[pulseaudio-discuss] AppArmor profile for PulseAudio

Mikhail Morfikov mmorfikov at gmail.com
Sun Sep 17 18:49:32 UTC 2017 

On 2017-09-17 18:12, Tanu Kaskinen wrote:
> On Thu, 2017-09-14 at 12:33 +0200, Mikhail Morfikov wrote:
>> Hello,
>>
>> I wrote an experimental AppArmor profile for PulseAudio. I also have some
>> profiles for bunch of other apps [1], and the question I want to ask isn't
>> really connected to those profiles, but rather it concerns interactions between
>> some processes and PulseAudio.
>>
>> For instance, I use SMPlayer to watch movies. I also have AppArmor profile for
>> this app, and it's loaded in enforce mode. I've been using this app for some
>> time without any "denied" messages in the system log. After adding the
>> PulseAudio profile to AppArmor (in complain mode so far), I noticed that
>> AppArmor reports the following logs:
>>
>> kernel: audit: type=1400 audit(1505370398.880:1005): apparmor="DENIED"
>> operation="capable" profile="/usr/bin/smplayer" pid=40033 comm="pacmd"
>> capability=19  capname="sys_ptrace"
>> kernel: audit: type=1400 audit(1505370398.880:1006): apparmor="DENIED"
>> operation="ptrace" profile="/usr/bin/smplayer" pid=40033 comm="pacmd"
>> peer="/usr/bin/pulseaudio"
>>
>> As you can see, these messages concerns the SMPlayer profile and not the
>> PulseAudio profile. This can be solved by adding the following rules to the
>> SMPlayer profile:
>>
>>   capability sys_ptrace,
>>   ptrace (trace) peer=/usr/bin/pulseaudio,
>>
>> Why does SMPlayer need the rules now? I have its profile for a while, and
>> SMPlayer never asked for the rules. I know that it's because of creating the
>> profile for PulseAudio, but can anyone explain why?
>>
>> What do the rules actually mean? What would happen when I didn't add them?
>> SMPlayer seems to work just fine without the CAP and ptrace rule.
>>
>> Can anyone cast some light on this?
>>
>> [1] https://github.com/morfikov/files/tree/master/configs/etc/apparmor.d/
> 
> It seems that smplayer is using pacmd for something. pacmd sends a
> signal to pulseaudio, maybe that requires the sys_ptrace capability?
> 
> smplayer could probably replace pacmd with pactl. The two programs are
> roughly equivalent, the difference is that pactl doesn't do anything
> weird like sending signals.
> 
> In any case using pacmd or pactl from smplayer sounds like an ugly
> hack. There are probably nicer ways to do whatever smplayer is doing.
> 
Thanks for the hint. I'll try to ask them, and maybe they'll say something about
this. I have some other players (vlc, mpv) and they don't need any extra rules.

-- 
Morfik

More information about the pulseaudio-discuss mailing list