@Jamie: Works fine here for me. Using a simple snap name: pulseaudio-clients version: 8.0-1 summary: Clients for PulseAudio description: | Contains PulseAudio client utilities
apps: pactl: command: usr/bin/pactl plugs: [pulseaudio] paplay: command: usr/bin/paplay plugs: [pulseaudio] parec: command: usr/bin/parec plugs: [pulseaudio] parts: packages: plugin: nil stage-packages: - pulseaudio to test. Make sure that the module is loaded: simon@nirvana ~/Work/ubuntu/snappy/paplay-snap $ pactl list modules | grep snappy Name: module-snappy-policy If not you can load it with $ pactl load-module module-snappy-policy If you now install the snap from above and run $ pulseaudio-clients.parec you will see the client hangs. If you unload the module $ pactl unload-module module-snappy-policy you will see the client can record now and doesn't hang any longer. The only thing which might have went wrong with the package debdiff is that the module for the snappy policy wasn't added to /etc/pulse/daemon.pa. Will check that now. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1583057 Title: Deny audio recording for all snap applications Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: In Progress Status in pulseaudio source package in Yakkety: Fix Released Bug description: [Impact] Currently snaps on Ubuntu Classic may declare in their snap.yaml that they want access to pulseaudio. When installed, snapd will auto-connect the pulseaudio interface giving the snap access to the pulseaudio server for playback and recording. Because recording is allowed, snaps are allowed to eavesdrop on users without the user knowing. Phase 1 of the pulseaudio interface should block recording for snaps while the details of phase 2 (which combines pulseaudio/snappy interfaces and trust-store) are worked out. [Test Case] First, install pulseaudio then reboot (alternatively can 'killall pulseaudio' from within your session or logout then killall pulseaudio from a vt and then log back in). pulseaudio needs to be restarted for the changes to be in effect and a reboot is the easiest way to achieve that. 1. unconfined can play audio 2. unconfined can record audio 3. non-snap confined can play audio 4. non-snap confined can record audio 5. snap confined can play audio 6. snap confined cannot record audio 7. snap confined devmode can record audio 8. indicator-sound and 'Sound Settings... works' 9. click can record audio if trust-store allows (eg, 'SnapRecorder' from the store) 10. click can play audio (eg, playback of recording from 'SnapRecorder' from the store) Currently '6' is not implemented and all snaps may record audio. When this bug is fixed, no snaps should be able to record audio (until phase 2 is implemented which will be in a different bug). The attached script tests 1-7. 9 and 10 require testing on a device and using [Regression Potential] The patch is quite small and easy to understand and is implemented to only affect processes that want to record and are running with a security label that starts with 'snap.' Unconfined processes and process running under other security labels should not be affected. Original description: Until we have a proper trust-store implementation with snappy and on the desktop/ubuntu core we want pulseaudio to simply deny any audio recording request coming from an app shipped as part of a snap. The implementation adds a module-snappy-policy module to pulseaudio which adds a hook for audio recording requests and checks on connection if the apparmor security label of the connecting peer starts with "snap." which will identify it as a snap application. Pulseaudio with the patch is available as part of the landing request at https://requests.ci-train.ubuntu.com/#/ticket/1428 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1583057/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp