More AppArmor policy auditing results.
- `/lib/live/mount/overlay/`
* we add `/lib/live/mount/overlay/home/` to `HOMEDIRS`, so at
least `$HOME` is OK
-* access to webcam
* access to microphone (can we easily block that while still allowing
sound output?)
-* wide-open access to `$HOME` -- everything checked, potential issues
- and remaining todo items follow:
- - `abstractions/ubuntu-browsers.d/{java,user-files}` give read-write
- access to `$HOME` and its content: where are they used?
+ - `abstractions/audio` gives full access to PulseAudio, which
+ no doubt gives access to the microphone; we use that abstraction
+ for Totem, Tor Browser, Evince and Pidgin. The Ubuntu phone
+ mediates access to PulseAudio at the D-Bus level. As of
+ 2015-05-04:
+ * this is only done at the AppArmor level. There is WIP to [make
+ PulseAudio a trusted helper for microphone
+ access](
+ The "trust-store" is a library (external to AppArmor) that
+ services can use. it can prompt, remember the answer, etc.
+ It's currently limited to mir. It can also be preseeded.
+ jdstrand is not sure if there is a CLI for that, but that could
+ be another option. The broader picture is described in the
+ phone-specific bits at
+ <>.
+ * AppArmor support for D-Bus mediation has made it into D-Bus
+ upstream, but the kernel bits have not been upstreamed yet.
+ - regarding Alsa:
+ * `/dev/snd/pcmC[0-9]D[0-9]c` raw audio devices seem to be capture,
+ while `/dev/snd/pcmC[0-9]D[0-9]p` devices seem to be playback
+ devices
+ * do `/dev/snd/hwC[0-9]D[0-9]` give access to the microphone?
+ * do `/dev/controlC[0-9]` give access to the microphone?
+ * does `/dev/snd/seq` give access to the microphone?
+ * does `/dev/snd/timer` give access to the microphone?
* wide-open access to `$HOME` except blacklist -- everything checked,
potential issues and remaining todo items follow:
- Evince, Totem and their previewers have read-write access to
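Review bot: the Markdown link at "make PulseAudio a trusted helper for microphone access" stops at `](` with no target, and the autolink after "phone-specific bits at" is an empty `<>`; either fill in the URLs or drop the link syntax so the rendered page does not carry two broken links. Also, in the Alsa list the entry `/dev/controlC[0-9]` lacks the `/dev/snd/` prefix used by the sibling entries (ALSA control nodes live at `/dev/snd/controlC[0-9]`), so anyone grepping profiles or writing deny rules from this list would miss them.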
@@ -121,3 +141,10 @@ Checked already
the `$HOME`, Desktop and download directories; combined with the
`private-files-strict` abstraction, it is probably as tight as we
can do without substantially harming UX
+ - `abstractions/ubuntu-browsers.d/{java,user-files}` give read-write
+ access to `$HOME` and its content, but they're not used anywhere
+* access to webcam:
+ - `abstractions/video` gives access via `/sys/class/video4linux/` so
+ some devices; it's not used in any profile we ship
+ - most webcams appear as `/dev/video0` or similar; `rgrep -i video`
+ shows that no profile we ship gives access to such files
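Review bot: "gives access via `/sys/class/video4linux/` so some devices" reads as a typo for "to some devices". One caveat on the `rgrep -i video` check: it only catches profiles that mention "video" literally, so a wide rule such as `/dev/** rw` would still reach `/dev/video0` without matching; the "no profile we ship gives access" conclusion holds only if no shipped profile carries such a broad `/dev/` rule, which is worth confirming in the same pass.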