR/confined/$app_pkgname/
 $XDG_RUNTIME_DIR/pulse/$appid/

A longer-term alternative would be to integrate this more directly within AppArmor and its policy language. I'm currently marking this bug as 'Medium' right now: the policy currently doesn't allow writes to these SHM files and audio works ok.
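As an added illustration (not code from this report or from Ubuntu's policy templates), here are the current rules next to what a rule scoped to an app-specific directory could look like; the @{APP_PKGNAME} and @{XDG_RUNTIME_DIR} variables and the profile name are assumed placeholders.

```apparmor
# Added example, not from the bug report or from Ubuntu's click templates.
# The variables would normally be filled in by the policy generator; the
# values here are placeholders so the fragment stands on its own.
@{APP_PKGNAME}=com.example.placeholder
@{XDG_RUNTIME_DIR}=/run/user/[0-9]*

profile "com.example.placeholder_app_1.0" {
  # --- Current rules (as quoted in the report) ---
  # 'owner' only compares the file's uid with the process fsuid. Every
  # confined app on the device runs as the same user (the audit line in
  # the comments shows fsuid=32011 ouid=32011), so 'owner' does not
  # separate apps: any app may read every other app's pulse-shm segment.
  owner /{run,dev}/shm/pulse-shm* rk,
  deny  /{run,dev}/shm/pulse-shm* w,   # deny unless we have to have it

  # --- App-specific alternative (the report's short-term proposal) ---
  # If the client created its shm file under a per-app directory, the
  # rule could be scoped by package name. The path, not the uid, now
  # carries the isolation: this app can create and lock its own segment
  # but no rule matches another package's directory.
  owner @{XDG_RUNTIME_DIR}/confined/@{APP_PKGNAME}/ rw,
  owner @{XDG_RUNTIME_DIR}/confined/@{APP_PKGNAME}/pulse-shm* rwk,
  # No explicit 'deny' is needed for other packages' directories, since a
  # confined profile denies anything not listed. This only covers the
  # client-side segment; the server's single outgoing segment would still
  # need to be split per connection, as the comments below point out.
}
```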

Sylvain Becker (sylvain-becker) wrote:

When I run my click package on an Ubuntu Touch tablet (image version 44), there is no audio because pulseaudio is not allowed:

In the application log:

libust[5076/5079]: Error: Error opening shm /lttng-ust-wait-5-32011 (in get_wait_shm() at lttng-ust-comm.c:886)
libust[5076/5079]: Error: Error opening shm /lttng-ust-wait-5-32011 (in get_wait_shm() at lttng-ust-comm.c:886)
shm_open() failed: Permission denied
Failed to create secure directory (/run/user/32011/pulse): Permission denied

In syslog:
ubuntu-phablet kernel: type=1400 audit(1400948116.479:557): apparmor="DENIED" operation="open" parent=994 profile="com.ubuntu.developer.name.appname_appname_1.00" name="/run/user/32011/pulse/" pid=5248 comm="main.out" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011

Sylvain Becker (sylvain-becker) wrote:

Adding "audio" in the security manifest of my click package solved my issue.
Thanks!

David Henningsson (diwic) wrote:

 > The rules are this way because the shared memory files are not app specific and is possible for one app to access
 > another app's shared memory file.

The pulseaudio server actually uses the same shm file for all outgoing memory blocks (i.e., the common case is recording). So for best app isolation you also need to change this into one shm file per client connection.

In addition, every pulseaudio client has one shm file for all outgoing memory blocks (i.e., the common case is playback).

David Henningsson (diwic) wrote:

Oh, and btw, you can also "spy" on some other app's playback using the pa_stream_set_monitor_stream command.
