Postpone mediating access to the microphone via AppArmor.

wiki/src/blueprint/audit_AppArmor_profiles.mdwn

@@ -39,34 +39,6 @@ Things to check
     `/{,usr/}lib*/{,**/}*.so{,.*} m`
   - the `ubuntu-helpers` abstraction has
     `/{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m`
-* access to microphone (can we easily block that while still allowing
-  sound output?)
-  - `abstractions/audio` gives full access to PulseAudio, which
-     no doubt gives access to the microphone; we use that abstraction
-     for Totem, Tor Browser, Evince and Pidgin. The Ubuntu phone
-     mediates access to PulseAudio at the D-Bus level. As of
-     2015-05-04:
-     * this is only done at the AppArmor level. There is WIP to [make
-       PulseAudio a trusted helper for microphone
-       access](https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1224756).
-       The "trust-store" is a library (external to AppArmor) that
-       services can use. it can prompt, remember the answer, etc.
-       It's currently limited to mir. It can also be preseeded.
-       jdstrand is not sure if there is a CLI for that, but that could
-       be another option. The broader picture is described in
-       <https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement>
-       and in the phone-specific bits at
-       <https://wiki.ubuntu.com/AccountPrivileges>.
-     * AppArmor support for D-Bus mediation has made it into D-Bus
-       upstream, but the kernel bits have not been upstreamed yet.
-  - regarding Alsa:
-    * `/dev/snd/pcmC[0-9]D[0-9]c` raw audio devices seem to be capture,
-      while `/dev/snd/pcmC[0-9]D[0-9]p` devices seem to be playback
-      devices
-    * do `/dev/snd/hwC[0-9]D[0-9]` give access to the microphone?
-    * do `/dev/controlC[0-9]` give access to the microphone?
-    * does `/dev/snd/seq` give access to the microphone?
-    * does `/dev/snd/timer` give access to the microphone?
 * wide-open access to `$HOME` except blacklist -- everything checked,
   potential issues and remaining todo items follow:
   - Evince, Totem and their previewers have read-write access to
@@ -118,6 +90,41 @@ Things to keep in mind
 Checked already
 ===============
 
+Could be improved later
+-----------------------
+
+* access to microphone (can we easily block that while still allowing
+  sound output?)
+  - `abstractions/audio` gives full access to PulseAudio, which
+     no doubt gives access to the microphone; we use that abstraction
+     for Totem, Tor Browser, Evince and Pidgin. The Ubuntu phone
+     mediates access to PulseAudio at the D-Bus level. As of
+     2015-05-04:
+     * this is only done at the AppArmor level. There is WIP to [make
+       PulseAudio a trusted helper for microphone
+       access](https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1224756).
+       The "trust-store" is a library (external to AppArmor) that
+       services can use. it can prompt, remember the answer, etc.
+       It's currently limited to mir. It can also be preseeded.
+       jdstrand is not sure if there is a CLI for that, but that could
+       be another option. The broader picture is described in
+       <https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement>
+       and in the phone-specific bits at
+       <https://wiki.ubuntu.com/AccountPrivileges>.
+     * AppArmor support for D-Bus mediation has made it into D-Bus
+       upstream, but the kernel bits have not been upstreamed yet.
+  - regarding Alsa:
+    * `/dev/snd/pcmC[0-9]D[0-9]c` raw audio devices seem to be capture,
+      while `/dev/snd/pcmC[0-9]D[0-9]p` devices seem to be playback
+      devices
+    * do `/dev/snd/hwC[0-9]D[0-9]` give access to the microphone?
+    * do `/dev/controlC[0-9]` give access to the microphone?
+    * does `/dev/snd/seq` give access to the microphone?
+    * does `/dev/snd/timer` give access to the microphone?
+
+Currently OK
+------------
+
 * Ux rules don't sanitize `$PATH`
   (<https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1045986>) =>
   they must only be used to run software that does *not* rely on