snap policy module can be unloaded, circumventing audio recording restrictions for snaps

Attached is a snapcraft.yaml file that can be used to build an exploit snap. With it built and installed, we can see that recording is initially blocked:

    $ record-exploit.parecord /tmp/foo.wav
    Stream error: Access denied

But if we disable the security policy first, we can record:

    $ record-exploit.disable-security
    $ record-exploit.parecord /tmp/foo.wav
    ^C

The snap also exposes a "record-exploit.pactl" command to help demonstrate what is possible from within confinement.

Attached is a proposed fix for the vulnerability (at least the focal version). It connects to more hooks to prevent snaps from:
 * requesting the daemon quit
 * listing modules
 * loading modules
 * unloading modules
 * kill clients

It also updates some deprecated libsnapd-glib API usage. With this version installed, the "record-exploit.disable-security" command will fail. Other commands that will fail include:

    record-exploit.pactl list modules
    record-exploit.pactl load-module whatever
    record-exploit.pactl unload-module 1
    record-exploit.pactl exit

(there is no pactl command to test killing clients).

Thanks James! I've assigned this to myself for sponsoring through the -security pocket and issuing a USN. After the USN is issued, are you planning a groovy update?

FYI, we need a no change rebuild for snapd-glib 1.49 in xenial and bionic based on the changes to debian/control. I'll be doing that as well.

No change rebuild for -security*

Yep. The non *-updates versions in those two releases are not sufficient for the snap policy module to function correctly. IIRC, versions before 2.40 or 2.41 did not properly reconnect if snapd restarted while PulseAudio was running.

FYI, after local testing, I uploaded focal debdiff as is and backports for xenial-eoan to the security ppa. Once built, I'll retest and issue the USN.

This bug was fixed in the package pulseaudio - 1:13.99.1-1ubuntu3.2

---------------
pulseaudio (1:13.99.1-1ubuntu3.2) focal-security; urgency=medium

  * SECURITY UPDATE: stop snaps from loading and unloading modules, to
    prevent bypass of audio recording restriction (LP: #1877102)
    - d/p/0407-access-Add-access-control-hooks.patch: make sure access
      hook IDs are non-zero.
    - d/p/0700-modules-add-snappy-policy-module.patch: Prevent snaps from
      controlling modules, terminating the daemon, or disconnecting clients.
    - CVE-2020-11931

 -- James Henstridge <email address hidden> Wed, 29 Apr 2020 18:44:47 +0800

This bug was fixed in the package pulseaudio - 1:13.0-1ubuntu1.2

---------------
pulseaudio (1:13.0-1ubuntu1.2) eoan-security; urgency=medium

  * SECURITY UPDATE: stop snaps from loading and unloading modules, to
    prevent bypass of audio recording restriction (LP: #1877102). Patch thanks
    to James Henstridge
    - d/p/0407-access-Add-access-control-hooks.patch: make sure access
      hook IDs are non-zero.
    - d/p/0700-modules-add-snappy-policy-module.patch: Prevent snaps from
      controlling modules, terminating the daemon, or disconnecting clients.
    - CVE-2020-11931
  * debian/control: Build-Depends on libsnapd-glib-dev (>= 1.49)

 -- Jamie Strandboge <email address hidden> Wed, 06 May 2020 21:33:27 +0000

This bug was fixed in the package pulseaudio - 1:8.0-0ubuntu3.12

---------------
pulseaudio (1:8.0-0ubuntu3.12) xenial-security; urgency=medium

  * SECURITY UPDATE: stop snaps from loading and unloading modules, to
    prevent bypass of audio recording restriction (LP: #1877102). Patch thanks
    to James Henstridge
    - d/p/0407-access-Add-access-control-hooks.patch: make sure access
      hook IDs are non-zero.
    - d/p/0450-modules-add-snappy-policy-module.patch: Prevent snaps from
      controlling modules, terminating the daemon, or disconnecting clients.
    - CVE-2020-11931
  * debian/control: Build-Depends on libsnapd-glib-dev (>= 1.49)

 -- Jamie Strandboge <email address hidden> Thu, 07 May 2020 20:43:53 +0000

This bug was fixed in the package pulseaudio - 1:11.1-1ubuntu7.7

---------------
pulseaudio (1:11.1-1ubuntu7.7) bionic-security; urgency=medium

  * SECURITY UPDATE: stop snaps from loading and unloading modules, to
    prevent bypass of audio recording restriction (LP: #1877102). Patch thanks
    to James Henstridge
    - d/p/0407-access-Add-access-control-hooks.patch: make sure access
      hook IDs are non-zero.
    - d/p/0700-modules-add-snappy-policy-module.patch: Prevent snaps from
      controlling modules, terminating the daemon, or disconnecting clients.
    - CVE-2020-11931
  * debian/control: Build-Depends on libsnapd-glib-dev (>= 1.49)

 -- Jamie Strandboge <email address hidden> Wed, 06 May 2020 22:08:56 +0000

I'll apply the focal patch to what is in groovy-proposed.

The attachment "pulseaudio_13.99.1-1ubuntu3_13.99.1-1ubuntu4.diff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

Uploaded https://launchpad.net/ubuntu/+source/pulseaudio/1:13.99.1-1ubuntu5 to groovy based on 1:13.99.1-1ubuntu4 from groovy-proposed.

This bug was fixed in the package pulseaudio - 1:13.99.1-1ubuntu6

---------------
pulseaudio (1:13.99.1-1ubuntu6) groovy; urgency=medium

  * debian/patches/git_config_upgrade.patch:
     -stream-restore: Forget pre-14.0 stream routing, old configurations are
      incompatible and create routing issues where e.g the speaker despite
      having headset selected (lp: #1866194)
  * debian/rules:
    - enable --enable-stream-restore-clear-old-devices
  * debian/rules:
    - don't let tests fail build on riscv

 -- Sebastien Bacher <email address hidden> Wed, 03 Jun 2020 17:28:51 +0200