subject:"\[Desktop\-packages\] \[Bug 1224756\] Re\: Pulseaudio should integrate with trust\-store"

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2016-06-13 Thread Andrey Skvortsov

Hi, I see the bug is closed and bugfix is released. There was bounty for fixing 
this bug. 
Person who fixed the issue, can claim to bountysource.com to get money. The 
amount is small, but still.

https://www.bountysource.com/issues/3820281-pulseaudio-should-integrate-
with-trust-store

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in Canonical System Image:
  Fix Released
Status in pulseaudio package in Ubuntu:
  Fix Released

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user ("Foo wants to use
  the microphone. Is this ok? Yes|No"), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

  : "On the phone, if
  an app tries to access your ... microphone ... or video recording,
  this should be subject to permission. “Video recording” should be
  separate from “Camera” so that an app does not need two permissions
  when recording video, one for the camera and one for the microphone.
  If an app has permission to record video, it should have access to the
  microphone whenever it is recording video..."

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2015-08-31 Thread Pat McGowan

** Changed in: canonical-devices-system-image
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in Canonical System Image:
  Fix Released
Status in pulseaudio package in Ubuntu:
  Fix Released

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user ("Foo wants to use
  the microphone. Is this ok? Yes|No"), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

  : "On the phone, if
  an app tries to access your ... microphone ... or video recording,
  this should be subject to permission. “Video recording” should be
  separate from “Camera” so that an app does not need two permissions
  when recording video, one for the camera and one for the microphone.
  If an app has permission to record video, it should have access to the
  microphone whenever it is recording video..."

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2015-08-19 Thread John McAleely

** Changed in: pulseaudio (Ubuntu)
   Status: In Progress = Fix Released

** Changed in: canonical-devices-system-image
   Status: In Progress = Fix Committed

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in Canonical System Image:
  Fix Committed
Status in pulseaudio package in Ubuntu:
  Fix Released

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

  https://wiki.ubuntu.com/AccountPrivileges#Phone: On the phone, if
  an app tries to access your ... microphone ... or video recording,
  this should be subject to permission. “Video recording” should be
  separate from “Camera” so that an app does not need two permissions
  when recording video, one for the camera and one for the microphone.
  If an app has permission to record video, it should have access to the
  microphone whenever it is recording video...

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2015-08-17 Thread John McAleely

Responded to #36 on bug #1230391

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in Canonical System Image:
  In Progress
Status in pulseaudio package in Ubuntu:
  In Progress

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

  https://wiki.ubuntu.com/AccountPrivileges#Phone: On the phone, if
  an app tries to access your ... microphone ... or video recording,
  this should be subject to permission. “Video recording” should be
  separate from “Camera” so that an app does not need two permissions
  when recording video, one for the camera and one for the microphone.
  If an app has permission to record video, it should have access to the
  microphone whenever it is recording video...

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

Re: [Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2015-08-14 Thread John McAleely

certainly. is there actually any way to *do* background recording, in the
current app lifecycle?

On 14 August 2015 at 19:23, Jamie Strandboge ja...@ubuntu.com wrote:

 Should bug #1230391 be revisited now that this is landing (show a visual
 cue if background recording)?

 --
 You received this bug notification because you are subscribed to the bug
 report.
 https://bugs.launchpad.net/bugs/1224756

 Title:
   Pulseaudio should integrate with trust-store

 Status in Canonical System Image:
   In Progress
 Status in pulseaudio package in Ubuntu:
   In Progress

 Bug description:
   Currently the 'audio' policy group allows access to pulseaudio which
   allows apps to use the microphone and eavesdrop on the user.
   Pulseaudio needs to be modified to use trust-store, like location-
   service does. Integrating with trust-store means that when an app
   tries use the microphone via pulseaudio, pulseaudio will contact
   trust-store, the trust-store will prompt the user (Foo wants to use
   the microphone. Is this ok? Yes|No), optionally cache the result and
   return the result to pulseaudio. In this manner the user is given a
   contextual prompt at the time of access by the app. Using caching this
   decision can be remembered the next time. If caching is used, there
   should be a method to change the decision in settings.

   Targeting to T-Series for now, since the trust-store is not in a
   reusable form yet.

   Original description:
   David and the security team (inspired by an observation from Rick)
 discussed that when recording, pulseaudio should somehow unobtrusively show
 the user that it is recording. The easiest thing to do would be for
 pulseaudio to alert indicator-sound which would then turn its icon red
 (similar to indicator-message turning blue with new messages). Marking
 'high' because apps with access to pulseaudio can currently eavedrop on
 users. If the app is allowed to do networking (the default for apps), then
 it can ship that information off to a server somewhere.

   Note 1, the alert to indicator-sound must happen via the out of
   process pulseaudio server and not the confined app itself to be
   effective.

   Note 2, we should consider how to enforce this for foreground apps
   only. Application lifecycle should probably handle this for 13.10
   (apps are suspended if not in foreground or if the screensaver is on),
   but we don't want an app on the converged device to record in the
   background when the user isn't paying attention. Example eavesdropping
   attack: start recording only when the screensaver is on (perhaps
   inhibiting the screensaver during recording would be enough).

   https://wiki.ubuntu.com/AccountPrivileges#Phone: On the phone, if
   an app tries to access your ... microphone ... or video recording,
   this should be subject to permission. “Video recording” should be
   separate from “Camera” so that an app does not need two permissions
   when recording video, one for the camera and one for the microphone.
   If an app has permission to record video, it should have access to the
   microphone whenever it is recording video...

 To manage notifications about this bug go to:

 https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions


-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in Canonical System Image:
  In Progress
Status in pulseaudio package in Ubuntu:
  In Progress

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2015-08-14 Thread Jamie Strandboge

Both pulseaudio and the camera service processes are out-of-process from
the app and therefore not themselves governed by app lifecycle. If app
lifecycle made sure to stop recording of audio and/or video when the app
is backgrounded, then a visual cue is arguably not required (see my note
below). If recording is not stopping when the app is backgrounded, we
need to let the user know (eg, like what we do with the dialer now).
Either route is fine from a security perspective, however, allowing the
continuation of recording in the background with a visual cue might
provide more utility.

Note: I personally feel we should be giving a visual cue (even if its
temporary (consider full screen app)) when any recording is happening--
this is subject for debate and needs design input.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in Canonical System Image:
  In Progress
Status in pulseaudio package in Ubuntu:
  In Progress

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

  https://wiki.ubuntu.com/AccountPrivileges#Phone: On the phone, if
  an app tries to access your ... microphone ... or video recording,
  this should be subject to permission. “Video recording” should be
  separate from “Camera” so that an app does not need two permissions
  when recording video, one for the camera and one for the microphone.
  If an app has permission to record video, it should have access to the
  microphone whenever it is recording video...

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2015-08-14 Thread John McAleely

This is in silo 30 as I type, blocked by bug #1483752

** Changed in: canonical-devices-system-image
   Importance: High = Critical

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in Canonical System Image:
  In Progress
Status in pulseaudio package in Ubuntu:
  In Progress

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

  https://wiki.ubuntu.com/AccountPrivileges#Phone: On the phone, if
  an app tries to access your ... microphone ... or video recording,
  this should be subject to permission. “Video recording” should be
  separate from “Camera” so that an app does not need two permissions
  when recording video, one for the camera and one for the microphone.
  If an app has permission to record video, it should have access to the
  microphone whenever it is recording video...

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2015-08-14 Thread Jamie Strandboge

Should bug #1230391 be revisited now that this is landing (show a visual
cue if background recording)?

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in Canonical System Image:
  In Progress
Status in pulseaudio package in Ubuntu:
  In Progress

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

  https://wiki.ubuntu.com/AccountPrivileges#Phone: On the phone, if
  an app tries to access your ... microphone ... or video recording,
  this should be subject to permission. “Video recording” should be
  separate from “Camera” so that an app does not need two permissions
  when recording video, one for the camera and one for the microphone.
  If an app has permission to record video, it should have access to the
  microphone whenever it is recording video...

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2015-07-21 Thread John McAleely

** Changed in: canonical-devices-system-image
   Status: Confirmed = In Progress

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in Canonical System Image:
  In Progress
Status in pulseaudio package in Ubuntu:
  In Progress

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

  https://wiki.ubuntu.com/AccountPrivileges#Phone: On the phone, if
  an app tries to access your ... microphone ... or video recording,
  this should be subject to permission. “Video recording” should be
  separate from “Camera” so that an app does not need two permissions
  when recording video, one for the camera and one for the microphone.
  If an app has permission to record video, it should have access to the
  microphone whenever it is recording video...

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2015-07-15 Thread David Henningsson

** Changed in: pulseaudio (Ubuntu)
   Status: Triaged = In Progress

** Changed in: pulseaudio (Ubuntu)
 Assignee: (unassigned) = David Henningsson (diwic)

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in Canonical System Image:
  Confirmed
Status in pulseaudio package in Ubuntu:
  In Progress

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

  https://wiki.ubuntu.com/AccountPrivileges#Phone: On the phone, if
  an app tries to access your ... microphone ... or video recording,
  this should be subject to permission. “Video recording” should be
  separate from “Camera” so that an app does not need two permissions
  when recording video, one for the camera and one for the microphone.
  If an app has permission to record video, it should have access to the
  microphone whenever it is recording video...

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2015-07-07 Thread Pat McGowan

** Changed in: canonical-devices-system-image
Milestone: ww28-2015 = ww34-2015

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in the base for Ubuntu mobile products:
  Confirmed
Status in pulseaudio package in Ubuntu:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

  https://wiki.ubuntu.com/AccountPrivileges#Phone: On the phone, if
  an app tries to access your ... microphone ... or video recording,
  this should be subject to permission. “Video recording” should be
  separate from “Camera” so that an app does not need two permissions
  when recording video, one for the camera and one for the microphone.
  If an app has permission to record video, it should have access to the
  microphone whenever it is recording video...

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2015-07-02 Thread Matthew Paul Thomas

** Tags added: lorcha

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in the base for Ubuntu mobile products:
  Confirmed
Status in pulseaudio package in Ubuntu:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

  https://wiki.ubuntu.com/AccountPrivileges#Phone: On the phone, if
  an app tries to access your ... microphone ... or video recording,
  this should be subject to permission. “Video recording” should be
  separate from “Camera” so that an app does not need two permissions
  when recording video, one for the camera and one for the microphone.
  If an app has permission to record video, it should have access to the
  microphone whenever it is recording video...

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2015-06-29 Thread Matthew Paul Thomas

** Description changed:

  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user. Pulseaudio
  needs to be modified to use trust-store, like location-service does.
  Integrating with trust-store means that when an app tries use the
  microphone via pulseaudio, pulseaudio will contact trust-store, the
  trust-store will prompt the user (Foo wants to use the microphone. Is
  this ok? Yes|No), optionally cache the result and return the result to
  pulseaudio. In this manner the user is given a contextual prompt at the
  time of access by the app. Using caching this decision can be remembered
  the next time. If caching is used, there should be a method to change
  the decision in settings.
  
  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.
  
  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.
  
  Note 1, the alert to indicator-sound must happen via the out of process
  pulseaudio server and not the confined app itself to be effective.
  
  Note 2, we should consider how to enforce this for foreground apps only.
  Application lifecycle should probably handle this for 13.10 (apps are
  suspended if not in foreground or if the screensaver is on), but we
  don't want an app on the converged device to record in the background
  when the user isn't paying attention. Example eavesdropping attack:
  start recording only when the screensaver is on (perhaps inhibiting the
  screensaver during recording would be enough).
+ 
+ https://wiki.ubuntu.com/AccountPrivileges#Phone: On the phone, if an
+ app tries to access your ... microphone ... or video recording, this
+ should be subject to permission. “Video recording” should be separate
+ from “Camera” so that an app does not need two permissions when
+ recording video, one for the camera and one for the microphone. If an
+ app has permission to record video, it should have access to the
+ microphone whenever it is recording video...

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in the base for Ubuntu mobile products:
  Confirmed
Status in pulseaudio package in Ubuntu:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2015-06-25 Thread John McAleely

diwic will take a look at this in a couple of weeks, when he returns
from vacation.

** Changed in: pulseaudio (Ubuntu)
 Assignee: Ricardo Salveti (rsalveti) = (unassigned)

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in the base for Ubuntu mobile products:
  Confirmed
Status in pulseaudio package in Ubuntu:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2015-06-12 Thread Ricardo Salveti

Basically we need to change pulseaudio in a way it can ask trusty store
for the right permission when starting the recording process. Please
ping tvoss to know more about how that can be done at the trust-store
level, since there are some examples in the trust-store project.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in the base for Ubuntu mobile products:
  Confirmed
Status in pulseaudio package in Ubuntu:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2015-06-11 Thread John McAleely

** Changed in: canonical-devices-system-image
 Assignee: Canonical Phone Foundations (canonical-phonedations-team) = 
John McAleely (john.mcaleely)

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in the base for Ubuntu mobile products:
  Confirmed
Status in pulseaudio package in Ubuntu:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2015-06-11 Thread John McAleely

This has clearly been around a while. Some way up, a '10-liner' was
suggested as an option. Two questions:

 - is there a good example of this somewhere else to look at (ie, how-to use 
lp:trust-store)?
 - is the 10 liner (check if record is permitted) still an incremental 
improvement?

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in the base for Ubuntu mobile products:
  Confirmed
Status in pulseaudio package in Ubuntu:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2015-06-11 Thread Pat McGowan

** Changed in: canonical-devices-system-image
Milestone: ww21-2015 = ww28-2015

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in the base for Ubuntu mobile products:
  Confirmed
Status in pulseaudio package in Ubuntu:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2015-04-23 Thread Jamie Strandboge

Can this be prioritized higher than it currently is? It keeps getting
pushed back and it was supposed to land before any phones were shipped.
The lack of this feature leaves us open to privacy issues since apps can
record audio without the user knowing.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in the base for Ubuntu mobile products:
  Confirmed
Status in pulseaudio package in Ubuntu:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2015-04-23 Thread Pat McGowan

** Changed in: canonical-devices-system-image
Milestone: ww17-2015 = ww21-2015

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in the base for Ubuntu mobile products:
  Confirmed
Status in pulseaudio package in Ubuntu:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2015-04-22 Thread Ricardo Salveti

Please move this to ww21.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in the base for Ubuntu mobile products:
  Confirmed
Status in pulseaudio package in Ubuntu:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2015-04-13 Thread Pat McGowan

** Changed in: canonical-devices-system-image
Milestone: ww13-2015 = ww17-2015

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in the base for Ubuntu mobile products:
  Confirmed
Status in pulseaudio package in Ubuntu:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2015-03-12 Thread Ricardo Salveti

** Changed in: canonical-devices-system-image
 Assignee: Michael Frey (mfrey) = Canonical Phone Foundations 
(canonical-phonedations-team)

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in the base for Ubuntu mobile products:
  Confirmed
Status in pulseaudio package in Ubuntu:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2015-03-10 Thread Jim Hodapp

I would go one step further with the proposed indicator method of
letting the user know when an app is recording audio. I would have the
indicator-sound icon change to an image of a microphone (or even pop up
a new icon) and set the color as red. This would be much more self-
evident that recording is taking place than just a red speaker (the
first thing that I would think if I saw that without knowing what it
meant was that something was broken with my audio).

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in the base for Ubuntu mobile products:
  Confirmed
Status in pulseaudio package in Ubuntu:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2015-03-10 Thread Pat McGowan

** Changed in: canonical-devices-system-image
Milestone: ww09-2015 = ww13-2015

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in the base for Ubuntu mobile products:
  Confirmed
Status in pulseaudio package in Ubuntu:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2015-02-12 Thread Pat McGowan

** Changed in: canonical-devices-system-image
Milestone: ww07-2015 = ww09-2015

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in the base for Ubuntu mobile products:
  Confirmed
Status in pulseaudio package in Ubuntu:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2015-02-12 Thread Pat McGowan

** Changed in: canonical-devices-system-image
 Assignee: Canonical Devices Products (canonical-devices-products-team) = 
Michael Frey (mfrey)

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in the base for Ubuntu mobile products:
  Confirmed
Status in pulseaudio package in Ubuntu:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2015-01-28 Thread Pat McGowan

** Changed in: canonical-devices-system-image
Milestone: ww05-2015 = ww09-2015

** Changed in: canonical-devices-system-image
Milestone: ww09-2015 = ww07-2015

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in the base for Ubuntu mobile products:
  Confirmed
Status in pulseaudio package in Ubuntu:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2015-01-14 Thread Pat McGowan

** Changed in: canonical-devices-system-image
Milestone: ww03-2015 = ww05-2015

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in the base for Ubuntu mobile products:
  Confirmed
Status in pulseaudio package in Ubuntu:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2014-12-05 Thread Pat McGowan

moved to ww03

** Changed in: canonical-devices-system-image
Milestone: ww51-2014 = ww03-2015

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in the base for Ubuntu mobile products:
  Confirmed
Status in pulseaudio package in Ubuntu:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2014-11-26 Thread Olli Ries

** Changed in: canonical-devices-system-image
   Importance: Undecided = High

** Changed in: canonical-devices-system-image
   Status: New = Confirmed

** Changed in: canonical-devices-system-image
Milestone: None = r1

** Changed in: canonical-devices-system-image
 Assignee: (unassigned) = Canonical Devices Products 
(canonical-devices-products-team)

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in the base for Ubuntu mobile products:
  Confirmed
Status in “pulseaudio” package in Ubuntu:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2014-10-30 Thread Olli Ries

this bug needs to be targeted after RTM, via ota

** Tags removed: touch-2014-10-23
** Tags added: ota-1

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in “pulseaudio” package in Ubuntu:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2014-10-30 Thread Jamie Strandboge

I understand the desire to push this to ota and also understand that
people are busy, but I want to restate how important this bug fix is--
users need to know if an application is able to record them, otherwise
it is all to easy to end up with eavesdropping applications in the
store.

I am not saying that we should change Olli's assessment for ota-1, but I
am saying it really, *really* needs to happen then and not slip past
ota-1.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in “pulseaudio” package in Ubuntu:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2014-10-02 Thread Michael Frey

** Tags removed: touch-2014-10-9
** Tags added: touch-2014-10-23

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in “pulseaudio” package in Ubuntu:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2014-09-25 Thread Ricardo Salveti

** Changed in: pulseaudio (Ubuntu)
 Assignee: (unassigned) = Ricardo Salveti (rsalveti)

** Tags added: touch-2014-10-9

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in “pulseaudio” package in Ubuntu:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2014-07-31 Thread Jamie Strandboge

** Changed in: pulseaudio (Ubuntu Utopic)
   Importance: High = Critical

** No longer affects: pulseaudio (Ubuntu Saucy)

** No longer affects: pulseaudio (Ubuntu Trusty)

** No longer affects: pulseaudio (Ubuntu Utopic)

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in “pulseaudio” package in Ubuntu:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2014-06-20 Thread Raymond

as pulseaudio allows two or more client perform capturing/playback at
same time , you need same mechanism as pulseaudo allow application which
play digital passthrough with spdif device exclusively

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in “pulseaudio” package in Ubuntu:
  Triaged
Status in “pulseaudio” source package in Saucy:
  Won't Fix
Status in “pulseaudio” source package in Trusty:
  Won't Fix
Status in “pulseaudio” source package in Utopic:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2014-06-17 Thread David Henningsson

So, I guess one could insert a check in the call to 
command_create_record_stream (src/pulsecore/protocol-native.c), that would deny 
access if trust-store says so.
However, there is still a way around that. Any app that can access the shm file 
can potentially look at audio data currently streaming to *another* app, i e, 
malicious app Eve can see what PulseAlice sends to the legitmate app Bob.
I'm not sure how much this SHM file is cleaned up (zeroed out) either, so there 
is a possibility the shm file contains old recorded data too.

As for PulseAudio clients telling PulseAudio to access random files on
the file system, I don't think that's true, but I could have missed
something.  Could you be more specific about where this functionality
lies and I'll have a closer look?

As for the LED, any app with access to both the LED and PulseAudio
should be able to do this.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in “pulseaudio” package in Ubuntu:
  Triaged
Status in “pulseaudio” source package in Saucy:
  Won't Fix
Status in “pulseaudio” source package in Trusty:
  Won't Fix
Status in “pulseaudio” source package in Utopic:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2014-06-17 Thread Jamie Strandboge

So, I guess one could insert a check in the call to
command_create_record_stream (src/pulsecore/protocol-native.c), that
would deny access if trust-store says so.

Yes. I'm told that the latest in the lp:trust-store API turns this into
~10 lines of code (location-service will have the first example that can
be looked at).

However, there is still a way around that. Any app that can access the shm 
file can potentially look at audio data currently streaming to *another* app, i 
e, malicious app Eve can see what PulseAlice sends to the legitmate app Bob.
I'm not sure how much this SHM file is cleaned up (zeroed out) either, so there 
is a possibility the shm file contains old recorded data too.

Yes, but lets leave that to bug #1224751. We definitely want to clean up
the SHM files, but I'm guessing this will be a longer term goal and I
think this is mostly mitigated by application lifecycle on the phone
since only the foreground app is allowed to run. It would be good for
someone to look at the SHM file to make sure it didn't have previously
recorded data.

As for PulseAudio clients telling PulseAudio to access random files on
the file system, I don't think that's true, but I could have missed
something. Could you be more specific about where this functionality
lies and I'll have a closer look?

Ah, I was told this *may* be true and so I was stating in the bug that
*if* it is true, then we need the additional apparmor integration. If it
is not, then we don't. Based on your assessment, it sounds like it is
not true.

As for the LED, any app with access to both the LED and PulseAudio
should be able to do this.

I think I wasn't clear-- apps currently don't have access to the LEDs,
so I was thinking pulseaudio could potentially add this itself so the
user had a visual cue that recording was happening (and said cue is
outside of the app's control). This comment was intended for the design
team-- I think we need design input before anyone implements this (not
to mention, something in platform api that things like pulseaudio could
use-- AFAIK, right now it is manipulating values in /sys. We would want
to have a proper library for pulseaudio to use).

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in “pulseaudio” package in Ubuntu:
  Triaged
Status in “pulseaudio” source package in Saucy:
  Won't Fix
Status in “pulseaudio” source package in Trusty:
  Won't Fix
Status in “pulseaudio” source package in Utopic:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe :

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2014-06-13 Thread Jamie Strandboge

** Also affects: pulseaudio (Ubuntu Utopic)
   Importance: High
   Status: Invalid

** Changed in: pulseaudio (Ubuntu Trusty)
   Status: Confirmed = Won't Fix

** Changed in: pulseaudio (Ubuntu Utopic)
   Status: Invalid = Triaged

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in “pulseaudio” package in Ubuntu:
  Triaged
Status in “pulseaudio” source package in Saucy:
  Won't Fix
Status in “pulseaudio” source package in Trusty:
  Won't Fix
Status in “pulseaudio” source package in Utopic:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2014-06-13 Thread Jamie Strandboge

I think implementing a limited client is a good midterm goal, but not something 
for rtm. For rtm I think the most important workflow is achieving mpt's point 
'1' in comment #14. Ie:
 * app tries to record audio
 * at that point, pulseaudio uses lp:trust-store to see if the user said this 
app can record audio. If user said 'no' in the past, then don't allow, if user 
said 'yes', then allow, if user never specified, then prompt using trusted 
session

Complete isolation between apps is a great goal. I think we can live
with an app abusing muting other applications (though it would be good
if the dialer could never be muted by another app to make sure emergency
calls aren't blocked...). The most important thing in my mind from a
security POV is an app silently being able to eavesdrop/spy on the user,
which is the case now. With trust-store support, the user will know the
app can/will record audio. Ideally we would also have mpt's point '2' in
place too so the user is aware that recording is happening.

As for '3', the new camera service will do the same thing as pulseaudio
for '1' and ideally '2'.

** Tags added: rtm14

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in “pulseaudio” package in Ubuntu:
  Triaged
Status in “pulseaudio” source package in Saucy:
  Won't Fix
Status in “pulseaudio” source package in Trusty:
  Won't Fix
Status in “pulseaudio” source package in Utopic:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2014-06-13 Thread Jamie Strandboge

There is one other adjustment for pulseaudio that came up today. If an
app is able to handle a file name to pulseaudio (ie, the app process
doesn't have to open it first but instead tells pulseaudio to open and
play a file), then pulseaudio should also have apparmor integration for
playback in addition to trust-store integration for recording.
Fortunately, libapparmor makes this easy-- pulseaudio just needs to get
the connecting process' apparmor label (profile name) via libapparmor,
then make another libapparmor call to ask if a process running under
this apparmor label is allowed to access the file that the app process
specified.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in “pulseaudio” package in Ubuntu:
  Triaged
Status in “pulseaudio” source package in Saucy:
  Won't Fix
Status in “pulseaudio” source package in Trusty:
  Won't Fix
Status in “pulseaudio” source package in Utopic:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2014-06-13 Thread Jamie Strandboge

Something that occurred to me-- for devices that ship LEDs, maybe
pulseaudio could turn on the 'record' LED (ie, the red one) when
performing audio recording?

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in “pulseaudio” package in Ubuntu:
  Triaged
Status in “pulseaudio” source package in Saucy:
  Won't Fix
Status in “pulseaudio” source package in Trusty:
  Won't Fix
Status in “pulseaudio” source package in Utopic:
  Triaged

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2014-06-12 Thread Ricardo Salveti

David, while I don't see the need to change Pulse in order to be able to
notify the user that a recording is in place, how should we proceed on
the trusted helper side (the user prompt, such as Foo wants to use the
microphone. Is this ok? Yes|No)?

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in “pulseaudio” package in Ubuntu:
  Invalid
Status in “pulseaudio” source package in Saucy:
  Won't Fix
Status in “pulseaudio” source package in Trusty:
  Confirmed

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: Pulseaudio should integrate with trust-store

2014-06-12 Thread David Henningsson

For the broader concept of PulseAudio and security, the native protocol
of PulseAudio was not built with security in mind, if you by security
mean that some connected clients should be able to do some things, and
other connected clients should be able to do other things. Right now, as
soon as you have a connection to the server, you can do everything from
recording audio to mute other applications.

Implementing a limited client in PulseAudio is of course possible, but
needs quite a bit of work, and lots of careful thought not to leave
anything open security wise.

I haven't been following the discussions around the Touch security stuff
much, and I don't know what trust-store is. So maybe I would need some
introduction, and then we need to brainstorm a bit on the topic and see
what we come up with?

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

Status in “pulseaudio” package in Ubuntu:
  Invalid
Status in “pulseaudio” source package in Saucy:
  Won't Fix
Status in “pulseaudio” source package in Trusty:
  Confirmed

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: pulseaudio should integrate with trust-store

2013-10-17 Thread Launchpad Bug Tracker

Status changed to 'Confirmed' because the bug affects multiple users.

** Changed in: pulseaudio (Ubuntu T-series)
   Status: New = Confirmed

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  pulseaudio should integrate with trust-store

Status in “pulseaudio” package in Ubuntu:
  Invalid
Status in “pulseaudio” source package in Saucy:
  Won't Fix
Status in “pulseaudio” source package in t-series:
  Confirmed

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

[Desktop-packages] [Bug 1224756] Re: pulseaudio should integrate with trust-store

2013-09-25 Thread Matthew Paul Thomas

I think this is an accurate summary of the discussion on IRC:

1. There should be a run-time prompt the first time an app tries to use
the microphone, just as there is for other sensitive properties. In
future there should be a similar prompt for the camera (bug 1230366).

2. In addition, there should be a reminder whenever a background app is
using the mic, e.g. a Voip client when you've switched to your calendar
to discuss an event, so that you don't forget the mic is live. Again,
the same is true for the camera. (Trusted screencast utilities might be
granted exceptions.)

3. Because both of these apply to just as much to the camera as the mic,
and they will often happen together, they should share UI. In the prompt
case, that means the prompts for both should be aggregated. In the
reminder case, it means the sound indicator isn't an appropriate home
for it.

4. Much the same issue is already faced by the phone app: when you
switch to another app during a call, you need both a reminder that
you're on a call, and a way of switching back to it. Other apps using
the mic (and/or camera) should use the same UI mechanism as the phone
app does, not least because they will often be Voip clients doing the
same job as the phone app. Unfortunately the design for that reminder is
not yet finalized. The current draft is a temporary separate indicator.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  pulseaudio should integrate with trust-store

Status in “pulseaudio” package in Ubuntu:
  Invalid
Status in “pulseaudio” source package in Saucy:
  Won't Fix
Status in “pulseaudio” source package in t-series:
  New

Bug description:
  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user.
  Pulseaudio needs to be modified to use trust-store, like location-
  service does. Integrating with trust-store means that when an app
  tries use the microphone via pulseaudio, pulseaudio will contact
  trust-store, the trust-store will prompt the user (Foo wants to use
  the microphone. Is this ok? Yes|No), optionally cache the result and
  return the result to pulseaudio. In this manner the user is given a
  contextual prompt at the time of access by the app. Using caching this
  decision can be remembered the next time. If caching is used, there
  should be a method to change the decision in settings.

  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.

  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.

  Note 1, the alert to indicator-sound must happen via the out of
  process pulseaudio server and not the confined app itself to be
  effective.

  Note 2, we should consider how to enforce this for foreground apps
  only. Application lifecycle should probably handle this for 13.10
  (apps are suspended if not in foreground or if the screensaver is on),
  but we don't want an app on the converged device to record in the
  background when the user isn't paying attention. Example eavesdropping
  attack: start recording only when the screensaver is on (perhaps
  inhibiting the screensaver during recording would be enough).

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1224756/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp

47 matches

Mail list logo