pulseaudio should use app-specific directory for shm files
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
pulseaudio (Ubuntu) |
Confirmed
|
Medium
|
Unassigned |
Bug Description
Currently we have apparmor rules for pulseaudio like this:
owner /{run,dev}
deny /{run,dev}
The rules are this way because the shared memory files are not app specific and is possible for one app to access another app's shared memory file. It would be better if the files were app-specific to better isolation the apps (this is something we are doing
elsewhere). A short-term option would be to put this shm file in an app-specific directory such as one of these:
$XDG_RUNTIME_
$XDG_RUNTIME_
A longer-term alternative would be to integrate this more directly within AppArmor and its policy language. I'm currently marking this bug as 'Medium' right now-- the policy currently doesn't allow write to these SHM files and audio works ok.
When I run my click package on an UbuntuTouch tablet (image version 44), this is no audio because pulseaudio is not allowed :
in the application log :
libust[5076/5079]: Error: Error opening shm /lttng- ust-wait- 5-32011 (in get_wait_shm() at lttng-ust- comm.c: 886) ust-wait- 5-32011 (in get_wait_shm() at lttng-ust- comm.c: 886) 32011/pulse) : Permission denied
libust[5076/5079]: Error: Error opening shm /lttng-
shm_open() failed: Permission denied
Failed to create secure directory (/run/user/
In syslog : 6.479:557) : apparmor="DENIED" operation="open" parent=994 profile= "com.ubuntu. developer. name.appname_ appname_ 1.00" name="/ run/user/ 32011/pulse/ " pid=5248 comm="main.out" requested_mask="r" denied_mask="r" fsuid=32011 ouid=32011
ubuntu-phablet kernel: type=1400 audit(140094811