Bug#857798: Please add an AppArmor profile for Pulseaudio
Felipe Sateler
fsateler at debian.org
Wed Mar 15 13:03:30 UTC 2017
Control: tags -1 moreinfo
Hi,
On Wed, Mar 15, 2017 at 5:07 AM, Ulrike Uhlig <ulrike at debian.org> wrote:
> Package: pulseaudio
> Severity: normal
>
> Hi,
>
> as you might know, AppArmor confines programs according to a set of
> rules that specify what files a given program can access. This approach
> helps protect the system against both known and unknown vulnerabilities.
> In several distributions such as Ubuntu or Tails, AppArmor is enabled by
> default.
>
> There is an AppArmor profile for Pulseaudio available upstream:
> https://git.launchpad.net/apparmor-profiles/tree/ubuntu/17.04/usr.bin.pulseaudio
> I've asked the original authors if this profile is ready to be included
> and they confirmed. In any case, this profile is only active if people
> have installed AppArmor in first case, so it should never break the
> package for users without AppArmor.
>
> The profile can be included in the Pulseaudio packaging quite easily.
> All the necessary steps are documented here:
> https://wiki.debian.org/AppArmor/Contribute/FirstTimeProfileImport
>
> Please also see examples in the packages torbrowser-launcher or in
> Icedove
> (https://anonscm.debian.org/cgit/pkg-mozilla/icedove.git/tree/debian).
I have some doubts:
1. What is the benefit of shipping the profile info in pulseaudio
versus shipping it in the apparmor-profiles package?
2. Wouldn't that benefit be best achieved if the profile was shipped
by (pulse) upstream?
I'm wary of being in charge of stuff I don't use, and I would think
upstream would be as well. Would apparmor maintainers be willing to
step in to help when problems appear with the profile?
>
> I'll try to prepare a patch to make it easier for you to integrate it.
That would be great.
--
Saludos,
Felipe Sateler
More information about the pkg-pulseaudio-devel
mailing list