In email correspondence, David said that we should disable access to the cli and dbus-sockets and only allow access to native. This has been added to policy. With a pending kernel patch, those avenues will be fixed. David also said that with the native socket, apps can load pulse system modules. That is sufficient for 13.10, but we will likely want to add security hooks to pulse going forward. I'll mark the saucy task as "Won't Fix" for now. We can define work items for mediating module load down the line.

** Also affects: apparmor-easyprof-ubuntu (Ubuntu)
   Importance: Undecided
       Status: New

https://bugs.launchpad.net/bugs/1211380

Title:
  pulseaudio socket needs confined app restrictions

Status in PulseAudio sound server:
  New
Status in “apparmor-easyprof-ubuntu” package in Ubuntu:
  Fix Released
Status in “pulseaudio” package in Ubuntu:
  Confirmed
Status in “apparmor-easyprof-ubuntu” source package in Saucy:
  Fix Released
Status in “pulseaudio” source package in Saucy:
  Won't Fix

Bug description:
  Confined applications need access to the pulseaudio socket.
  Unfortunately, this allows them to perform dangerous operations, such
  as load a module from an arbitrary path. It also allows them to
  enumerate installed applications by listing clients.

  The Pulseaudio daemon should verify if an application is confined, and
  if so, restrict access to certain commands. If module loading cannot
  be disabled for confined applications, perhaps it could be modified to
  only load modules from trusted system locations.