Public bug reported:

Currently we have apparmor rules for pulseaudio like this:

  owner /{run,dev}/shm/pulse-shm* rk,
  deny /{run,dev}/shm/pulse-shm* w, # deny unless we have to have it

The rules are this way because the shared memory files are not app specific and it is possible for one app to access another app's shared memory file. It would be better if the files were app-specific to better isolate the apps (this is something we are doing elsewhere). A short-term option would be to put this shm file in an app-specific directory such as one of these:

  $XDG_RUNTIME_DIR/confined/$app_pkgname/
  $XDG_RUNTIME_DIR/pulse/$appid/

A longer-term alternative would be to integrate this more directly within AppArmor and its policy language.

I'm currently marking this bug as 'Medium' right now-- the policy currently doesn't allow write to these SHM files and audio works ok.

** Affects: pulseaudio (Ubuntu)
     Importance: Medium
         Status: Confirmed

** Tags: application-confinement

-- 
You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu.
https://bugs.launchpad.net/bugs/1224751

Title:
  pulseaudio should use app-specific directory for shm files

Status in “pulseaudio” package in Ubuntu:
  Confirmed
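As an added example (not from the bug report or the pulseaudio project), the following audit reads each process's AppArmor label and memory maps and reports pulse-shm files that are mapped under more than one profile, which is the cross-app exposure the report describes; it also lists confined profiles holding a writable mapping, i.e. where the `deny ... w` rule above is not in force. The pids, labels and maps lines in `SAMPLE_PROCS` are constructed sample data; `read_live_procs()` builds the same structure from `/proc` on a running system.

```python
import re
from collections import defaultdict
from pathlib import Path
# Constructed sample: pid -> (AppArmor label, lines from /proc/<pid>/maps)
SAMPLE_PROCS = {
    1001: ("com.example.music_music_1.0 (enforce)",
           ["7f1a00000000-7f1a04000000 rw-s 00000000 00:18 1234 /dev/shm/pulse-shm-2719441271"]),
    1002: ("com.example.notes_notes_0.1 (enforce)",
           ["7f2b00000000-7f2b04000000 r--s 00000000 00:18 1234 /dev/shm/pulse-shm-2719441271"]),
    1003: ("unconfined",
           ["7f3c00000000-7f3c04000000 rw-s 00000000 00:18 5678 /dev/shm/pulse-shm-1196436758"]),
}

PULSE_SHM = re.compile(r"/(run|dev)/shm/pulse-shm\S*")

def parse_maps_line(line):
    """Return (perms, path) if the mapping is a pulse-shm file, else None."""
    parts = line.split(None, 5)  # addr perms offset dev inode path
    if len(parts) == 6 and PULSE_SHM.fullmatch(parts[5]):
        return parts[1], parts[5]
    return None

def shm_mappings(procs):
    """{shm_path: {profile: set(perms)}}, dropping the ' (enforce)' mode suffix."""
    out = defaultdict(lambda: defaultdict(set))
    for label, maps in procs.values():
        for perms, path in filter(None, map(parse_maps_line, maps)):
            out[path][label.split(" (")[0]].add(perms)
    return out

def cross_profile_shares(procs):
    """pulse-shm files mapped under more than one profile (the cross-app exposure)."""
    return sorted(p for p, by in shm_mappings(procs).items() if len(by) > 1)

def writable_confined(procs):
    """(path, profile) pairs where a confined process holds a writable mapping."""
    return sorted((p, prof) for p, by in shm_mappings(procs).items()
                  for prof, perms in by.items()
                  if prof != "unconfined" and any("w" in x for x in perms))

def read_live_procs():
    """Same structure from a running Linux system (needs /proc access)."""
    procs = {}
    for d in (p for p in Path("/proc").iterdir() if p.name.isdigit()):
        try:  # a process may exit mid-scan, or be unreadable to this user
            procs[int(d.name)] = ((d / "attr/current").read_text().strip("\n\0"),
                                  (d / "maps").read_text().splitlines())
        except OSError:
            continue
    return procs
```

Run `cross_profile_shares(read_live_procs())` on a desktop session to see whether any pulse-shm file is currently shared across confinement labels.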
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1224751/+subscriptions

-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp