Commit 15c03461 authored by intrigeri

More AppArmor policy auditing results.

parent a94972e2
......@@ -15,13 +15,33 @@ Things to check
- `/lib/live/mount/overlay/`
* we add `/lib/live/mount/overlay/home/` to `HOMEDIRS`, so at
least `$HOME` is OK
* access to webcam
* access to microphone (can we easily block that while still allowing
sound output?)
* wide-open access to `$HOME` -- everything checked, potential issues
and remaining todo items follow:
- `abstractions/ubuntu-browsers.d/{java,user-files}` give read-write
access to `$HOME` and its content: where are they used?
- `abstractions/audio` gives full access to PulseAudio, which
no doubt gives access to the microphone; we use that abstraction
for Totem, Tor Browser, Evince and Pidgin. The Ubuntu phone
mediates access to PulseAudio at the D-Bus level. As of
2015-05-04:
* this is only done at the AppArmor level. There is WIP to [make
PulseAudio a trusted helper for microphone
access](https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1224756).
The "trust-store" is a library (external to AppArmor) that
services can use. it can prompt, remember the answer, etc.
It's currently limited to mir. It can also be preseeded.
jdstrand is not sure if there is a CLI for that, but that could
be another option. The broader picture is described in the
phone-specific bits at
<https://wiki.ubuntu.com/AccountPrivileges>.
* AppArmor support for D-Bus mediation has made it into D-Bus
upstream, but the kernel bits have not been upstreamed yet.
- regarding Alsa:
* `/dev/snd/pcmC[0-9]D[0-9]c` raw audio devices seem to be capture,
while `/dev/snd/pcmC[0-9]D[0-9]p` devices seem to be playback
devices
* do `/dev/snd/hwC[0-9]D[0-9]` give access to the microphone?
* do `/dev/controlC[0-9]` give access to the microphone?
* does `/dev/snd/seq` give access to the microphone?
* does `/dev/snd/timer` give access to the microphone?
* wide-open access to `$HOME` except blacklist -- everything checked,
potential issues and remaining todo items follow:
- Evince, Totem and their previewers have read-write access to
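Review bot: the Alsa checklist has an inconsistent device path: the control device is listed as `/dev/controlC[0-9]` while every other entry in the same list lives under `/dev/snd/` (`/dev/snd/pcmC[0-9]D[0-9]c`, `/dev/snd/hwC[0-9]D[0-9]`, `/dev/snd/seq`); ALSA control nodes are `/dev/snd/controlC[0-9]`, so the path as written would match nothing when grepping profiles and the item should read `/dev/snd/controlC[0-9]`. Two smaller points in the same hunk: the open question "`abstractions/ubuntu-browsers.d/{java,user-files}` [...] where are they used?" is answered later in this same commit under "Checked already" (they are not used anywhere), so it can be dropped from the todo list rather than kept in both places; and "The Ubuntu phone mediates access to PulseAudio at the D-Bus level" followed by "this is only done at the AppArmor level" reads as contradictory, so it is worth rewording to say which layer actually enforces the mediation today and which is WIP.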
......@@ -121,3 +141,10 @@ Checked already
the `$HOME`, Desktop and download directories; combined with the
`private-files-strict` abstraction, it is probably as tight as we
can do without substantially harming UX
- `abstractions/ubuntu-browsers.d/{java,user-files}` give read-write
access to `$HOME` and its content, but they're not used anywhere
* access to webcam:
- `abstractions/video` gives access via `/sys/class/video4linux/` so
some devices; it's not used in any profile we ship
- most webcams appear as `/dev/video0` or similar; `rgrep -i video`
shows that no profile we ship gives access to such files
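Review bot: the webcam conclusion rests on a check that is too narrow: `rgrep -i video` only finds profiles that literally mention "video", but read-write access to `/dev/video0` can also be granted by a broader rule such as a `/dev/**` or `/dev/* rw` glob, or by an included abstraction that carries such a rule, none of which would match the grep; suggest additionally grepping the shipped profiles and the abstractions they include for `/dev/` globs (and `/sys/class/` and `/dev/snd/` while at it, since the same gap applies to the microphone audit above) before recording this as checked. Also a typo in "`abstractions/video` gives access via `/sys/class/video4linux/` so some devices": "so" should be "to".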