pipewire-pulse grants microphone access to snaps without audio-record plugged

Bug #1995707 reported by James Henstridge
Affects: pipewire (Ubuntu). Status: Fix Released. Importance: Undecided. Assigned to: Unassigned.
Affects: wireplumber (Ubuntu). Status: Fix Released. Importance: Undecided. Assigned to: Unassigned.

Bug Description

In Kinetic, pipewire-pulse is used in place of pulseaudio. We had patches in pulseaudio to detect when the client was a snap, and disable access to microphones if the snap didn't have audio-record plugged as described here:

https://snapcraft.io/docs/audio-record-interface

There doesn't seem to be any equivalent code in pipewire-pulse.

Steps to reproduce:

1. Build the record-exploit snap I put together for this previous bug: https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1877102/comments/1

2. Install snap with "snap install --dangerous record-exploit_0.1_amd64.snap".

3. Run "mkdir -p $XDG_RUNTIME_DIR/snap.record-exploit" (I forgot to include this in the PoC snap).

4. Run "record-exploit.parecord /tmp/foo.wav"

Expected behaviour: the parecord call results in an error.

Observed behaviour: the parecord call records sound from the mic (into /tmp/snap.record-exploit/tmp/foo.wav).

Tags: patch

Seth Arnold (seth-arnold) wrote :

This seems like something that deserves a CVE, but I'm not sure what component exactly it would be against.

Sergio Costas (rastersoft-gmail) wrote :

I wrote a quick patch for this. It is available in my PPA: https://launchpad.net/~rastersoft-gmail/+archive/ubuntu/pipewire

Changed in pipewire (Ubuntu):
assignee: nobody → Sergio Costas (rastersoft-gmail)
Alex Murray (alexmurray) wrote :

Thanks Sergio - from a quick look at the debdiff (I have attached it for easier review by others) my initial feedback would be to use the aa_gettaskcon() function from libapparmor to get the label of the client rather than manually parsing /proc/PID/attr/apparmor/current. But otherwise this looks pretty good I think.

Alex Murray (alexmurray) wrote :

Ah actually I think we also should mediate the "audio-playback" and "pulseaudio" plugs as well - and we need to handle the case of a snap with classic confinement - this should always be granted full access too.
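
The access decision Alex describes, as an added example in C that is not code from pipewire or from the merge requests in this thread: the AppArmor label would come from aa_gettaskcon() in a real server but is passed in here, the snapd query sits behind a hypothetical callback (sample_lookup holds constructed data), and treating the legacy pulseaudio plug as granting both playback and record is an assumption.

```c
#include <errno.h>
#include <stdbool.h>
#include <string.h>
struct snap_info {
    bool classic;          /* classic confinement: always full access */
    bool audio_record;     /* "audio-record" plug connected */
    bool audio_playback;   /* "audio-playback" plug connected */
    bool pulseaudio;       /* legacy "pulseaudio" plug (assumed to grant both) */
};
/* Hypothetical snapd lookup hook; returns false if the snap is unknown. */
typedef bool (*snap_lookup_fn)(const char *snap, struct snap_info *out);
/* Extract <name> from an AppArmor label of the form "snap.<name>.<app>". */
static bool snap_name_from_label(const char *label, char *out, size_t len)
{
    const char *start, *dot;
    if (strncmp(label, "snap.", 5) != 0) return false;
    start = label + 5;
    dot = strchr(start, '.');
    if (dot == NULL || dot == start || (size_t)(dot - start) >= len) return false;
    memcpy(out, start, (size_t)(dot - start));
    out[dot - start] = '\0';
    return true;
}
/* 0 if the client may open a stream of kind `interface` ("audio-record" or
 * "audio-playback"), else -ENOTSUP (the errno chosen in the thread). `label`
 * is what aa_gettaskcon() reports for the peer: "unconfined", "snap.foo.bar"... */
int check_client_access(const char *label, const char *interface,
                        snap_lookup_fn lookup)
{
    char name[64];
    struct snap_info info = {0};
    if (label == NULL || !snap_name_from_label(label, name, sizeof name))
        return 0;                                /* not a snap: not mediated here */
    if (!lookup(name, &info)) return -ENOTSUP;   /* unknown snap: fail closed */
    if (info.classic || info.pulseaudio) return 0;
    if (strcmp(interface, "audio-record") == 0)
        return info.audio_record ? 0 : -ENOTSUP;
    if (strcmp(interface, "audio-playback") == 0)
        return info.audio_playback ? 0 : -ENOTSUP;
    return -ENOTSUP;                             /* unknown interface: refuse */
}
/* Constructed stand-in for snapd with three made-up snaps (sample data). */
bool sample_lookup(const char *snap, struct snap_info *out)
{
    if (strcmp(snap, "playback-only") == 0) { out->audio_playback = true; return true; }
    if (strcmp(snap, "recorder") == 0) { out->audio_record = out->audio_playback = true; return true; }
    if (strcmp(snap, "classic-ide") == 0) { out->classic = true; return true; }
    return false;
}
```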

Sergio Costas (rastersoft-gmail) wrote :

Good points!

Sergio Costas (rastersoft-gmail) wrote :

About "audio-playback"... is the pipewire socket exported inside the sandbox if it isn't specified?

Sergio Costas (rastersoft-gmail) wrote :

Ok, changes done. Also, you can find the patch here: https://salsa.debian.org/Sergio.Costas/pipewire/-/merge_requests/1

Sergio Costas (rastersoft-gmail) wrote (last edit ):

BTW: I'm returning ENOTSUP instead of EPERM to ensure that the functions return a "known" value, instead of a "new" one, to avoid compatibility problems. What do you think about that?

Alex Murray (alexmurray) wrote :

I get a 404 when accessing that MR on salsa.debian.org (I'm https://salsa.debian.org/amurray-guest if you can add access for me?)

Sergio Costas (rastersoft-gmail) wrote :

Done.

Sergio Costas (rastersoft-gmail) wrote :

I uploaded a change that basically adds a little layer in-between to allow other sandbox technologies (i.e. Flatpak) to also add their own permissions scheme. This is the code that we would send to merge into upstream. Can you review it when you have some spare time?

Sergio Costas (rastersoft-gmail) wrote :

The PPA has now packages for Jammy, Kinetic and Lunar.

Jeremy Bícha (jbicha)
Changed in pipewire (Ubuntu):
status: New → Fix Committed
Sergio Costas (rastersoft-gmail) wrote :

The final solution is two MRs, one for pipewire and another for wireplumber. Both have already been merged upstream. Also, they are safe when applied alone, so there is no problem in doing so.

https://gitlab.freedesktop.org/pipewire/pipewire/-/merge_requests/1779

https://gitlab.freedesktop.org/pipewire/wireplumber/-/merge_requests/567

Jeremy Bícha (jbicha)
Changed in wireplumber (Ubuntu):
status: New → In Progress
Alex Murray (alexmurray) wrote :

Thanks for following up on these with upstream Sergio - I think perhaps we should treat these as a security issue and do the updates via -security in Ubuntu.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pipewire - 1.0.1-1ubuntu2

---------------
pipewire (1.0.1-1ubuntu2) noble; urgency=medium

  * Drop Build-Depends: libroc-dev

pipewire (1.0.1-1ubuntu1) noble; urgency=medium

  * Merge with Debian. Remaining change:
    - Disable roc support since roc-toolkit is in universe
  * Cherry-pick patches from Sergio Costas for snap permissions support
    (LP: #1995707)
  * Add apparmor and snapd-glib to Build-Depends for snap feature
  * debian/control: Bump minimum libcamera to 0.2
  * Cherry-pick patches to switch to libcamera 0.2

pipewire (1.0.1-1) unstable; urgency=medium

  * New upstream release
  * Add lintian overrides for groff-message in manpages
  * Update upstream branch in debian/gbp.conf

pipewire (1.0.0-3) unstable; urgency=medium

  * libpipewire-0.3-modules-x11: depend on libcanberra-pulse (Closes: #1059544)
      module-x11-bell requires the libcanberra PulseAudio backend.

pipewire (1.0.0-2) experimental; urgency=medium

  * Install udev rules in /usr/lib/udev/rules.d (Closes: #1057233)
    Thanks to Chris Hofstaedtler.
  * Extend hurd-i386 restrictions to hurd-any
  * Build-Depend on the fixed version of libroc-dev: remove the now
    useless build-deps on libuv1-dev and libspeexdsp-dev.

 -- Jeremy Bícha <email address hidden> Wed, 17 Jan 2024 17:46:45 -0500

Changed in pipewire (Ubuntu):
status: Fix Committed → Fix Released
Mark Esler (eslerm) wrote :

Please refer to this issue, in Ubuntu snaps, as CVE-2022-4964.

Could the wireplumber fix be released?

Thank you for the report @jamesh \o/

information type: Private Security → Public Security
tags: added: patch
Jeremy Bícha (jbicha) wrote :

Mark, I've uploaded the wireplumber fix to Noble now. Please let us know if you need any other help here.

https://launchpad.net/ubuntu/+source/wireplumber/0.4.17-1ubuntu1

Changed in wireplumber (Ubuntu):
status: In Progress → Fix Committed
Changed in pipewire (Ubuntu):
assignee: Sergio Costas (rastersoft-gmail) → nobody
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package wireplumber - 0.4.17-1ubuntu1

---------------
wireplumber (0.4.17-1ubuntu1) noble; urgency=medium

  * Add patch to add support for snap permissions (LP: #1995707)

 -- Sergio Costas <email address hidden> Wed, 24 Jan 2024 12:54:23 -0500

Changed in wireplumber (Ubuntu):
status: Fix Committed → Fix Released
Vidar Braut Haarr (vhaarr+launchpad) wrote :

0.4.17-1ubuntu1 removes all output and input sinks in the gnome settings sound panel for me, to the extent that the volume level indicator that usually shows in the top right corner is just removed.

Playing audio through celluloid (mpv) still works with the default sink, while Firefox Nightly refuses to play anything.

This is on X11, without snapd installed.

Reverting to 0.4.17-1 works fine, and gnome settings lists all 5 output sinks again like normal.

Jeremy Bícha (jbicha) wrote (last edit ):

Vidar, please report a new bug. You can run

ubuntu-bug

and then choose the Sound/Audio option. You can then report the bug number here.

Sergio Costas (rastersoft-gmail) wrote (last edit ):

I prepared a patch for https://bugs.launchpad.net/ubuntu/+source/wireplumber/+bug/2051504, but the bug is in pipewire, not in wireplumber.
