[pulseaudio-discuss] More on the native protocol complexity

Lennart Poettering lennart at poettering.net
Sat Apr 24 17:10:49 PDT 2010 

On Fri, 23.04.10 13:36, Rafal Wojtczuk (rafal at invisiblethingslab.com) wrote:

> Hello,
> On Apr 5, Lennart wrote (about native protocol):
> > Note that the protocol is kinda complex, both because it grew
> > historically and because some parts have to be complex. i.e. the
> > timing/flow control logic is non-trivial. Reimplementing that won't be
> > fun.
> >
> > tbh I don't think the native protocol while it works quite well these
> > days is something that deserves to be reimplemented by other projects.
> 
> The problem is that for some tasks the complexity of the native protocol is
> prohibitive. Consider the following scenario (that I am trying to solve
> now):
> There are two [virtual btw] machines, VM_USER and VM_HOST. We want to allow
> users in VM_USER to play sound on the soundcard attached to VM_HOST. So, the
> obvious method is to run pulseaudio daemon in VM_HOST, and prepare client.conf 
> in VM_USER so that it connects pa clients to VM_HOST over the network. However,
> VM_HOST does not want to trust VM_USER more than necessary. VM_HOST does not
> want to give VM_USER full access to the native protocol capabilities (like
> PA_COMMAND_LOAD_MODULE), nor to give it a chance to exploit a potential bug 
> (logic one, or buffer overflow) in this 150K C-code protocol.

PA does not do any access control on anything beyond on the connections
themselves. (With one exception: for uses in the system-wide stuff you
can switch off module loading after startup with
--disallow-module-loading. In fact that switch is enforced nowadays if
you enable system mode, IIRC).

It's a bit like X in that area: once you are connected you get full
access. And I belive that makes sense, as this is not really software to
be exposed on the internet, and adding a full access control layer would
add a massive and complex code piece I really don't want to
maintain. Especially since I don't want to guarantee that that kind of
access control would be enforced everywhere and properly. Or in other
words: I don't want to make a promise that I cannot really keep and
would mean a lot of work for something unnecessary on most setups.

I have been advocating not to use the system-mode of PA, unless folks
have a very good reason, precisely due to things like this.

So, I said it many times and I say it again: you really want to make
sure that client and server can trust each other. The PA protocol is not
suitable as a security isolation for audio apps.

Note that I don't really say all this lightly. For the record,
avahi-daemon (which I mostly wrote), is still the only software on
modern distributions that is installed by default and by default
chroot()s itself for security reasons. It also uses Linux capabilities
to minimizes its security impact. Avahi is probably still one of the
safest daemons in Linux distro default installations you can find these
days ;-). I have thought doing something similar for PA when running it
in system mode. However, that really doesn't work, because PA is
highly extensible and uses a lot of libraries that are hard to
oversee. The number of holes one would have to punch in a security jail
such as chroot() would make the whole story moot. Systems like SELinux are
probably better way to secure things here.

> A solution acceptable from VM_HOST's point of view on security is:
> 1) Load module-simple-protocol-tcp in VM_HOST
> 2) Run pulseaudio daemon in VM_USER (and make users connect to it, instead
> to VM_HOST). Load module-pipe-sink, and pass the pipe output over the network 
> to port 4711 in VM_HOST (to module-simple-protocol-tcp code).

That is not workable, as this provides no timing info at all. Video will
be jumpy, and with uncontrolled latencies.

> Anything else I could try ?

Yes: jail PA in some security framework. Make it drop privs. Use SELinux.

> > timing/flow control logic is non-trivial. Reimplementing that won't be
> > fun.
> Yeah.
> But in this particular example (particular e.g. because we can assume near 0
> network latency), can someone figure out some better configuration, based on
> module-simple-protocol-tcp+module-pipe-sink or anything else that does not
> involve a complex protocol, but achieves good synchronization ? 

Well, what I usually suggest to thin client people is to use some
security framework to limit the impact what PA could do if some rogue
user manages to exploit it. At the very least disable module loading and
make it drop privs, as the system mode will do for you. And then, each
time a different user connects make sure to restart PA and erase its
state files in the FS.

Something similar applies to X, as the X protocol is even more complex
(though probably better known and understood).

> Alternatively, is it possible to quickly estimate how many of 90 PA_COMMAND_* 
> functions in protocol-native.c are required to be implemented to allow 
> simple playback only ? Maybe it would be possible to implement
> simplified-native-protocol.c, or sanitize incoming packets before passing
> them to pulseaudio.

Probably not too many of those commands are necessary of basic
clients. The majority is used exclusively by software like pavucontrol.  

Lennart

-- 
Lennart Poettering                        Red Hat, Inc.
lennart [at] poettering [dot] net
http://0pointer.net/lennart/           GnuPG 0x1A015CC4

More information about the pulseaudio-discuss mailing list