Create PulseAudio AppArmor profile
From what I’m being told, PulseAudio provides an API which allows clients to tell the daemon to execute arbitrary commands on its behalf. This effectively bypasses all AppArmor profiles which give access to PulseAudio, such as Firefox, Totem, etc. The confined programs can escape their sandboxes by asking PulseAudio to execute whatever commands they want. The solution is to provide the daemon with its own AppArmor profile.
There is also a program in development to attempt to mitigate this issue through IPC filtering, called flatpak.
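Since the daemon's own profile is what ends up deciding which commands a client can get PulseAudio to run, a reviewer of such a profile wants a quick inventory of every rule that grants an exec mode. The script below is an added example written for this thread; it is not code from the Tails or Debian discussion, nor from the upstream usr.bin.pulseaudio profile, and both sample profiles in it are constructed for illustration. It parses only single-line AppArmor file rules (capability, network, dbus, signal and link rules are skipped) and ranks exec grants by how much confinement the executed program keeps: unconfined (`ux`/`Ux` and their fallback forms) first, profile transitions (`px`/`cx`) next, inherited confinement (`ix`) last, with explicit `deny` rules reported as blocked.

```python
"""Audit an AppArmor profile for execute permissions (added example)."""
import re
from dataclasses import dataclass

# A file-rule permission string containing an execute mode: optional r/w/m/k/l
# letters around one of x, ix, px, Px, cx, Cx, ux, Ux or a fallback form such
# as pux/PUx/cix. Deny rules may use a bare "x".
EXEC_PERMS_RE = re.compile(r"^[rwmkl]*(?:[iPpCcUu]*x)[rwmkl]*$")
QUALIFIERS = {"audit", "deny", "owner"}


@dataclass
class ExecRule:
    line_no: int
    path: str
    perms: str
    denied: bool

    @property
    def severity(self) -> str:
        """Rank by how much confinement the executed program keeps."""
        if self.denied:
            return "ok"        # explicit deny: exec blocked (deny wins over allow)
        mode = self.perms.lower()
        if "u" in mode:
            return "high"      # ux/Ux or a *ux fallback: target runs unconfined
        if "p" in mode or "c" in mode:
            return "medium"    # transition to another profile: review that one too
        return "low"           # ix: target inherits this profile


def _strip_comment(line: str) -> str:
    # "#include" is a directive, not a comment; anything else after "#" is one.
    stripped = line.strip()
    if stripped.startswith(("#include", "include")):
        return ""
    return stripped.split("#", 1)[0].strip()


def parse_exec_rules(profile_text: str) -> list:
    """Return every file rule whose permissions include an exec mode."""
    found = []
    for line_no, raw in enumerate(profile_text.splitlines(), start=1):
        line = _strip_comment(raw)
        # Skip blank lines, profile/hat headers, closing braces and multi-line rules.
        if not line or line.endswith("{") or line == "}" or not line.endswith(","):
            continue
        tokens = line[:-1].split()
        quals = set()
        while tokens and tokens[0] in QUALIFIERS:
            quals.add(tokens.pop(0))
        # File rules are exactly "<path> <perms>"; other rule kinds have other shapes.
        if len(tokens) != 2 or not tokens[0].startswith(("/", "@{", '"')):
            continue
        path, perms = tokens
        if EXEC_PERMS_RE.match(perms):
            found.append(ExecRule(line_no, path, perms, "deny" in quals))
    return found


def audit(profile_text: str) -> dict:
    """Group exec rules by severity; 'high' entries are the ones to fix first."""
    summary = {"high": [], "medium": [], "low": [], "ok": []}
    for rule in parse_exec_rules(profile_text):
        summary[rule.severity].append(f"line {rule.line_no}: {rule.path} {rule.perms}")
    return summary


# Constructed sample profile skeleton (not the upstream profile); the exec rule is swapped in below.
_TEMPLATE = """\
#include <tunables/global>
/usr/bin/pulseaudio {
  #include <abstractions/base>
  #include <abstractions/audio>
  capability sys_nice,
  network inet stream,
  /usr/bin/pulseaudio mr,
  /dev/snd/* rw,
  owner @{HOME}/.config/pulse/** rwk,
  @@EXEC_RULE@@
  /usr/lib/pulse-*/modules/*.so mr,
}
"""
# Weak variant: the daemon may spawn a helper unconfined, so a client that can
# make the daemon run a command is no longer contained by its own profile.
WEAK_PROFILE = _TEMPLATE.replace("@@EXEC_RULE@@", "/usr/bin/pactl Ux,  # helper runs unconfined")
# Hardened variant: no exec grant at all, and an audited deny to log attempts.
HARDENED_PROFILE = _TEMPLATE.replace("@@EXEC_RULE@@", "audit deny /** x,  # log and block any exec")

if __name__ == "__main__":
    for name, text in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit(text))
```

Run it against a real profile with `audit(open("/etc/apparmor.d/usr.bin.pulseaudio").read())`; anything in the `high` bucket is the first thing to question when deciding whether a daemon profile is mature enough to enforce.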
#2 Updated by Anonymous 2017-03-13 17:49:26
> Upstream lives there: https://git.launchpad.net/apparmor-profiles/
Upstream actually does have a pulseaudio AppArmor profile available: https://git.launchpad.net/apparmor-profiles/tree/ubuntu/17.04/usr.bin.pulseaudio
The upstream profile is very different from Subgraph’s, so eventually it might be handy to ask Subgraph people to contribute their modifications upstream if they think that’s useful.
Currently the pulseaudio profile does not seem to be in Debian, or at least I did not see it.
IMO the right way to get it into Debian would be to ask the Pulseaudio maintainers (contact can be found here: https://tracker.debian.org/pkg/pulseaudio) to add this profile to the Debian package. That could be done by pointing them to this documentation: https://wiki.debian.org/AppArmor/Contribute/FirstTimeProfileImport
#3 Updated by intrigeri 2017-03-13 18:06:33
> IMO the right way to get it into Debian would be to ask the Pulseaudio maintainers to add this profile to the Debian package.
Agreed (obviously)! FWIW I’ve been running this profile on my own system for a while, but I’m using very few of the PulseAudio features, so I can’t guarantee that it’s good enough for Debian; e.g. I don’t think Ubuntu includes it. In the last 2-3 years, the only maintainers of this profile upstream have been Simon Deziel and I. So I would suggest asking Simon if he thinks this profile is mature enough to be enforced by default in mainstream distros.
#7 Updated by Anonymous 2017-03-15 13:27:36
I created a bug upstream: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857798
Will try to prepare a patch too.
#11 Updated by cypherpunks 2017-05-13 03:17:30
> I created a bug upstream: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857798
> Will try to prepare a patch too.
> Would you care to ask upstream if they’d like to include it?
So they’re currently waiting on a ticket to be opened at https://bugs.launchpad.net/ubuntu/+source/pulseaudio or wherever their official upstream is (I didn’t look particularly hard). Given the severity of this issue, I think it’d be a good idea to look into it again. I don’t have time to deal with upstream pulseaudio myself.