Ubuntu
pulseaudio package

  1. Bug #1781428
  2. Activity log

Activity log for bug #1781428

Date Who What changed Old value New value Message
2018-07-12 16:06:59 Jamie Strandboge bug added bug
2018-07-12 16:10:41 Jamie Strandboge description From https://launchpadlibrarian.net/377100864/buildlog_ubuntu-cosmic-amd64.pulseaudio_1%3A12.0-1ubuntu1_BUILDING.txt.gz: ... dh_auto_configure -- --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf ... Enable Ubuntu trust store: no Enable Snappy support: no Enable Apparmor: yes From https://launchpadlibrarian.net/377100864/buildlog_ubuntu-cosmic-amd64.pulseaudio_1%3A12.0-1ubuntu1_BUILDING.txt.gz: ... dh_auto_configure -- --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf  ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf ...     Enable Ubuntu trust store: no     Enable Snappy support: no     Enable Apparmor: yes At this point, the patch should probably be dropped, otherwise applications like chromium, etc will no longer be able to record.
2018-07-13 02:15:54 Daniel van Vugt pulseaudio (Ubuntu): status New Incomplete
2018-07-16 03:12:00 Daniel van Vugt pulseaudio (Ubuntu): status Incomplete New
2018-08-08 06:49:30 Daniel van Vugt merge proposal linked https://code.launchpad.net/~jamesh/pulseaudio/+git/pulseaudio/+merge/352558
2018-08-08 06:49:39 Daniel van Vugt pulseaudio (Ubuntu): assignee James Henstridge (jamesh)
2018-08-08 06:49:43 Daniel van Vugt pulseaudio (Ubuntu): status New In Progress
2018-08-10 09:15:48 James Henstridge attachment added pulseaudio_12.2-0ubuntu1_12.2-0ubuntu2.diff https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1781428/+attachment/5173727/+files/pulseaudio_12.2-0ubuntu1_12.2-0ubuntu2.diff
2018-08-10 12:24:02 Ubuntu Foundations Team Bug Bot tags patch
2018-08-10 12:24:07 Ubuntu Foundations Team Bug Bot bug added subscriber Ubuntu Sponsors Team
2018-08-13 16:31:11 Launchpad Janitor pulseaudio (Ubuntu): status In Progress Fix Released
2018-08-29 09:48:40 James Henstridge nominated for series Ubuntu Bionic
2018-08-29 09:48:40 James Henstridge nominated for series Ubuntu Xenial
2018-08-29 10:57:11 Launchpad Janitor merge proposal linked https://code.launchpad.net/~ubuntu-audio-dev/pulseaudio/+git/pulseaudio/+merge/353962
2018-08-29 11:25:15 Launchpad Janitor merge proposal linked https://code.launchpad.net/~ubuntu-audio-dev/pulseaudio/+git/pulseaudio/+merge/353966
2019-09-29 12:18:27 Jamie Strandboge description From https://launchpadlibrarian.net/377100864/buildlog_ubuntu-cosmic-amd64.pulseaudio_1%3A12.0-1ubuntu1_BUILDING.txt.gz: ... dh_auto_configure -- --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf  ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf ...     Enable Ubuntu trust store: no     Enable Snappy support: no     Enable Apparmor: yes At this point, the patch should probably be dropped, otherwise applications like chromium, etc will no longer be able to record. # Original summary: pulseaudio built with --enable-snappy but 'Enable Snappy support: no' # Original description From https://launchpadlibrarian.net/377100864/buildlog_ubuntu-cosmic-amd64.pulseaudio_1%3A12.0-1ubuntu1_BUILDING.txt.gz: ... dh_auto_configure -- --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf  ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf ...     Enable Ubuntu trust store: no     Enable Snappy support: no     Enable Apparmor: yes At this point, the patch should probably be dropped, otherwise applications like chromium, etc will no longer be able to record.
2019-09-29 12:18:56 Jamie Strandboge summary pulseaudio built with --enable-snappy but 'Enable Snappy support: no' please enable snap mediation support
2019-09-29 13:25:25 Jamie Strandboge description # Original summary: pulseaudio built with --enable-snappy but 'Enable Snappy support: no' # Original description From https://launchpadlibrarian.net/377100864/buildlog_ubuntu-cosmic-amd64.pulseaudio_1%3A12.0-1ubuntu1_BUILDING.txt.gz: ... dh_auto_configure -- --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf  ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf ...     Enable Ubuntu trust store: no     Enable Snappy support: no     Enable Apparmor: yes At this point, the patch should probably be dropped, otherwise applications like chromium, etc will no longer be able to record. [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] Since the pulseaudio mediation behavior triggers when the security label starts with 'snap.' it is su For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For strict snaps with pulseaudio: $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap $ snap connections test-snapd-audio-record # record not connected Interface Plug Slot Notes audio-playback test-snapd-audio-record:audio-playback :audio-playback - audio-record test-snapd-audio-record:audio-record - - $ test-snapd-audio-record.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio-record/common/ $ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-audio-record.record /tmp/out.wav # should fail ... Stream error: Access denied $ sudo snap connect test-snapd-audio-record:audio-record $ test-snapd-audio-record.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-audio-record.play /tmp/out.wav && echo yes ... yes [Regression Potential] The regression potential consists of pulseaudio playback and record functionality no longer working for snaps and non-snaps. This is easily tested via the test cases. Furthermore, the patches have seen 5 months real world testing since Ubuntu 19.04's release. Note that the patches for 18.04 and 16.04 include the fixes to 19.04 for classic snaps (and the above test cases verify the correct behavior). # Original summary: pulseaudio built with --enable-snappy but 'Enable Snappy support: no' # Original description From https://launchpadlibrarian.net/377100864/buildlog_ubuntu-cosmic-amd64.pulseaudio_1%3A12.0-1ubuntu1_BUILDING.txt.gz: ... dh_auto_configure -- --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf  ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf ...     Enable Ubuntu trust store: no     Enable Snappy support: no     Enable Apparmor: yes At this point, the patch should probably be dropped, otherwise applications like chromium, etc will no longer be able to record.
2019-09-29 13:25:29 Jamie Strandboge bug task added pulseaudio (Ubuntu Bionic)
2019-09-29 13:25:37 Jamie Strandboge bug task added pulseaudio (Ubuntu Xenial)
2019-09-29 13:25:44 Jamie Strandboge pulseaudio (Ubuntu Xenial): status New In Progress
2019-09-29 13:25:46 Jamie Strandboge pulseaudio (Ubuntu Bionic): status New In Progress
2019-09-29 13:29:41 Jamie Strandboge attachment added test-snapd-pulseaudio_1_amd64.snap https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1781428/+attachment/5292538/+files/test-snapd-pulseaudio_1_amd64.snap
2019-09-29 13:30:05 Jamie Strandboge attachment added test-snapd-audio-record_1_amd64.snap https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1781428/+attachment/5292539/+files/test-snapd-audio-record_1_amd64.snap
2019-09-29 13:46:16 Jamie Strandboge description [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] Since the pulseaudio mediation behavior triggers when the security label starts with 'snap.' it is su For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For strict snaps with pulseaudio: $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap $ snap connections test-snapd-audio-record # record not connected Interface Plug Slot Notes audio-playback test-snapd-audio-record:audio-playback :audio-playback - audio-record test-snapd-audio-record:audio-record - - $ test-snapd-audio-record.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio-record/common/ $ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-audio-record.record /tmp/out.wav # should fail ... Stream error: Access denied $ sudo snap connect test-snapd-audio-record:audio-record $ test-snapd-audio-record.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-audio-record.play /tmp/out.wav && echo yes ... yes [Regression Potential] The regression potential consists of pulseaudio playback and record functionality no longer working for snaps and non-snaps. This is easily tested via the test cases. Furthermore, the patches have seen 5 months real world testing since Ubuntu 19.04's release. Note that the patches for 18.04 and 16.04 include the fixes to 19.04 for classic snaps (and the above test cases verify the correct behavior). # Original summary: pulseaudio built with --enable-snappy but 'Enable Snappy support: no' # Original description From https://launchpadlibrarian.net/377100864/buildlog_ubuntu-cosmic-amd64.pulseaudio_1%3A12.0-1ubuntu1_BUILDING.txt.gz: ... dh_auto_configure -- --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf  ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf ...     Enable Ubuntu trust store: no     Enable Snappy support: no     Enable Apparmor: yes At this point, the patch should probably be dropped, otherwise applications like chromium, etc will no longer be able to record. [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] Since the pulseaudio mediation behavior triggers when the security label starts with 'snap.' it is su For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For strict snaps with pulseaudio: $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 $ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap $ snap connections test-snapd-audio-record # record not connected Interface Plug Slot Notes audio-playback test-snapd-audio-record:audio-playback :audio-playback - audio-record test-snapd-audio-record:audio-record - - $ test-snapd-audio-record.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio-record/common/ $ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-audio-record.record /tmp/out.wav # should fail ... Stream error: Access denied $ sudo snap connect test-snapd-audio-record:audio-record $ test-snapd-audio-record.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-audio-record.play /tmp/out.wav && echo yes ... yes [Regression Potential] The regression potential consists of pulseaudio playback and record functionality no longer working for snaps and non-snaps. This is easily tested via the test cases. Furthermore, the patches have seen 5 months real world testing since Ubuntu 19.04's release. Note that the patches for 18.04 and 16.04 include the fixes to 19.04 for classic snaps (and the above test cases verify the correct behavior). # Original summary: pulseaudio built with --enable-snappy but 'Enable Snappy support: no' # Original description From https://launchpadlibrarian.net/377100864/buildlog_ubuntu-cosmic-amd64.pulseaudio_1%3A12.0-1ubuntu1_BUILDING.txt.gz: ... dh_auto_configure -- --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf  ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf ...     Enable Ubuntu trust store: no     Enable Snappy support: no     Enable Apparmor: yes At this point, the patch should probably be dropped, otherwise applications like chromium, etc will no longer be able to record.
2019-09-29 13:54:24 Jamie Strandboge description [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] Since the pulseaudio mediation behavior triggers when the security label starts with 'snap.' it is su For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For strict snaps with pulseaudio: $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 $ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap $ snap connections test-snapd-audio-record # record not connected Interface Plug Slot Notes audio-playback test-snapd-audio-record:audio-playback :audio-playback - audio-record test-snapd-audio-record:audio-record - - $ test-snapd-audio-record.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio-record/common/ $ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-audio-record.record /tmp/out.wav # should fail ... Stream error: Access denied $ sudo snap connect test-snapd-audio-record:audio-record $ test-snapd-audio-record.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-audio-record.play /tmp/out.wav && echo yes ... yes [Regression Potential] The regression potential consists of pulseaudio playback and record functionality no longer working for snaps and non-snaps. This is easily tested via the test cases. Furthermore, the patches have seen 5 months real world testing since Ubuntu 19.04's release. Note that the patches for 18.04 and 16.04 include the fixes to 19.04 for classic snaps (and the above test cases verify the correct behavior). # Original summary: pulseaudio built with --enable-snappy but 'Enable Snappy support: no' # Original description From https://launchpadlibrarian.net/377100864/buildlog_ubuntu-cosmic-amd64.pulseaudio_1%3A12.0-1ubuntu1_BUILDING.txt.gz: ... dh_auto_configure -- --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf  ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf ...     Enable Ubuntu trust store: no     Enable Snappy support: no     Enable Apparmor: yes At this point, the patch should probably be dropped, otherwise applications like chromium, etc will no longer be able to record. [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For strict snaps with pulseaudio: $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 $ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap $ snap connections test-snapd-audio-record # record not connected Interface Plug Slot Notes audio-playback test-snapd-audio-record:audio-playback :audio-playback - audio-record test-snapd-audio-record:audio-record - - $ test-snapd-audio-record.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio-record/common/ $ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-audio-record.record /tmp/out.wav # should fail ... Stream error: Access denied $ sudo snap connect test-snapd-audio-record:audio-record $ test-snapd-audio-record.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-audio-record.play /tmp/out.wav && echo yes ... yes [Regression Potential] The regression potential consists of pulseaudio playback and record functionality no longer working for snaps and non-snaps. This is easily tested via the test cases. Furthermore, the patches have seen 5 months real world testing since Ubuntu 19.04's release. Note that the patches for 18.04 and 16.04 include the fixes to 19.04 for classic snaps (and the above test cases verify the correct behavior). # Original summary: pulseaudio built with --enable-snappy but 'Enable Snappy support: no' # Original description From https://launchpadlibrarian.net/377100864/buildlog_ubuntu-cosmic-amd64.pulseaudio_1%3A12.0-1ubuntu1_BUILDING.txt.gz: ... dh_auto_configure -- --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf  ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf ...     Enable Ubuntu trust store: no     Enable Snappy support: no     Enable Apparmor: yes At this point, the patch should probably be dropped, otherwise applications like chromium, etc will no longer be able to record.
2019-09-30 13:44:57 Jamie Strandboge pulseaudio (Ubuntu Xenial): status In Progress Triaged
2019-09-30 13:45:00 Jamie Strandboge pulseaudio (Ubuntu Bionic): status In Progress Triaged
2019-10-01 13:38:54 Ken VanDine pulseaudio (Ubuntu Xenial): assignee James Henstridge (jamesh)
2019-10-01 13:39:06 Ken VanDine pulseaudio (Ubuntu Bionic): assignee James Henstridge (jamesh)
2019-10-01 13:39:09 Ken VanDine pulseaudio (Ubuntu Xenial): importance Undecided Medium
2019-10-01 13:39:13 Ken VanDine pulseaudio (Ubuntu Bionic): importance Undecided Medium
2019-11-08 06:11:43 James Henstridge attachment added pulseaudio_11.1-1ubuntu7.4_11.1-1ubuntu7.5.diff https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1781428/+attachment/5303689/+files/pulseaudio_11.1-1ubuntu7.4_11.1-1ubuntu7.5.diff
2019-11-08 09:13:02 James Henstridge bug watch added https://bugs.freedesktop.org/show_bug.cgi?id=95135
2019-11-08 09:13:02 James Henstridge attachment added pulseaudio_8.0-0ubuntu3.10_8.0-0ubuntu3.11.diff https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1781428/+attachment/5303806/+files/pulseaudio_8.0-0ubuntu3.10_8.0-0ubuntu3.11.diff
2019-11-08 14:39:13 Ken VanDine removed subscriber Ubuntu Sponsors Team
2019-11-08 14:39:50 Ken VanDine bug added subscriber Ubuntu Stable Release Updates Team
2019-11-22 11:41:32 Timo Aaltonen pulseaudio (Ubuntu Bionic): status Triaged Fix Committed
2019-11-22 11:41:34 Timo Aaltonen bug added subscriber SRU Verification
2019-11-22 11:41:38 Timo Aaltonen tags patch patch verification-needed verification-needed-bionic
2019-11-22 12:19:20 Timo Aaltonen pulseaudio (Ubuntu Xenial): status Triaged Fix Committed
2019-11-22 12:19:25 Timo Aaltonen tags patch verification-needed verification-needed-bionic patch verification-needed verification-needed-bionic verification-needed-xenial
2019-11-25 22:28:23 Jamie Strandboge description [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For strict snaps with pulseaudio: $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 $ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap $ snap connections test-snapd-audio-record # record not connected Interface Plug Slot Notes audio-playback test-snapd-audio-record:audio-playback :audio-playback - audio-record test-snapd-audio-record:audio-record - - $ test-snapd-audio-record.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio-record/common/ $ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-audio-record.record /tmp/out.wav # should fail ... Stream error: Access denied $ sudo snap connect test-snapd-audio-record:audio-record $ test-snapd-audio-record.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-audio-record.play /tmp/out.wav && echo yes ... yes [Regression Potential] The regression potential consists of pulseaudio playback and record functionality no longer working for snaps and non-snaps. This is easily tested via the test cases. Furthermore, the patches have seen 5 months real world testing since Ubuntu 19.04's release. Note that the patches for 18.04 and 16.04 include the fixes to 19.04 for classic snaps (and the above test cases verify the correct behavior). # Original summary: pulseaudio built with --enable-snappy but 'Enable Snappy support: no' # Original description From https://launchpadlibrarian.net/377100864/buildlog_ubuntu-cosmic-amd64.pulseaudio_1%3A12.0-1ubuntu1_BUILDING.txt.gz: ... dh_auto_configure -- --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf  ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf ...     Enable Ubuntu trust store: no     Enable Snappy support: no     Enable Apparmor: yes At this point, the patch should probably be dropped, otherwise applications like chromium, etc will no longer be able to record. [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For strict snaps with pulseaudio: $ sudo snap install test-snapd-pulseaudio --edge $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 $ sudo snap install test-snapd-audio-record --edge $ snap connections test-snapd-audio-record # record not connected Interface Plug Slot Notes audio-playback test-snapd-audio-record:audio-playback :audio-playback - audio-record test-snapd-audio-record:audio-record - - $ test-snapd-audio-record.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio-record/common/ $ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-audio-record.record /tmp/out.wav # should fail ... Stream error: Access denied $ sudo snap connect test-snapd-audio-record:audio-record $ test-snapd-audio-record.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-audio-record.play /tmp/out.wav && echo yes ... yes [Regression Potential] The regression potential consists of pulseaudio playback and record functionality no longer working for snaps and non-snaps. This is easily tested via the test cases. Furthermore, the patches have seen 5 months real world testing since Ubuntu 19.04's release. Note that the patches for 18.04 and 16.04 include the fixes to 19.04 for classic snaps (and the above test cases verify the correct behavior). # Original summary: pulseaudio built with --enable-snappy but 'Enable Snappy support: no' # Original description From https://launchpadlibrarian.net/377100864/buildlog_ubuntu-cosmic-amd64.pulseaudio_1%3A12.0-1ubuntu1_BUILDING.txt.gz: ... dh_auto_configure -- --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf  ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf ...     Enable Ubuntu trust store: no     Enable Snappy support: no     Enable Apparmor: yes At this point, the patch should probably be dropped, otherwise applications like chromium, etc will no longer be able to record.
2019-11-25 22:33:56 Jamie Strandboge tags patch verification-needed verification-needed-bionic verification-needed-xenial patch verification-done-bionic verification-needed verification-needed-xenial
2019-11-25 22:39:23 Jamie Strandboge description [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For strict snaps with pulseaudio: $ sudo snap install test-snapd-pulseaudio --edge $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 $ sudo snap install test-snapd-audio-record --edge $ snap connections test-snapd-audio-record # record not connected Interface Plug Slot Notes audio-playback test-snapd-audio-record:audio-playback :audio-playback - audio-record test-snapd-audio-record:audio-record - - $ test-snapd-audio-record.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio-record/common/ $ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-audio-record.record /tmp/out.wav # should fail ... Stream error: Access denied $ sudo snap connect test-snapd-audio-record:audio-record $ test-snapd-audio-record.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-audio-record.play /tmp/out.wav && echo yes ... yes [Regression Potential] The regression potential consists of pulseaudio playback and record functionality no longer working for snaps and non-snaps. This is easily tested via the test cases. Furthermore, the patches have seen 5 months real world testing since Ubuntu 19.04's release. Note that the patches for 18.04 and 16.04 include the fixes to 19.04 for classic snaps (and the above test cases verify the correct behavior). # Original summary: pulseaudio built with --enable-snappy but 'Enable Snappy support: no' # Original description From https://launchpadlibrarian.net/377100864/buildlog_ubuntu-cosmic-amd64.pulseaudio_1%3A12.0-1ubuntu1_BUILDING.txt.gz: ... dh_auto_configure -- --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf  ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf ...     Enable Ubuntu trust store: no     Enable Snappy support: no     Enable Apparmor: yes At this point, the patch should probably be dropped, otherwise applications like chromium, etc will no longer be able to record. [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes $ exit # out of snap run --shell For strict snaps with pulseaudio: $ sudo snap install test-snapd-pulseaudio --edge $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 $ sudo snap install test-snapd-audio-record --edge $ snap connections test-snapd-audio-record # record not connected Interface Plug Slot Notes audio-playback test-snapd-audio-record:audio-playback :audio-playback - audio-record test-snapd-audio-record:audio-record - - $ test-snapd-audio-record.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio-record/common/ $ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-audio-record.record /tmp/out.wav # should fail ... Stream error: Access denied $ sudo snap connect test-snapd-audio-record:audio-record $ test-snapd-audio-record.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-audio-record.play /tmp/out.wav && echo yes ... yes [Regression Potential] The regression potential consists of pulseaudio playback and record functionality no longer working for snaps and non-snaps. This is easily tested via the test cases. Furthermore, the patches have seen 5 months real world testing since Ubuntu 19.04's release. Note that the patches for 18.04 and 16.04 include the fixes to 19.04 for classic snaps (and the above test cases verify the correct behavior). # Original summary: pulseaudio built with --enable-snappy but 'Enable Snappy support: no' # Original description From https://launchpadlibrarian.net/377100864/buildlog_ubuntu-cosmic-amd64.pulseaudio_1%3A12.0-1ubuntu1_BUILDING.txt.gz: ... dh_auto_configure -- --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf  ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf ...     Enable Ubuntu trust store: no     Enable Snappy support: no     Enable Apparmor: yes At this point, the patch should probably be dropped, otherwise applications like chromium, etc will no longer be able to record.
2019-11-25 22:43:56 Jamie Strandboge tags patch verification-done-bionic verification-needed verification-needed-xenial patch verification-done verification-done-bionic verification-done-xenial
2019-12-11 01:46:56 Chris Halse Rogers removed subscriber Ubuntu Stable Release Updates Team
2019-12-11 01:48:01 Launchpad Janitor pulseaudio (Ubuntu Xenial): status Fix Committed Fix Released
2019-12-11 01:48:15 Launchpad Janitor pulseaudio (Ubuntu Bionic): status Fix Committed Fix Released
2019-12-12 14:40:38 Łukasz Zemczak tags patch verification-done verification-done-bionic verification-done-xenial patch verification-failed verification-failed-bionic verification-failed-xenial
2019-12-12 14:56:46 Sebastien Bacher pulseaudio (Ubuntu Xenial): status Fix Released Fix Committed
2019-12-12 14:56:48 Sebastien Bacher pulseaudio (Ubuntu Bionic): status Fix Released Fix Committed
2020-01-23 17:50:21 Manfred Hampl bug added subscriber Manfred Hampl
2020-04-10 21:54:54 Mathew Hodson bug added subscriber Mathew Hodson
2020-04-17 19:45:03 Jamie Strandboge description [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes $ exit # out of snap run --shell For strict snaps with pulseaudio: $ sudo snap install test-snapd-pulseaudio --edge $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 $ sudo snap install test-snapd-audio-record --edge $ snap connections test-snapd-audio-record # record not connected Interface Plug Slot Notes audio-playback test-snapd-audio-record:audio-playback :audio-playback - audio-record test-snapd-audio-record:audio-record - - $ test-snapd-audio-record.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio-record/common/ $ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-audio-record.record /tmp/out.wav # should fail ... Stream error: Access denied $ sudo snap connect test-snapd-audio-record:audio-record $ test-snapd-audio-record.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-audio-record.play /tmp/out.wav && echo yes ... yes [Regression Potential] The regression potential consists of pulseaudio playback and record functionality no longer working for snaps and non-snaps. This is easily tested via the test cases. Furthermore, the patches have seen 5 months real world testing since Ubuntu 19.04's release. Note that the patches for 18.04 and 16.04 include the fixes to 19.04 for classic snaps (and the above test cases verify the correct behavior). # Original summary: pulseaudio built with --enable-snappy but 'Enable Snappy support: no' # Original description From https://launchpadlibrarian.net/377100864/buildlog_ubuntu-cosmic-amd64.pulseaudio_1%3A12.0-1ubuntu1_BUILDING.txt.gz: ... dh_auto_configure -- --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf  ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf ...     Enable Ubuntu trust store: no     Enable Snappy support: no     Enable Apparmor: yes At this point, the patch should probably be dropped, otherwise applications like chromium, etc will no longer be able to record. [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes $ exit # out of snap run --shell For strict snaps with pulseaudio: $ sudo snap install test-snapd-pulseaudio --edge $ sudo snap connect test-snapd-pulseaudio:pulseaudio $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connected which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 $ sudo snap install test-snapd-audio-record --edge $ snap connections test-snapd-audio-record # record not connected Interface Plug Slot Notes audio-playback test-snapd-audio-record:audio-playback :audio-playback - audio-record test-snapd-audio-record:audio-record - - $ test-snapd-audio-record.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio-record/common/ $ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-audio-record.record /tmp/out.wav # should fail ... Stream error: Access denied $ sudo snap connect test-snapd-audio-record:audio-record $ test-snapd-audio-record.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-audio-record.play /tmp/out.wav && echo yes ... yes [Regression Potential] The regression potential consists of pulseaudio playback and record functionality no longer working for snaps and non-snaps. This is easily tested via the test cases. Furthermore, the patches have seen 5 months real world testing since Ubuntu 19.04's release. Note that the patches for 18.04 and 16.04 include the fixes to 19.04 for classic snaps (and the above test cases verify the correct behavior). # Original summary: pulseaudio built with --enable-snappy but 'Enable Snappy support: no' # Original description From https://launchpadlibrarian.net/377100864/buildlog_ubuntu-cosmic-amd64.pulseaudio_1%3A12.0-1ubuntu1_BUILDING.txt.gz: ... dh_auto_configure -- --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf  ./configure --build=x86_64-linux-gnu --prefix=/usr --includedir=\${prefix}/include --mandir=\${prefix}/share/man --infodir=\${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-silent-rules --libdir=\${prefix}/lib/x86_64-linux-gnu --libexecdir=\${prefix}/lib/x86_64-linux-gnu --disable-maintainer-mode --disable-dependency-tracking --enable-x11 --disable-hal-compat --libdir=\${prefix}/lib/x86_64-linux-gnu --with-module-dir=\${prefix}/lib/pulse-12.0/modules --with-zsh-completion-dir=\${datadir}/zsh/vendor-completions --with-bash-completion-dir=\${datadir}/bash-completion/completions --with-systemduserunitdir=\${prefix}/lib/systemd/user --enable-snappy --disable-bluez4 --enable-gsettings --disable-gconf ...     Enable Ubuntu trust store: no     Enable Snappy support: no     Enable Apparmor: yes At this point, the patch should probably be dropped, otherwise applications like chromium, etc will no longer be able to record.
2020-04-17 20:17:24 Jamie Strandboge tags patch verification-failed verification-failed-bionic verification-failed-xenial patch verification-done-xenial verification-failed verification-failed-bionic
2020-04-17 20:18:25 Jamie Strandboge tags patch verification-done-xenial verification-failed verification-failed-bionic patch verification-done-bionic verification-done-xenial
2020-04-17 20:20:05 Jamie Strandboge tags patch verification-done-bionic verification-done-xenial patch verification-done verification-done-bionic verification-done-xenial
2020-04-17 22:54:15 Mathew Hodson removed subscriber Mathew Hodson
2020-04-20 22:11:21 Mathew Hodson bug watch removed https://bugs.freedesktop.org/show_bug.cgi?id=95135
2020-04-21 09:25:53 Launchpad Janitor pulseaudio (Ubuntu Bionic): status Fix Committed Fix Released
2020-04-21 09:26:56 Launchpad Janitor pulseaudio (Ubuntu Xenial): status Fix Committed Fix Released
2020-04-21 18:25:10 Mathew Hodson pulseaudio (Ubuntu): importance Undecided High