[apparmor] I want audio all the time.

apparmor at eli.users.panix.com apparmor at eli.users.panix.com
Fri Aug 26 06:24:13 UTC 2011


I've got a system running Ubuntu 11.4. It's got hardware that has
played sounds for me -- even with the current OS. It's also got a
twisty maze of rooms all alike of access control on this that and
the other which make it hard for me to play audio all the time.
Some sort of "session" or "seat" thing seems to think I'm not
allowed to use the speakers whenever I want to.

This seems like a very reasonable control to put on a large multi-
user system. Which is exactly /not/ what I am running.

I have reasoned that since pulseaudio provides the sound interface,
if I wrote a profile for that program I should be able to play sound
anytime. I don't know if there is a hole in my reasoning or a problem
with my profile, but it is not working.

Here's the profile I've come up with:

  /usr/bin/pulseaudio flags=(complain) {
  # All profiles should have base
    #include <abstractions/base>

  # All the audio stuff should be open to pulseaudio

    #include <abstractions/audio>

  # Anything that calls system(3) probably needs the bash abstraction
  # It might apply.
    #include <abstractions/bash>

    /etc/pulse r,

    @{HOME}/** r,
  }

(An aside with two complaints: 1] Comments should NOT do things. If "#"
starts a comment, then it is really stupid that "#include" does
something.  2] In /etc/, if something ends with .d it is a directory.
When there is /etc/$FOO and /etc/$FOO.d then one of those should be a
file and one a directory. As installed, /etc/apparmor and /etc/apparmor.d
are both directories. You're doing it wrong.)

So anyway. Pulseaudio runs, there appear to be no apparmor complaints
about it and plenty of ALLOWEDs in syslog (PS1=": root ; "):

: root ; grep -c profile=./usr/bin/pulseaudio syslog
59
: root ; grep -c ALLOWED.*profile=./usr/bin/pulseaudio syslog
59
: root ;

But pulseaudio thinks I don't have an audio card, so I think I might
not be allowing something it needs to find my audio. 

It's long, and might not be relevant, so I didn't paste it in, but I
do have "pactl list" output from when pulseaudio worked and now:

http://www.panix.com/~eli/pa/pactl.list.pre.txt
http://www.panix.com/~eli/pa/pactl.list.post-apparmor.txt

Pre has found my audio hardware, post has not.

Elijah
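
An added example, not part of the original message: in complain mode AppArmor does not block anything; it logs each access the profile does not cover as ALLOWED. The `name` and `denied_mask` fields of those lines are therefore more informative than the count. The sketch below groups them for one profile. The syslog lines, host name, and paths in it are constructed samples.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the kernel audit format AppArmor writes to syslog.
SAMPLE_SYSLOG = """\
Aug 26 06:10:01 box kernel: [  101.1] type=1400 audit(1314339001.100:21): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/bin/pulseaudio" name="/etc/pulse/daemon.conf" pid=1500 comm="pulseaudio" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 26 06:10:01 box kernel: [  101.2] type=1400 audit(1314339001.200:22): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/bin/pulseaudio" name="/home/user/.pulse-cookie" pid=1500 comm="pulseaudio" requested_mask="rw" denied_mask="w" fsuid=1000 ouid=1000
Aug 26 06:10:02 box kernel: [  102.0] type=1400 audit(1314339002.000:23): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/bin/pulseaudio" name="/etc/pulse/daemon.conf" pid=1500 comm="pulseaudio" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 26 06:10:03 box kernel: [  103.0] type=1400 audit(1314339003.000:24): apparmor="DENIED" operation="open" parent=1 profile="/usr/sbin/cupsd" name="/tmp/example" pid=900 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Aug 26 06:10:05 box CRON[1600]: (root) CMD (true)
"""

# key=value pairs; values are either double-quoted or a bare token.
FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_line(line):
    """Return the key=value fields of one AppArmor audit line, or None."""
    if "apparmor=" not in line:
        return None
    return {k: (q if raw.startswith('"') else raw)
            for k, raw, q in FIELD.findall(line)}


def summarize(text, profile):
    """Count verdicts and collect, per path, the access the profile lacked."""
    verdicts = Counter()
    missing = defaultdict(set)
    for line in text.splitlines():
        fields = parse_line(line)
        if not fields or fields.get("profile") != profile:
            continue
        verdicts[fields["apparmor"]] += 1
        if "name" in fields and "denied_mask" in fields:
            # Some older kernels wrote masks as "r::"; drop the separators.
            missing[fields["name"]].update(fields["denied_mask"].replace(":", ""))
    return verdicts, {p: "".join(sorted(m)) for p, m in missing.items()}


if __name__ == "__main__":
    verdicts, missing = summarize(SAMPLE_SYSLOG, "/usr/bin/pulseaudio")
    print(dict(verdicts))
    for path, mask in sorted(missing.items()):
        print(f"  {path} {mask},")
```
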


