AppArmor Profile For Pulseaudio

Pulseaudio is an application used on many Linux systems to handle audio. It isn’t PIE, so it’s not a bad idea to restrict it. I believe Fedora uses an SELinux profile for Pulseaudio, but as an Ubuntu user I’m left having to make an AppArmor profile for it. If you’ve been reading my blog you’ll know that AppArmor is a Mandatory Access Control system used by default by Ubuntu, among other Linux distributions. Restricting programs with AppArmor limits the potential damage from vulnerabilities in those programs.

This profile works on my 64-bit Ubuntu system. I’ll keep it updated here in case something changes, but I’m watching video via Chrome just fine. It’s obviously not a very strong AppArmor profile, as Pulseaudio starts off running with very high rights/capabilities, but we can at least somewhat limit file access. I’m going to try to limit lib access further, but for now this is something.

I’ll update this as needed, but as it is things should work smoothly. Follow me @insanitybit for consistent updates.

The profile:

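# Last Modified: Tue Apr 16 18:22:57 2013
#include <tunables/global>

# Profile for the per-user pulseaudio daemon on 64-bit Ubuntu.
# The daemon keeps a large capability set, so this profile mainly limits
# which files it can read, write and map.
/usr/bin/pulseaudio {
  # dac_override lets the daemon bypass ordinary file-permission checks, so
  # the "owner" qualifier on the per-user rules below is what keeps one
  # user's daemon out of another user's cookies, X authority files and
  # config. Without "owner", any user's pulseaudio could read every
  # /home/*/.Xauthority on the machine.
  capability chown,
  capability dac_override,
  capability fowner,
  capability fsetid,
  capability kill,
  capability setgid,
  capability setuid,
  capability sys_nice,
  # sys_ptrace together with the @{PROC}/[0-9]*/maps rule at the bottom
  # exposes other processes' memory layout. TODO confirm the daemon
  # actually needs this capability; drop it if audit logs stay quiet.
  capability sys_ptrace,
  capability sys_resource,

  # Devices, system config and the pulse daemon/client configuration.
  /dev/null rw,
  /dev/random r,
  /dev/snd/controlC* rw,
  /dev/snd/pcm* rw,
  /dev/urandom r,
  /etc/group r,
  /etc/ld.so.cache r,
  /etc/locale.alias r,
  /etc/localtime r,
  /etc/nsswitch.conf r,
  /etc/passwd r,
  /etc/pulse/client.conf r,
  /etc/pulse/daemon.conf r,
  /etc/pulse/default.pa r,
  /etc/pulse/system.pa r,
  /etc/udev/udev.conf r,

  # Per-user state: auth cookies, X/ICE authority files and pulse config.
  # Restricted to files owned by the daemon's own uid (see note on
  # dac_override above).
  owner /home/*/.ICEauthority r,
  owner /home/*/.Xauthority r,
  owner /home/*/.config/pulse/ rw,
  owner /home/*/.config/pulse/* rwk,
  owner /home/*/.esd_auth rwk,
  owner /home/*/.pulse-cookie rwk,
  owner /home/*/.pulse/ rw,
  owner /home/*/.pulse/* rw,
  # presumably liborc's JIT scratch file (liborc is mapped below); verify
  owner /home/*/orcexec.* rw,

  # Shared libraries from the base system.
  /lib/x86_64-linux-gnu/libc-*.so mr,
  /lib/x86_64-linux-gnu/libcap.so.* mr,
  /lib/x86_64-linux-gnu/libdbus-*.so.* mr,
  /lib/x86_64-linux-gnu/libdl-*.so mr,
  /lib/x86_64-linux-gnu/libglib-*.so.* mr,
  /lib/x86_64-linux-gnu/libjson.so.* mr,
  /lib/x86_64-linux-gnu/libm-*.so mr,
  /lib/x86_64-linux-gnu/libnsl-*.so mr,
  /lib/x86_64-linux-gnu/libnss_compat-*.so mr,
  /lib/x86_64-linux-gnu/libnss_files-*.so mr,
  /lib/x86_64-linux-gnu/libnss_nis-*.so mr,
  /lib/x86_64-linux-gnu/libpcre.so.* mr,
  /lib/x86_64-linux-gnu/libpthread-*.so mr,
  /lib/x86_64-linux-gnu/libresolv-*.so mr,
  /lib/x86_64-linux-gnu/librt-*.so mr,
  /lib/x86_64-linux-gnu/libselinux.so.* mr,
  /lib/x86_64-linux-gnu/libudev.so.* mr,
  /lib/x86_64-linux-gnu/libuuid.so.* mr,
  /lib/x86_64-linux-gnu/libwrap.so.* mr,
  /lib/x86_64-linux-gnu/libz.so.* mr,

  # Kernel information used for sound-card discovery and scheduling.
  /proc/*/mounts r,
  /proc/asound/card*/ r,
  /proc/asound/card*/pc*/ r,
  /proc/asound/card*/pc*/sub*/ r,
  /proc/asound/card*/pc*/sub*/status r,
  /proc/cpuinfo r,
  /proc/filesystems r,
  /proc/stat r,
  /proc/sys/kernel/ngroups_max r,

  # State for a daemon started by root; "owner" keeps the rules inert
  # for unprivileged users' daemons.
  owner /root/.esd_auth rwk,
  owner /root/.pulse-cookie rw,
  owner /root/.pulse/ rw,
  owner /root/.pulse/* rw,

  # System-mode runtime directory and sockets.
  /run/pulse/ rw,
  /run/pulse/.pulse-cookie rwk,
  /run/pulse/dbus-socket rwk,
  /run/pulse/native rwk,
  /run/pulse/pid rwk,
  # Shared-memory segments exchanged with clients. Left without "owner"
  # because the daemon also attaches segments created by its clients;
  # TODO tighten to "owner" if every client runs as the daemon's uid.
  /run/shm/ r,
  /run/shm/* rw,
  /run/udev/data/*sound:card* r,
  # Per-user runtime directories (the lightdm greeter session included).
  owner /run/user/*/pulse/ rw,
  owner /run/user/*/pulse/* rwk,
  /run/user/lightdm/ rw,
  /run/user/lightdm/pulse/ rw,
  /run/user/lightdm/pulse/* rwk,

  # sysfs browsing for sound-card enumeration and DMI vendor lookups.
  /sys/bus/ r,
  /sys/class/ r,
  /sys/class/sound/ r,
  /sys/devices/pci[0-9]*/**/*class r,
  /sys/devices/pci[0-9]*/**/uevent r,
  /sys/devices/system/cpu/ r,
  /sys/devices/system/cpu/online r,
  /sys/devices/virtual/dmi/id/bios_vendor r,
  /sys/devices/virtual/dmi/id/board_vendor r,
  /sys/devices/virtual/dmi/id/sys_vendor r,

  # "m" alongside "w" lets the daemon map its own writable files under
  # /tmp as executable; presumably needed by liborc's JIT — verify and
  # narrow the path if possible.
  owner /tmp/** mrwk,

  # The daemon itself, its modules, helpers and remaining libraries.
  /usr/bin/pulseaudio mrix,
  /usr/lib/ r,
  /usr/lib/libpulse*.so* mr,
  /usr/lib/locale/locale-archive r,
  /usr/lib/pulse-*/modules/*.so* mr,
  /usr/lib/pulseaudio/pulse/gconf-helper rix,
  /usr/lib/x86_64-linux-gnu/alsa-lib/*pulse.so mr,
  /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache mr,
  /usr/lib/x86_64-linux-gnu/libFLAC.so.* mr,
  /usr/lib/x86_64-linux-gnu/libICE.so.* mr,
  /usr/lib/x86_64-linux-gnu/libSM.so.* mr,
  /usr/lib/x86_64-linux-gnu/libX11-xcb.so.* mr,
  /usr/lib/x86_64-linux-gnu/libX11.so.* mr,
  /usr/lib/x86_64-linux-gnu/libXau.so.* mr,
  /usr/lib/x86_64-linux-gnu/libXdmcp.so.* mr,
  /usr/lib/x86_64-linux-gnu/libXext.so.* mr,
  /usr/lib/x86_64-linux-gnu/libXtst.so.* mr,
  /usr/lib/x86_64-linux-gnu/libasound.so.* mr,
  /usr/lib/x86_64-linux-gnu/libasyncns.so.* mr,
  /usr/lib/x86_64-linux-gnu/libdbus-glib-1.so.* mr,
  /usr/lib/x86_64-linux-gnu/libffi.so.* mr,
  /usr/lib/x86_64-linux-gnu/libgconf-*.so.* mr,
  /usr/lib/x86_64-linux-gnu/libgio-*.so.* mr,
  /usr/lib/x86_64-linux-gnu/libgmodule-*.so.* mr,
  /usr/lib/x86_64-linux-gnu/libgobject-*.so.* mr,
  /usr/lib/x86_64-linux-gnu/libjson.so.* mr,
  /usr/lib/x86_64-linux-gnu/libltdl.so.* mr,
  /usr/lib/x86_64-linux-gnu/libogg.so.* mr,
  /usr/lib/x86_64-linux-gnu/liborc-*.so.* mr,
  /usr/lib/x86_64-linux-gnu/libpulse.so.* mr,
  /usr/lib/x86_64-linux-gnu/libsamplerate.so.* mr,
  /usr/lib/x86_64-linux-gnu/libsndfile.so.* mr,
  /usr/lib/x86_64-linux-gnu/libspeexdsp.so.* mr,
  /usr/lib/x86_64-linux-gnu/libtdb.so.* mr,
  /usr/lib/x86_64-linux-gnu/libvorbis.so.* mr,
  /usr/lib/x86_64-linux-gnu/libvorbisenc.so.* mr,
  /usr/lib/x86_64-linux-gnu/libxcb.so.* mr,
  /usr/lib/x86_64-linux-gnu/pulseaudio/lib*-*.so* mr,
  /usr/share/alsa/** r,
  /usr/share/applications/ r,
  /usr/share/applications/* r,
  /usr/share/pulseaudio/** r,
  /var/lib/dbus/machine-id r,

  # lightdm greeter session: X authority, cookies and pulse config.
  /var/lib/lightdm/.Xauthority r,
  /var/lib/lightdm/.config/pulse/ rw,
  /var/lib/lightdm/.config/pulse/* rwk,
  /var/lib/lightdm/.esd_auth rwk,
  owner /var/lib/lightdm/.pulse-cookie rwk,
  /var/lib/lightdm/.pulse/ r,
  owner /var/lib/lightdm/.pulse/* w,
  /var/lib/lightdm/.pulse/* r,

  # System-mode persistent state (default sink/source and tdb databases).
  /var/lib/pulse/ rw,
  /var/lib/pulse/*-default-sink rw,
  /var/lib/pulse/*-default-source rw,
  /var/lib/pulse/*.tdb rw,

  # Process introspection; combined with sys_ptrace above this reads any
  # process's fd list, memory map and stat — TODO confirm it is required.
  @{PROC}/[0-9]*/fd/ r,
  @{PROC}/[0-9]*/maps r,
  @{PROC}/[0-9]*/stat r,

}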
