Bug#857798: Please add an AppArmor profile for Pulseaudio

Felipe Sateler fsateler at debian.org
Wed Mar 15 13:03:30 UTC 2017

Control: tags -1 moreinfo


On Wed, Mar 15, 2017 at 5:07 AM, Ulrike Uhlig <ulrike at debian.org> wrote:
> Package: pulseaudio
> Severity: normal
> Hi,
> as you might know, AppArmor confines programs according to a set of
> rules that specify what files a given program can access. This approach
> helps protect the system against both known and unknown vulnerabilities.
> In several distributions such as Ubuntu or Tails, AppArmor is enabled by
> default.
> There is an AppArmor profile for Pulseaudio available upstream:
> https://git.launchpad.net/apparmor-profiles/tree/ubuntu/17.04/usr.bin.pulseaudio
> I've asked the original authors if this profile is ready to be included
> and they confirmed. In any case, this profile is only active if people
> have installed AppArmor in the first place, so it should never break the
> package for users without AppArmor.
> The profile can be included in the Pulseaudio packaging quite easily.
> All the necessary steps are documented here:
> https://wiki.debian.org/AppArmor/Contribute/FirstTimeProfileImport
> Please also see examples in the packages torbrowser-launcher or in
> Icedove
> (https://anonscm.debian.org/cgit/pkg-mozilla/icedove.git/tree/debian).

I have some doubts:

1. What is the benefit of shipping the profile info in pulseaudio
versus shipping it in the apparmor-profiles package?
2. Wouldn't that benefit be best achieved if the profile was shipped
by (pulse) upstream?

I'm wary of being in charge of stuff I don't use, and I would think
upstream would be as well. Would apparmor maintainers be willing to
step in to help when problems appear with the profile?

> I'll try to prepare a patch to make it easier for you to integrate it.

That would be great.


Felipe Sateler
