tags + patch Hi,
>> I'll try to prepare a patch to make it easier for you to integrate it. > > That would be great. Please find a patch attached. The will simply to copy the file to /etc/apparmor.d/ and only if the user has AppArmor installed and enabled, this will then confine the pulseaudio executable. Furthremore, dh_apparmor should create an empty file /etc/apparmor.d/local/usr.bin.pulseaudio which can be used for local overrides. FYI I've not tried to build the package with this modification. Let me know if it works out :) Cheers! ulrike
diff --git a/apparmor/usr.bin.pulseaudio b/apparmor/usr.bin.pulseaudio new file mode 100644 index 0000000..23113ac --- /dev/null +++ b/apparmor/usr.bin.pulseaudio @@ -0,0 +1,117 @@ +# Origin: https://git.launchpad.net/apparmor-profiles/tree/ubuntu/17.04/usr.bin.pulseaudio +# Last commit: b0d658f9caba715e54b6efd41e298fd9d4511bd9 +#include <tunables/global> + +/usr/bin/pulseaudio { + #include <abstractions/base> + #include <abstractions/audio> + #include <abstractions/dbus-session> + #include <abstractions/dbus-strict> + #include <abstractions/nameservice> + #include <abstractions/X> + + dbus send + bus=system + path=/org/freedesktop/RealtimeKit1 + interface=org.freedesktop.RealtimeKit1 + member={MakeThreadRealtime,MakeThreadHighPriority} + peer=(name=org.freedesktop.RealtimeKit1), + + dbus send + bus=system + path=/org/freedesktop/RealtimeKit1 + interface=org.freedesktop.DBus.Properties + member=Get, + + unix (connect, receive, send) type=stream peer=(addr="@/tmp/.ICE-unix/[0-9]*"), + ptrace (read,trace) peer=@{profile_name}, + + /usr/bin/pulseaudio mixr, + + /etc/pulse/ r, + /etc/pulse/* r, + /etc/udev/udev.conf r, + /etc/timidity/.pulse_cookie w, + + owner @{HOME}/.esd_auth rwk, + owner @{HOME}/.pulse-cookie rwk, + owner @{HOME}/.config/pulse/cookie rwk, + owner @{HOME}/{.config/pulse,.pulse}/ rw, + owner @{HOME}/{.config/pulse,.pulse}/* rw, + + owner /run/pulse/ rw, + owner /run/pulse/.pulse-cookie rwk, + owner /run/pulse/dbus-socket rwk, + owner /run/pulse/native rwk, + owner /run/pulse/pid rwk, + owner /run/user/[0-9]*/pulse/ rw, + owner /run/user/[0-9]*/pulse/* rwk, + /run/udev/data/+sound:card* r, + /run/udev/data/c116:[0-9]* r, + /run/udev/data/c14:[0-9]* r, + + # logind + /run/systemd/users/[0-9]* r, + /run/user/[0-9]*/dconf/user k, + + /sys/bus/ r, + /sys/class/ r, + /sys/class/sound/ r, + /sys/devices/pci[0-9]*/**/*class r, + /sys/devices/pci[0-9]*/**/uevent r, + /sys/devices/system/cpu/ r, + /sys/devices/system/cpu/online r, + /sys/devices/virtual/dmi/id/bios_vendor r, + /sys/devices/virtual/dmi/id/board_vendor r, + /sys/devices/virtual/dmi/id/sys_vendor r, + /sys/devices/virtual/sound/**/uevent r, + + /usr/share/alsa/** r, + /usr/share/applications/ r, + /usr/share/applications/* r, + /usr/share/pulseaudio/** r, + /usr/lib/pulse-[1-9]*.[0-9]/modules/*.so mr, + /usr/lib/pulseaudio/pulse/gconf-helper Cx, + + owner /var/lib/gdm3/.config/pulse/ rw, + owner /var/lib/gdm3/.config/pulse/* rw, + owner /var/lib/gdm3/.config/pulse/cookie rwk, + + owner /var/lib/lightdm/.Xauthority r, + owner /var/lib/lightdm/.esd_auth rwk, + owner /var/lib/lightdm/.config/pulse/cookie rwk, + owner /var/lib/lightdm/.config/pulse/ rw, + owner /var/lib/lightdm/.config/pulse/* rw, + + # are these needed? + /var/lib/pulse/ rw, + /var/lib/pulse/*-default-sink rw, + /var/lib/pulse/*-default-source rw, + /var/lib/pulse/*.tdb rw, + + owner @{PROC}/@{pid}/fd/ r, + owner @{PROC}/@{pid}/maps r, + owner @{PROC}/@{pid}/stat r, + + owner /tmp/pulse-*/pid rwk, + owner /tmp/pulse-*/native rwk, + owner /tmp/pulse-*/autospawn.lock rwk, + owner /run/user/*/pulse/autospawn.lock rwk, + + owner /tmp/orcexec.* mrw, + owner /{,var/}run/user/[0-9]*/orcexec.* mrw, + # needed if /tmp is mounted noexec: + owner @{HOME}/orcexec.* mrw, + + owner /tmp/.esd-@{pid}*/ rw, + owner /tmp/.esd-@{pid}*/socket rw, + + profile /usr/lib/pulseaudio/pulse/gconf-helper { + #include <abstractions/base> + + /usr/lib/pulseaudio/pulse/gconf-helper mr, + } + + # Site-specific additions and overrides. See local/README for details. + #include <local/usr.bin.pulseaudio> +} diff --git a/debian/rules b/debian/rules index a16fea9..350fd5a 100755 --- a/debian/rules +++ b/debian/rules @@ -60,6 +60,9 @@ override_dh_shlibdeps: override_dh_install: dh_install --fail-missing + # install apparmor profile + cp debian/apparmor/usr.bin.pulseaudio debian/pulseaudio/etc/apparmor.d/usr.bin.pulseaudio + dh_apparmor --profile-name=usr.bin.pulseaudio -ppulseaudio override_dh_installdocs: dh_installdocs -A NEWS README AGPL
