** Description changed:

  Currently the 'audio' policy group allows access to pulseaudio which
  allows apps to use the microphone and eavesdrop on the user. Pulseaudio
  needs to be modified to use trust-store, like location-service does.
  Integrating with trust-store means that when an app tries use the
  microphone via pulseaudio, pulseaudio will contact trust-store, the
  trust-store will prompt the user ("Foo wants to use the microphone. Is
  this ok? Yes|No"), optionally cache the result and return the result to
  pulseaudio. In this manner the user is given a contextual prompt at the
  time of access by the app. Using caching this decision can be remembered
  the next time. If caching is used, there should be a method to change
  the decision in settings.
  
  Targeting to T-Series for now, since the trust-store is not in a
  reusable form yet.
  
  Original description:
  David and the security team (inspired by an observation from Rick) discussed 
that when recording, pulseaudio should somehow unobtrusively show the user that 
it is recording. The easiest thing to do would be for pulseaudio to alert 
indicator-sound which would then turn its icon red (similar to 
indicator-message turning blue with new messages). Marking 'high' because apps 
with access to pulseaudio can currently eavedrop on users. If the app is 
allowed to do networking (the default for apps), then it can ship that 
information off to a server somewhere.
  
  Note 1, the alert to indicator-sound must happen via the out of process
  pulseaudio server and not the confined app itself to be effective.
  
  Note 2, we should consider how to enforce this for foreground apps only.
  Application lifecycle should probably handle this for 13.10 (apps are
  suspended if not in foreground or if the screensaver is on), but we
  don't want an app on the converged device to record in the background
  when the user isn't paying attention. Example eavesdropping attack:
  start recording only when the screensaver is on (perhaps inhibiting the
  screensaver during recording would be enough).
+ 
+ <https://wiki.ubuntu.com/AccountPrivileges#Phone>: "On the phone, if an
+ app tries to access your ... microphone ... or video recording, this
+ should be subject to permission. “Video recording” should be separate
+ from “Camera” so that an app does not need two permissions when
+ recording video, one for the camera and one for the microphone. If an
+ app has permission to record video, it should have access to the
+ microphone whenever it is recording video..."

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1224756

Title:
  Pulseaudio should integrate with trust-store

To manage notifications about this bug go to:
https://bugs.launchpad.net/canonical-devices-system-image/+bug/1224756/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

Reply via email to