pulseaudio socket needs confined app restrictions

Bug #1211380 reported by Marc Deslauriers on 2013-08-12
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
PulseAudio
New
Undecided
Unassigned
apparmor (Ubuntu)
Medium
Tyler Hicks
Saucy
Medium
Tyler Hicks
Trusty
Medium
Unassigned
apparmor-easyprof-ubuntu (Ubuntu)
Critical
Jamie Strandboge
Saucy
Critical
Jamie Strandboge
Trusty
Undecided
Unassigned
pulseaudio (Ubuntu)
Medium
Unassigned
Saucy
Undecided
Unassigned
Trusty
Medium
Unassigned

Bug Description

Confined applications need access to the pulseaudio socket. Currently several sockets are available to apps, and some allow performing dangerous operations, such as loading a module from an arbitrary path.

It also allows them to enumerate installed applications by listing clients.

The Pulseaudio daemon should verify if an application is confined, and if so, restrict access to certain commands.

If module loading cannot be disabled for confined applications, perhaps it could be modified to only load modules from trusted system locations.

Changed in pulseaudio (Ubuntu Saucy):
importance: Undecided → Critical
status: New → Confirmed
milestone: none → ubuntu-13.10
David Henningsson (diwic) wrote :

Okay, how does PulseAudio determine if a client is confined or not?

Jamie Strandboge (jdstrand) wrote :

I just noticed your question. David, there is both a libapparmor API and a DBus API. See man aa_getcon for details.

Jamie Strandboge (jdstrand) wrote :

In email correspondence, David said that we should disable access to the cli and dbus-sockets and only allow access to native. This has been added to policy. With a pending kernel patch, those avenues will be fixed. David also said that with the native socket apps can load pulse system modules. That is sufficient for 13.10, but will likely want to add security hooks to pulse going forward. I'll mark the saucy task as "Won't Fix" for now. We can define work items for mediating module load down the line.

Jamie Strandboge (jdstrand) wrote :

apparmor-easyprof-ubuntu has the correct pulse socket accesses in 1.0.32.

Changed in apparmor-easyprof-ubuntu (Ubuntu Saucy):
assignee: nobody → Jamie Strandboge (jdstrand)
importance: Undecided → Critical
status: New → Fix Released
Changed in pulseaudio (Ubuntu Saucy):
status: Confirmed → Won't Fix
milestone: ubuntu-13.10 → none
Changed in pulseaudio (Ubuntu Saucy):
importance: Critical → Undecided
Changed in pulseaudio (Ubuntu):
importance: Critical → Medium
milestone: ubuntu-13.10 → none
Tyler Hicks (tyhicks) wrote :

Adding a task for AppArmor, as the generic audio abstraction grants access to the cli socket and should be locked down to only grant access to the pid and native files.

Changed in apparmor (Ubuntu Saucy):
assignee: nobody → Tyler Hicks (tyhicks)
importance: Undecided → Medium
status: New → Confirmed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package apparmor - 2.8.0-0ubuntu30

---------------
apparmor (2.8.0-0ubuntu30) saucy; urgency=low

  [ Tyler Hicks ]
  * debian/patches/0059-dbus-rules-for-dbus-abstractions.patch: Add an
    abstraction for the accessibility bus. It is currently very permissive,
    like the dbus and dbus-session abstractions, and grants all permissions on
    the accessibility bus. (LP: #1226141)
  * debian/patches/0071-lp1226356.patch: Fix issues in parsing D-Bus and mount
    rules. Both rule classes suffered from unexpected auditing behavior when
    using the 'deny' and 'audit deny' rule modifiers. The 'deny' modifier
    resulting in accesses being audited and the 'audit deny' modifier
    resulting in accesses not being audited. (LP: #1226356)
  * debian/patches/0072-lp1229393.patch: Fix cache location for .features
    file, which was not being written to the proper location if the parameter
    --cache-loc= is passed to apparmor_parser. This bug resulted in using the
    .features file from /etc/apparmor.d/cache or always recompiling policy.
    Patch thanks to John Johansen. (LP: #1229393)
  * debian/patches/0073-lp1208988.patch: Update AppArmor file rules of UNIX
    domain sockets to include read and write permissions. Both permissions are
    required when a process connects to a UNIX domain socket. Also include new
    tests for mediation of UNIX domain sockets. Thanks to Jamie Strandboge for
    helping with the policy updates and testing. (LP: #1208988)
  * debian/patches/0075-lp1211380.patch: Adjust the audio abstraction to only
    grant access to specific pulseaudio files in the pulse runtime directory
    to remove access to potentially dangerous files (LP: #1211380)

  [ Jamie Strandboge ]
  * debian/patches/0074-lp1228882.patch: typo in ubuntu-browsers.d/multimedia
    (LP: #1228882)
  * 0076_sanitized_helper_dbus_access.patch: allow applications run under
    sanitized_helper to connect to DBus
 -- Tyler Hicks <email address hidden> Fri, 04 Oct 2013 17:29:52 -0700

Changed in apparmor (Ubuntu Saucy):
status: Confirmed → Fix Released
description: updated
Jamie Strandboge (jdstrand) wrote :

Closing trusty task

Changed in pulseaudio (Ubuntu Trusty):
status: Confirmed → Won't Fix
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers