Commit 7bea44d1 authored by intrigeri

Postpone mediating access to the microphone via AppArmor.

parent 60f06787
......@@ -39,34 +39,6 @@ Things to check
`/{,usr/}lib*/{,**/}*.so{,.*} m`
- the `ubuntu-helpers` abstraction has
`/{,usr/,usr/local/}lib{,32,64}/{,**/}*.so{,.*} m`
* access to microphone (can we easily block that while still allowing
sound output?)
- `abstractions/audio` gives full access to PulseAudio, which
no doubt gives access to the microphone; we use that abstraction
for Totem, Tor Browser, Evince and Pidgin. The Ubuntu phone
mediates access to PulseAudio at the D-Bus level. As of
2015-05-04:
* this is only done at the AppArmor level. There is WIP to [make
PulseAudio a trusted helper for microphone
access](https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1224756).
The "trust-store" is a library (external to AppArmor) that
services can use. it can prompt, remember the answer, etc.
It's currently limited to mir. It can also be preseeded.
jdstrand is not sure if there is a CLI for that, but that could
be another option. The broader picture is described in
<https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement>
and in the phone-specific bits at
<https://wiki.ubuntu.com/AccountPrivileges>.
* AppArmor support for D-Bus mediation has made it into D-Bus
upstream, but the kernel bits have not been upstreamed yet.
- regarding Alsa:
* `/dev/snd/pcmC[0-9]D[0-9]c` raw audio devices seem to be capture,
while `/dev/snd/pcmC[0-9]D[0-9]p` devices seem to be playback
devices
* do `/dev/snd/hwC[0-9]D[0-9]` give access to the microphone?
* do `/dev/controlC[0-9]` give access to the microphone?
* does `/dev/snd/seq` give access to the microphone?
* does `/dev/snd/timer` give access to the microphone?
* wide-open access to `$HOME` except blacklist -- everything checked,
potential issues and remaining todo items follow:
- Evince, Totem and their previewers have read-write access to
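Review bot: with the microphone item dropped from "Things to check", nothing at this point in the list still flags that `abstractions/audio` is used for Totem, Tor Browser, Evince and Pidgin with what the text itself calls full access to PulseAudio. The commit message says the work is postponed, not resolved, so consider leaving a one-line pointer here to the item's new location, or a ticket reference, so that someone auditing this list does not conclude that microphone access has been dealt with.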
......@@ -118,6 +90,41 @@ Things to keep in mind
Checked already
===============
Could be improved later
-----------------------
* access to microphone (can we easily block that while still allowing
sound output?)
- `abstractions/audio` gives full access to PulseAudio, which
no doubt gives access to the microphone; we use that abstraction
for Totem, Tor Browser, Evince and Pidgin. The Ubuntu phone
mediates access to PulseAudio at the D-Bus level. As of
2015-05-04:
* this is only done at the AppArmor level. There is WIP to [make
PulseAudio a trusted helper for microphone
access](https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1224756).
The "trust-store" is a library (external to AppArmor) that
services can use. it can prompt, remember the answer, etc.
It's currently limited to mir. It can also be preseeded.
jdstrand is not sure if there is a CLI for that, but that could
be another option. The broader picture is described in
<https://wiki.ubuntu.com/SecurityTeam/Specifications/ApplicationConfinement>
and in the phone-specific bits at
<https://wiki.ubuntu.com/AccountPrivileges>.
* AppArmor support for D-Bus mediation has made it into D-Bus
upstream, but the kernel bits have not been upstreamed yet.
- regarding Alsa:
* `/dev/snd/pcmC[0-9]D[0-9]c` raw audio devices seem to be capture,
while `/dev/snd/pcmC[0-9]D[0-9]p` devices seem to be playback
devices
* do `/dev/snd/hwC[0-9]D[0-9]` give access to the microphone?
* do `/dev/controlC[0-9]` give access to the microphone?
* does `/dev/snd/seq` give access to the microphone?
* does `/dev/snd/timer` give access to the microphone?
Currently OK
------------
* Ux rules don't sanitize `$PATH`
(<https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1045986>) =>
they must only be used to run software that does *not* rely on
......
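Review bot: the block added under "Checked already" / "Could be improved later" still ends with four unanswered questions about the ALSA nodes (`/dev/snd/hwC[0-9]D[0-9]`, `/dev/controlC[0-9]`, `/dev/snd/seq`, `/dev/snd/timer`), so filing it under "Checked already" overstates what was verified. Either mark those bullets explicitly as open questions or record which of them were actually tested. While moving the text, also check the path in "do `/dev/controlC[0-9]` give access to the microphone?": ALSA control nodes live under `/dev/snd/`, like every other path in this list, so this is probably meant to be `/dev/snd/controlC[0-9]`.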