please enable snap mediation support

Bug #1781428 reported by Jamie Strandboge on 2018-07-12
Affects               Importance  Assigned to
pulseaudio (Ubuntu)   Undecided   James Henstridge
Xenial                Medium      James Henstridge
Bionic                Medium      James Henstridge

Bug Description

[Impact]
Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build, resulting in 'Enable Snappy support: no' and audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). As a result, any application with the pulseaudio interface connected was also able to record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected.

To correct this situation without regressing existing behavior, Ubuntu 19.04's pulseaudio was updated with a patch to allow playback by all connected clients (snaps or not), recording by classic snaps (see bug 1787324), and recording by strict mode snaps if either the pulseaudio or the new-in-snapd-2.41 audio-record interface is connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-deprecation/13418).

The patch to pulseaudio consists of adding a module and enabling it in default.pa. When the module is enabled and pulseaudio is faced with a record operation from a connecting process that is a snap (i.e., its security label, its apparmor label, starts with 'snap.'), it queries snapd via its control socket to ask whether the snap is classic and, if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in this manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU.
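As an added example (not the pulseaudio policy module's own code, which is a C module using snapd-glib), the following Python script re-implements the record decision the description lays out: non-snap clients and classic snaps may record, strict snaps may record only with 'pulseaudio' or 'audio-record' connected, and anything snapd cannot answer for is denied. The snap lookup against a live snapd assumes the default control socket path /run/snapd.socket and the /v2/snaps/<name> and /v2/connections?snap=<name> REST endpoints; the sample data for the three test snaps is constructed here to mirror the test plan and is injected so the decision logic runs offline.

```python
"""Record-mediation decision for PulseAudio clients, modelled on the snap policy
module described in this bug (a re-implementation, not the module's code)."""
import http.client
import json
import socket

# Assumed default path of snapd's control socket.
SNAPD_SOCKET = "/run/snapd.socket"
# Either of these connected interfaces lets a strict snap record.
RECORD_INTERFACES = ("pulseaudio", "audio-record")


class SnapdConnection(http.client.HTTPConnection):
    """HTTP over snapd's unix socket (the REST API has no TCP listener)."""

    def __init__(self, path=SNAPD_SOCKET):
        super().__init__("localhost")
        self._socket_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self._socket_path)


def snapd_get(endpoint, path=SNAPD_SOCKET):
    """GET one snapd REST endpoint and return its 'result' payload."""
    conn = SnapdConnection(path)
    try:
        conn.request("GET", endpoint)
        body = json.loads(conn.getresponse().read())
    finally:
        conn.close()
    if body.get("status-code") != 200:
        raise RuntimeError("snapd returned %s for %s" % (body.get("status-code"), endpoint))
    return body["result"]


def live_lookup(name):
    """Ask a running snapd for a snap's confinement and connected interfaces
    (assumed endpoints: /v2/snaps/<name> and /v2/connections?snap=<name>)."""
    snap = snapd_get("/v2/snaps/%s" % name)
    conns = snapd_get("/v2/connections?snap=%s" % name)
    interfaces = {c["interface"] for c in conns.get("established", [])
                  if c["plug"]["snap"] == name}
    return {"confinement": snap["confinement"], "interfaces": interfaces}


def snap_name_from_label(label):
    """Snap name from an AppArmor label 'snap.<name>.<app>', else None.
    /proc/<pid>/attr/current may append a mode such as ' (complain)'; drop it."""
    label = label.split(" ", 1)[0]
    parts = label.split(".")
    if len(parts) < 3 or parts[0] != "snap":
        return None
    return parts[1]


def record_allowed(label, lookup=live_lookup):
    """True if a client with this security label may open a record stream.

    Playback is never mediated here. Record is allowed for non-snap clients,
    for classic snaps, and for strict snaps with 'pulseaudio' or 'audio-record'
    connected. Any failure to learn the snap's state denies (fail closed)."""
    name = snap_name_from_label(label)
    if name is None:
        return True
    try:
        info = lookup(name)
    except Exception:
        return False
    if info["confinement"] == "classic":
        return True
    return any(i in info["interfaces"] for i in RECORD_INTERFACES)


# Constructed sample state mirroring the three test snaps from the test plan,
# with test-snapd-audio-record's audio-record plug not yet connected.
SAMPLE_SNAPS = {
    "test-snapd-classic-confinement": {"confinement": "classic", "interfaces": set()},
    "test-snapd-pulseaudio": {"confinement": "strict", "interfaces": {"pulseaudio"}},
    "test-snapd-audio-record": {"confinement": "strict", "interfaces": {"audio-playback"}},
}


def sample_lookup(name):
    return SAMPLE_SNAPS[name]


if __name__ == "__main__":
    for label in ("unconfined",
                  "/usr/bin/evince (enforce)",
                  "snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain)",
                  "snap.test-snapd-pulseaudio.record",
                  "snap.test-snapd-audio-record.record"):
        verdict = "allowed" if record_allowed(label, sample_lookup) else "denied"
        print("%-80s record: %s" % (label, verdict))
```

Run without arguments it evaluates the constructed sample; pass `live_lookup` (the default) to consult the local snapd instead. Keying on the interface name rather than the plug name matches what `snap connections` reports and what the policy is stated in terms of; failing closed on a lookup error is the conservative choice for a record stream, which is also why James' added check that the module keeps working across a snapd restart matters.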

[Test Case]

IMPORTANT: if updating pulseaudio while the session is running, you either need to reboot before testing or kill pulseaudio so it restarts with the new snap policy.

For unconfined applications:
$ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
yes

$ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
^Cyes

$ paplay /tmp/out.wav && echo "yes"
yes

For confined, non-snap applications:
$ sudo apt-get install evince

$ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes

$ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
^Cyes

$ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes"
yes

For classic snaps:
$ sudo snap install test-snapd-classic-confinement --classic

$ snap run --shell test-snapd-classic-confinement

$ cat /proc/self/attr/current # verify we are classic confined
snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain)

$ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes"
yes

$ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording
^Cyes

$ paplay /tmp/out.wav && echo "yes"
yes

$ exit # out of snap run --shell

For strict snaps with pulseaudio:
$ sudo snap install test-snapd-pulseaudio --edge

$ snap connections test-snapd-pulseaudio
Interface Plug Slot Notes
pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio -

$ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created
...

$ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-pulseaudio/common/

$ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes
xcb_connection_has_error() returned true
yes

(Note: the xcb_connection_has_error() message is due to the x11 interface not being connected, which is unrelated to mediation. x11 is left out so that just audio-playback/audio-record are tested.)

$ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass
...
^Cyes

$ test-snapd-pulseaudio.play /tmp/out.wav && echo yes
...
yes

For strict snaps with audio-playback/audio-record:
$ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04
$ sudo snap install test-snapd-audio-record --edge

$ snap connections test-snapd-audio-record # record not connected
Interface Plug Slot Notes
audio-playback test-snapd-audio-record:audio-playback :audio-playback -
audio-record test-snapd-audio-record:audio-record - -

$ test-snapd-audio-record.play --help # ensure SNAP dirs are created
...

$ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio-record/common/

$ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav && echo yes
xcb_connection_has_error() returned true
yes

(Note: the xcb_connection_has_error() message is due to the x11 interface not being connected, which is unrelated to mediation. x11 is left out so that just audio-playback/audio-record are tested.)

$ test-snapd-audio-record.record /tmp/out.wav # should fail
...
Stream error: Access denied

$ sudo snap connect test-snapd-audio-record:audio-record

$ test-snapd-audio-record.record /tmp/out.wav && echo yes # should pass
...
^Cyes

$ test-snapd-audio-record.play /tmp/out.wav && echo yes
...
yes

[Regression Potential]

The regression potential consists of pulseaudio playback and record functionality no longer working for snaps and non-snaps. This is easily tested via the test cases. Furthermore, the patches have seen 5 months real world testing since Ubuntu 19.04's release. Note that the patches for 18.04 and 16.04 include the fixes to 19.04 for classic snaps (and the above test cases verify the correct behavior).

# Original summary: pulseaudio built with --enable-snappy but 'Enable Snappy support: no'

# Original description

From https://launchpadlibrarian.net/377100864/buildlog_ubuntu-cosmic-amd64.pulseaudio_1%3A12.0-1ubuntu1_BUILDING.txt.gz:

...
dh_auto_configure -- --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf
 ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf
...
    Enable Ubuntu trust store: no
    Enable Snappy support: no
    Enable Apparmor: yes

At this point, the patch should probably be dropped, otherwise applications like chromium, etc. will no longer be able to record.


description: updated
Daniel van Vugt (vanvugt) wrote :

I'm not familiar with the workings of those patches - only basic fixes to make them build OK.

Certainly "Enable Snappy support: no" looks like a bug worth fixing. But I don't know who has the authority to decide about dropping any of those patches.

Also how does this relate to Chromium?

Changed in pulseaudio (Ubuntu):
status: New → Incomplete
Jamie Strandboge (jdstrand) wrote :

We can't just enable the patches any more because it will change how snaps that plug 'pulseaudio' will work. Put concretely, the patches are meant to detect if the connecting process is a snap and if it is, unconditionally deny recording. Some snaps that 'plugs: [ pulseaudio ]' have legitimate use for audio recording, such as the chromium and firefox snaps for Google Meet, etc. If these patches all of a sudden were fixed, then snaps like firefox and chromium would no longer be able to record audio.

While Ubuntu will end up patching pulseaudio in some way to support record mediation, it won't be with these patches. This is being discussed in https://forum.snapcraft.io/t/pulseaudio-recording/6361. If you have experience with pulseaudio and are interested in the upcoming changes, please keep an eye on the forum (and ideally participate in the conversation). Thanks!

Changed in pulseaudio (Ubuntu):
status: Incomplete → New
Changed in pulseaudio (Ubuntu):
assignee: nobody → James Henstridge (jamesh)
status: New → In Progress
James Henstridge (jamesh) wrote :

Attached is a debdiff for a 1:12.2-0ubuntu2 release of pulseaudio with an updated snap policy module and the default configuration modified to enable it.

I also took the opportunity to remove the Ubuntu Phone era trust-store module, which hasn't been built since February.

The attachment "pulseaudio_12.2-0ubuntu1_12.2-0ubuntu2.diff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pulseaudio - 1:12.2-0ubuntu2

---------------
pulseaudio (1:12.2-0ubuntu2) cosmic; urgency=medium

  * Update snap policy to make access to audio recording conditional on
    plugging the "pulseaudio" or "audio-record" interfaces (LP: #1781428):
    - 0700-modules-add-snappy-policy-module.patch: rewrite to query
      snapd for the client's plugged interfaces.
    - 0701-enable-snap-policy-module.patch: enable the module in the
      default configuration.
    - Build depend on libsnapd-glib-dev.
  * Remove module-trust-store patch set:
    - 0409-Trust-store-patch.patch: trimmed down to pulsecore changes.
    - 0410-Add-thread-to-activate-trust-store-interface.patch: removed.
    - 0417-increase-timeout-check-apparmor.patch: removed.

 -- James Henstridge <email address hidden> Tue, 07 Aug 2018 17:01:22 +0800

Changed in pulseaudio (Ubuntu):
status: In Progress → Fix Released
description: updated
summary: - pulseaudio built with --enable-snappy but 'Enable Snappy support: no'
+ please enable snap mediation support
Jamie Strandboge (jdstrand) wrote :
description: updated
Changed in pulseaudio (Ubuntu Xenial):
status: New → In Progress
Changed in pulseaudio (Ubuntu Bionic):
status: New → In Progress
Jamie Strandboge (jdstrand) wrote :
Jamie Strandboge (jdstrand) wrote :

Attaching test-snapd-pulseaudio and test-snapd-audio-record snaps.

description: updated
description: updated
Changed in pulseaudio (Ubuntu Xenial):
status: In Progress → Triaged
Changed in pulseaudio (Ubuntu Bionic):
status: In Progress → Triaged
Changed in pulseaudio (Ubuntu Xenial):
assignee: nobody → James Henstridge (jamesh)
Changed in pulseaudio (Ubuntu Bionic):
assignee: nobody → James Henstridge (jamesh)
Changed in pulseaudio (Ubuntu Xenial):
importance: Undecided → Medium
Changed in pulseaudio (Ubuntu Bionic):
importance: Undecided → Medium
James Henstridge (jamesh) wrote :

The xenial backport is non-functional due to a symbol collision between libjson-c.so (required by libpulse) and libjson-glib.so (required by snapd-glib). This doesn't affect the Bionic backport though.

James Henstridge (jamesh) wrote :

Attached is a debdiff for the bionic backport. I've run through @jdstrand's test plan on a clean Ubuntu 18.04 install, and everything appears to be behaving as expected.

pulseaudio (1:11.1-1ubuntu7.5) bionic; urgency=medium

  * Update snap policy to make access to audio recording conditional on
    plugging the "pulseaudio" or "audio-record" interfaces (LP: #1781428):
    - 0700-modules-add-snappy-policy-module.patch: rewrite to query
      snapd for the client's plugged interfaces.
    - 0701-enable-snap-policy-module.patch: enable the module in the
      default configuration.
    - Build depend on libsnapd-glib-dev.
  * Remove module-trust-store patch set:
    - 0409-Trust-store-patch.patch: trimmed down to pulsecore changes.
    - 0410-Add-thread-to-activate-trust-store-interface.patch: removed.
    - 0417-increase-timeout-check-apparmor.patch: removed.

 -- James Henstridge <email address hidden> Wed, 05 Nov 2019 17:16:25 +0800

James Henstridge (jamesh) wrote :

Attached is a debdiff for the Xenial version of the backport. In addition to the snap policy module patches, this includes a backport of the libjson-c dependency removal changes from Pulse Audio 10.0 (which applied cleanly without modification). This is required because libjson-c and libjson-glib declare a few symbols with the same name, causing problems for the policy module.

Based on discussion in https://bugs.freedesktop.org/show_bug.cgi?id=95135, the libjson-c dependency was causing problems for other applications too.

I was able to complete @jdstrand's test plan on a clean 16.04 install with these updates.

pulseaudio (1:8.0-0ubuntu3.11) xenial; urgency=medium

  * Backport the snap policy module to make access to audio recording
    conditional on plugging the "pulseaudio" or "audio-record" interfaces
    (LP: #1781428):
    - 0450-modules-add-snappy-policy-module.patch: rewrite to query
      snapd for the client's plugged interfaces.
    - 0451-enable-snap-policy-module.patch: enable the module in the
      default configuration.
    - Build depend on libsnapd-glib-dev.
  * Backport libjson-c dependency removal from Pulse Audio 10. This is
    required by the snap policy module due to a symbol name clash with
    libjson-glib.
    - 0805-remove-libjson-c-dependency.patch: new file.

 -- James Henstridge <email address hidden> Tue, 05 Nov 2019 17:16:22 +0800

James Henstridge (jamesh) wrote :

The two packages are in the upload queue now:

    https://launchpad.net/ubuntu/xenial/+queue?queue_state=1&queue_text=pulseaudio
    https://launchpad.net/ubuntu/bionic/+queue?queue_state=1&queue_text=pulseaudio

One additional acceptance test would be to verify that the policy module continues to work across snapd restarts. So at the end of the test script, add something like:

The policy module continues to function over snapd restarts:

$ sudo systemctl restart snapd.service
$ test-snapd-audio-record.record /tmp/out.wav && echo yes # should pass
...
^Cyes

This was a problem with old versions of snapd-glib (before 1.44, I think), but shouldn't be a problem now.

Hello Jamie, or anyone else affected,

Accepted pulseaudio into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/pulseaudio/1:11.1-1ubuntu7.5 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in pulseaudio (Ubuntu Bionic):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-bionic
Timo Aaltonen (tjaalton) wrote :

Hello Jamie, or anyone else affected,

Accepted pulseaudio into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/pulseaudio/1:8.0-0ubuntu3.11 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in pulseaudio (Ubuntu Xenial):
status: Triaged → Fix Committed
tags: added: verification-needed-xenial
description: updated
Jamie Strandboge (jdstrand) wrote :

Installing 1:11.1-1ubuntu7.5 from bionic-proposed, the test plan and James' addition (mediation is preserved across a snapd restart) all work as expected. Marking as verification done.

tags: added: verification-done-bionic
removed: verification-needed-bionic
Jamie Strandboge (jdstrand) wrote :

Installing 1:8.0-0ubuntu3.11 from xenial-proposed, the test plan and James' addition (mediation is preserved across a snapd restart) all work as expected. Marking as verification done.

description: updated
tags: added: verification-done verification-done-xenial
removed: verification-needed verification-needed-xenial

The verification of the Stable Release Update for pulseaudio has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pulseaudio - 1:8.0-0ubuntu3.11

---------------
pulseaudio (1:8.0-0ubuntu3.11) xenial; urgency=medium

  * Backport the snap policy module to make access to audio recording
    conditional on plugging the "pulseaudio" or "audio-record" interfaces
    (LP: #1781428):
    - 0450-modules-add-snappy-policy-module.patch: rewrite to query
      snapd for the client's plugged interfaces.
    - 0451-enable-snap-policy-module.patch: enable the module in the
      default configuration.
    - Build depend on libsnapd-glib-dev.
  * Backport libjson-c dependency removal from Pulse Audio 10. This is
    required by the snap policy module due to a symbol name clash with
    libjson-glib.
    - 0805-remove-libjson-c-dependency.patch: new file.

 -- James Henstridge <email address hidden> Tue, 05 Nov 2019 17:16:22 +0800

Changed in pulseaudio (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package pulseaudio - 1:11.1-1ubuntu7.5

---------------
pulseaudio (1:11.1-1ubuntu7.5) bionic; urgency=medium

  * Update snap policy to make access to audio recording conditional on
    plugging the "pulseaudio" or "audio-record" interfaces (LP: #1781428):
    - 0700-modules-add-snappy-policy-module.patch: rewrite to query
      snapd for the client's plugged interfaces.
    - 0701-enable-snap-policy-module.patch: enable the module in the
      default configuration.
    - Build depend on libsnapd-glib-dev.
  * Remove module-trust-store patch set:
    - 0409-Trust-store-patch.patch: trimmed down to pulsecore changes.
    - 0410-Add-thread-to-activate-trust-store-interface.patch: removed.
    - 0417-increase-timeout-check-apparmor.patch: removed.

 -- James Henstridge <email address hidden> Wed, 05 Nov 2019 17:16:25 +0800

Changed in pulseaudio (Ubuntu Bionic):
status: Fix Committed → Fix Released
Łukasz Zemczak (sil2100) wrote :

This update has been pulled from -updates by Sebastien as it was causing pulling in snapd via a recommends chain on systems that do not want to have snapd installed. A fix is in the works from what I know. Marking it as verification-failed so that it doesn't get re-released by accident.

tags: added: verification-failed verification-failed-bionic verification-failed-xenial
removed: verification-done verification-done-bionic verification-done-xenial
Changed in pulseaudio (Ubuntu Xenial):
status: Fix Released → Fix Committed
Changed in pulseaudio (Ubuntu Bionic):
status: Fix Released → Fix Committed
Jamie Strandboge (jdstrand) wrote :

Note, there is a spread test in snapd that checks for if the mediation patches are dropped (or added). While it is fine for https://launchpad.net/bugs/1856054 to be fast tracked, this pulseaudio bug should not be marked as Fix Released before the end of year break unless you coordinate with the snapd team first so as to avoid the spread test failing when no one is around to fix it.

Specifically, snapd needs:
https://github.com/snapcore/snapd/pull/7885
https://github.com/snapcore/snapd/pull/7886

To be clear, the snapd deb doesn't need to be involved in any of this; it is just coordinating with upstream so the upstream CI doesn't break over the holidays.

Manfred Hampl (m-hampl) wrote :

Now with the updated snap packages published, (see Bug #1856196 ), when will the pulseaudio packages be re-published?

Everyone on Xenial and Bionic who did a package update between 2019-12-11 and 2019-12-12 now has orphaned pulseaudio packages installed, blocking the installation of additional pulseaudio packages! See Bug #1858164.
