[Desktop-packages] [Bug 1211380] Re: pulseaudio socket needs confined app restrictions
Closing trusty task

** Changed in: pulseaudio (Ubuntu Trusty)
       Status: Confirmed => Won't Fix

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1211380

Title:
  pulseaudio socket needs confined app restrictions

Status in PulseAudio sound server:
  New
Status in “apparmor” package in Ubuntu:
  Fix Released
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  Fix Released
Status in “pulseaudio” package in Ubuntu:
  Confirmed
Status in “apparmor” source package in Saucy:
  Fix Released
Status in “apparmor-easyprof-ubuntu” source package in Saucy:
  Fix Released
Status in “pulseaudio” source package in Saucy:
  Won't Fix
Status in “apparmor” source package in Trusty:
  Fix Released
Status in “apparmor-easyprof-ubuntu” source package in Trusty:
  Fix Released
Status in “pulseaudio” source package in Trusty:
  Won't Fix

Bug description:
  Confined applications need access to the pulseaudio socket. Currently
  several sockets are available to apps, and some allow performing
  dangerous operations, such as loading a module from an arbitrary path.

  It also allows them to enumerate installed applications by listing
  clients.

  The Pulseaudio daemon should verify if an application is confined, and
  if so, restrict access to certain commands. If module loading cannot
  be disabled for confined applications, perhaps it could be modified to
  only load modules from trusted system locations.

To manage notifications about this bug go to:
https://bugs.launchpad.net/pulseaudio/+bug/1211380/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1211380] Re: pulseaudio socket needs confined app restrictions
** Description changed: - Confined applications need access to the pulseaudio socket. + Confined applications need access to the pulseaudio socket. Currently + several sockets are available to apps, and some allow performing + dangerous operations, such as loading a module from an arbitrary path. - Unfortunately, this allows them to perform dangerous operations, such as load a module from an arbitrary path. - It also allows them to enumerate installed applications by listing clients. + It also allows them to enumerate installed applications by listing + clients. The Pulseaudio daemon should verify if an application is confined, and if so, restrict access to certain commands. If module loading cannot be disabled for confined applications, perhaps it could be modified to only load modules from trusted system locations.
[Desktop-packages] [Bug 1211380] Re: pulseaudio socket needs confined app restrictions
** Changed in: apparmor (Ubuntu T-series)
       Status: Confirmed => Fix Released

** Changed in: apparmor-easyprof-ubuntu (Ubuntu T-series)
       Status: Confirmed => Fix Released
[Desktop-packages] [Bug 1211380] Re: pulseaudio socket needs confined app restrictions
** Branch linked: lp:ubuntu/apparmor
[Desktop-packages] [Bug 1211380] Re: pulseaudio socket needs confined app restrictions
This bug was fixed in the package apparmor - 2.8.0-0ubuntu30

---
apparmor (2.8.0-0ubuntu30) saucy; urgency=low

  [ Tyler Hicks ]
  * debian/patches/0059-dbus-rules-for-dbus-abstractions.patch: Add an
    abstraction for the accessibility bus. It is currently very permissive,
    like the dbus and dbus-session abstractions, and grants all permissions
    on the accessibility bus. (LP: #1226141)
  * debian/patches/0071-lp1226356.patch: Fix issues in parsing D-Bus and
    mount rules. Both rule classes suffered from unexpected auditing
    behavior when using the 'deny' and 'audit deny' rule modifiers. The
    'deny' modifier resulting in accesses being audited and the 'audit deny'
    modifier resulting in accesses not being audited. (LP: #1226356)
  * debian/patches/0072-lp1229393.patch: Fix cache location for .features
    file, which was not being written to the proper location if the
    parameter --cache-loc= is passed to apparmor_parser. This bug resulted
    in using the .features file from /etc/apparmor.d/cache or always
    recompiling policy. Patch thanks to John Johansen. (LP: #1229393)
  * debian/patches/0073-lp1208988.patch: Update AppArmor file rules of UNIX
    domain sockets to include read and write permissions. Both permissions
    are required when a process connects to a UNIX domain socket. Also
    include new tests for mediation of UNIX domain sockets. Thanks to Jamie
    Strandboge for helping with the policy updates and testing.
    (LP: #1208988)
  * debian/patches/0075-lp1211380.patch: Adjust the audio abstraction to
    only grant access to specific pulseaudio files in the pulse runtime
    directory to remove access to potentially dangerous files
    (LP: #1211380)

  [ Jamie Strandboge ]
  * debian/patches/0074-lp1228882.patch: typo in
    ubuntu-browsers.d/multimedia (LP: #1228882)
  * 0076_sanitized_helper_dbus_access.patch: allow applications run under
    sanitized_helper to connect to DBus

 -- Tyler Hicks  Fri, 04 Oct 2013 17:29:52 -0700

** Changed in: apparmor (Ubuntu Saucy)
       Status: Confirmed => Fix Released
[Desktop-packages] [Bug 1211380] Re: pulseaudio socket needs confined app restrictions
** Branch linked: lp:ubuntu/saucy-proposed/apparmor
[Desktop-packages] [Bug 1211380] Re: pulseaudio socket needs confined app restrictions
Adding a task for AppArmor, as the generic audio abstraction grants access to the cli socket and should be locked down to only grant access to the pid and native files.

** Also affects: apparmor (Ubuntu)
   Importance: Undecided
       Status: New

** Changed in: apparmor (Ubuntu Saucy)
   Importance: Undecided => Medium

** Changed in: apparmor (Ubuntu Saucy)
       Status: New => Confirmed

** Changed in: apparmor (Ubuntu Saucy)
     Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Changed in: apparmor (Ubuntu T-series)
   Importance: Undecided => Medium

** Changed in: apparmor (Ubuntu T-series)
       Status: New => Confirmed
[Desktop-packages] [Bug 1211380] Re: pulseaudio socket needs confined app restrictions
** Also affects: pulseaudio (Ubuntu T-series)
   Importance: Undecided
       Status: New

** Also affects: apparmor-easyprof-ubuntu (Ubuntu T-series)
   Importance: Undecided
       Status: New

** Changed in: pulseaudio (Ubuntu Saucy)
   Importance: Critical => Undecided

** Changed in: pulseaudio (Ubuntu T-series)
   Importance: Undecided => Medium

** Changed in: pulseaudio (Ubuntu)
   Importance: Critical => Medium

** Changed in: pulseaudio (Ubuntu T-series)
       Status: New => Confirmed

** Changed in: pulseaudio (Ubuntu)
    Milestone: ubuntu-13.10 => None

** Changed in: apparmor-easyprof-ubuntu (Ubuntu T-series)
       Status: New => Confirmed
[Desktop-packages] [Bug 1211380] Re: pulseaudio socket needs confined app restrictions
In email correspondence, David said that we should disable access to the cli and dbus-sockets and only allow access to native. This has been added to policy. With a pending kernel patch, those avenues will be fixed. David also said that with the native socket apps can load pulse system modules. That is sufficient for 13.10, but will likely want to add security hooks to pulse going forward. I'll mark the saucy task as "Won't Fix" for now. We can define work items for mediating module load down the line.

** Also affects: apparmor-easyprof-ubuntu (Ubuntu)
   Importance: Undecided
       Status: New
[Desktop-packages] [Bug 1211380] Re: pulseaudio socket needs confined app restrictions
apparmor-easyprof-ubuntu has the correct pulse socket accesses in 1.0.32.

** Changed in: apparmor-easyprof-ubuntu (Ubuntu Saucy)
   Importance: Undecided => Critical

** Changed in: apparmor-easyprof-ubuntu (Ubuntu Saucy)
       Status: New => Fix Released

** Changed in: apparmor-easyprof-ubuntu (Ubuntu Saucy)
     Assignee: (unassigned) => Jamie Strandboge (jdstrand)

** Changed in: pulseaudio (Ubuntu Saucy)
       Status: Confirmed => Won't Fix

** Changed in: pulseaudio (Ubuntu Saucy)
    Milestone: ubuntu-13.10 => None
[Desktop-packages] [Bug 1211380] Re: pulseaudio socket needs confined app restrictions
** Branch linked: lp:ubuntu/saucy-proposed/apparmor-easyprof-ubuntu
[Desktop-packages] [Bug 1211380] Re: pulseaudio socket needs confined app restrictions
I just noticed your question. David, there is both a libapparmor API and a DBus API. See man aa_getcon for details.
[Desktop-packages] [Bug 1211380] Re: pulseaudio socket needs confined app restrictions
** Also affects: pulseaudio
   Importance: Undecided
       Status: New
[Desktop-packages] [Bug 1211380] Re: pulseaudio socket needs confined app restrictions
Okay, how does PulseAudio determine if a client is confined or not?
[Desktop-packages] [Bug 1211380] Re: pulseaudio socket needs confined app restrictions
** Also affects: pulseaudio (Ubuntu Saucy)
   Importance: Undecided
       Status: New

** Changed in: pulseaudio (Ubuntu Saucy)
   Importance: Undecided => Critical

** Changed in: pulseaudio (Ubuntu Saucy)
       Status: New => Confirmed

** Changed in: pulseaudio (Ubuntu Saucy)
    Milestone: None => ubuntu-13.10