Feature #12325

Create PulseAudio AppArmor profile

Added by cypherpunks 2017-03-13 01:54:51. Updated 2019-03-18 15:36:03.

Status:
Confirmed
Priority:
Low
Assignee:
Category:
Target version:
Start date:
2017-03-13
Due date:
% Done:

20%

Feature Branch:
Type of work:
Debian
Blueprint:

Starter:
0
Affected tool:
Deliverable for:

Description

From what I’m being told, PulseAudio provides an API which allows clients to tell the daemon to execute arbitrary commands on its behalf. This effectively bypasses all AppArmor profiles which give access to PulseAudio, such as Firefox, Totem, etc. The confined programs can escape their sandboxes by asking PulseAudio to execute whatever commands they want. The solution is to provide the daemon with its own AppArmor profile[1].

There is also a program in development to attempt to mitigate this issue through IPC filtering, called flatpak[2].

[1] https://github.com/subgraph/subgraph-os-apparmor-profiles/blob/master/profiles/usr.bin.pulseaudio
[2] https://github.com/flatpak/flatpak/
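The description above boils down to one check a practitioner will want to run: is /usr/bin/pulseaudio itself confined and in enforce mode, and does its profile avoid exec transitions to unconfined (ux/Ux/pux/Pux), which would hand a confined client the same escape through the daemon? The script below is an added example written for this ticket; it is not code from Tails, from Subgraph, or from the upstream apparmor-profiles repository linked above. It parses the kernel's loaded-profile list (the "name (mode)" lines of /sys/kernel/security/apparmor/profiles) and greps a profile body for unconfined exec rules. The profile list and profile text embedded below are constructed sample data for the demonstration (the "Ux" rule is a deliberately bad example, not a rule from the upstream profile), and the on-disk path /etc/apparmor.d/usr.bin.pulseaudio is assumed from the upstream profile's filename.

```shell
#!/bin/sh
# Added example: check whether PulseAudio is confined by AppArmor and whether
# its profile grants unconfined exec transitions. Sample inputs are constructed.

# pa_mode <profile-list-text>
# Prints the mode (enforce/complain) of the /usr/bin/pulseaudio profile from
# text in the format of /sys/kernel/security/apparmor/profiles, or
# "unconfined" when no such profile is loaded.
pa_mode() {
    printf '%s\n' "$1" | awk '
        $1 == "/usr/bin/pulseaudio" { gsub(/[()]/, "", $2); print $2; found = 1 }
        END { if (!found) print "unconfined" }'
}

# count_unconfined_exec <profile-text>
# Counts non-comment rules whose permission string ends in ux/Ux (optionally
# prefixed with p/P, or combined with r etc., e.g. "rux,"). Such rules run the
# target without any profile, which is exactly what a confined client must not
# be able to trigger through the daemon.
count_unconfined_exec() {
    printf '%s\n' "$1" \
        | grep -Ev '^[[:space:]]*#' \
        | { grep -E '[[:space:]][a-zA-Z]*[uU]x,' || true; } \
        | wc -l | tr -d ' '
}

# audit_live: run both checks against the real system when the files exist.
# The profile path is an assumption based on the upstream filename.
audit_live() {
    if [ ! -r /sys/kernel/security/apparmor/profiles ]; then
        echo "live: AppArmor profile list not readable, skipping"
        return 0
    fi
    echo "live: pulseaudio mode: $(pa_mode "$(cat /sys/kernel/security/apparmor/profiles)")"
    if [ -r /etc/apparmor.d/usr.bin.pulseaudio ]; then
        echo "live: unconfined exec rules: $(count_unconfined_exec "$(cat /etc/apparmor.d/usr.bin.pulseaudio)")"
    fi
}

# Constructed sample of the kernel's loaded-profile list.
SAMPLE_PROFILES='/usr/bin/evince (enforce)
/usr/lib/firefox/firefox (complain)
/usr/bin/pulseaudio (enforce)'

# Constructed sample profile body; the Ux rule is deliberately bad.
SAMPLE_PROFILE='#include <tunables/global>
/usr/bin/pulseaudio {
  #include <abstractions/base>
  /usr/bin/pulseaudio mr,
  /etc/pulse/** r,
  owner @{HOME}/.config/pulse/** rw,
  # bad: lets the daemon run anything a client names, unconfined
  /usr/bin/** Ux,
}'

echo "sample: pulseaudio mode: $(pa_mode "$SAMPLE_PROFILES")"
echo "sample: unconfined exec rules: $(count_unconfined_exec "$SAMPLE_PROFILE")"
audit_live
```

On a Tails or Debian system the live check is the interesting part: "unconfined" means the profile from this ticket is not loaded and every client profile that grants PulseAudio access can be escaped as the description explains; "complain" means it is loaded but not enforced.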


History

#1 Updated by intrigeri 2017-03-13 07:04:06

Upstream lives there: https://git.launchpad.net/apparmor-profiles/

#2 Updated by Anonymous 2017-03-13 17:49:26

intrigeri wrote:
> Upstream lives there: https://git.launchpad.net/apparmor-profiles/

Upstream actually does have a pulseaudio AppArmor profile available: https://git.launchpad.net/apparmor-profiles/tree/ubuntu/17.04/usr.bin.pulseaudio

The upstream profile is very different from Subgraph’s, so eventually it might be handy to ask Subgraph people to contribute their modifications upstream if they think that’s useful.

Currently the pulseaudio profile does not seem to be in Debian, or at least I did not see it.

IMO the right way to get it into Debian would be to ask the Pulseaudio maintainers (contact can be found here: https://tracker.debian.org/pkg/pulseaudio) to add this profile to the Debian package. That could be done by pointing them to this documentation: https://wiki.debian.org/AppArmor/Contribute/FirstTimeProfileImport

#3 Updated by intrigeri 2017-03-13 18:06:33

> IMO the right way to get it into Debian would be to ask the Pulseaudio maintainers to add this profile to the Debian package.

Agreed (obviously)! FWIW I’ve been running this profile on my own system for a while, but I’m using very few of the PulseAudio features, so I can’t guarantee that it’s good enough for Debian; e.g. I don’t think Ubuntu includes it. In the last 2-3 years, the only maintainers of this profile upstream have been Simon Deziel and I. So I would suggest asking Simon if he thinks this profile is mature enough to be enforced by default in mainstream distros.

#4 Updated by Anonymous 2017-03-14 08:49:46

  • Assignee deleted (None)

I’ll try to look into it, ask Simon and create a Debian bug for Pulseaudio with information.

#5 Updated by intrigeri 2017-03-14 09:19:49

> I’ll try to look into it, ask Simon and create a Debian bug for Pulseaudio with information.

Woohoo! \o/

Don’t hesitate to use this profile yourself too :)

#6 Updated by Anonymous 2017-03-14 15:25:14

I’ve asked Simon and he thinks the profile is fine. So I’ll take care of the next steps on the Debian side.

#7 Updated by Anonymous 2017-03-15 13:27:36

I created a bug upstream: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857798
Will try to prepare a patch too.

#8 Updated by Anonymous 2017-03-15 14:26:52

Submitted a patch too.

#9 Updated by Anonymous 2017-03-15 14:44:39

intrigeri wrote:
> > I’ll try to look into it, ask Simon and create a Debian bug for Pulseaudio with information.
>
> Woohoo! \o/
>
> Don’t hesitate using this profile yourself too :)

Yep, I do now.

#10 Updated by Anonymous 2017-03-18 11:31:27

  • Status changed from New to Confirmed
  • Priority changed from Elevated to Low
  • % Done changed from 0 to 20

Downgrading priority. We now have to wait for this to be included in Debian and then we’ll automatically get it in Tails.

#11 Updated by cypherpunks 2017-05-13 03:17:30

u wrote:
> I created a bug upstream: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857798
> Will try to prepare a patch too.

> Would you care to ask upstream if they’d like to include it?

So they’re currently waiting on a ticket to be opened at https://bugs.launchpad.net/ubuntu/+source/pulseaudio or wherever their official upstream is (I didn’t look particularly hard). Given the severity of this issue, I think it’d be a good idea to look into it again. I don’t have time to deal with upstream pulseaudio myself.

#12 Updated by Anonymous 2017-12-04 14:21:04

Current situation is that the Debian maintainer has asked upstream if they’d like to ship the profile and they said yes. They are waiting for somebody to send them a patch.

#13 Updated by Anonymous 2018-01-16 09:40:04

u wrote:
> Current situation is that the Debian maintainer has asked upstream if they’d like to ship the profile and they said yes. They are waiting for somebody to send them a patch.

somebody = me.

#14 Updated by Anonymous 2019-03-18 15:36:03

  • Assignee deleted ()
  • Type of work changed from Code to Debian

Would be nice to have but I want to focus on other things currently.