[apparmor] I want audio all the time.

Seth Arnold seth.arnold at gmail.com
Fri Aug 26 07:28:53 UTC 2011


Sorry for rubbish blackberry quoting.

First, your complaints, very well put. You can use bare "include" for the parser, but I think the tools might not yet handle it well. And the giant pile of /etc configuration stuff is definitely less than elegant. "apparmor.d" is all-policy, and the other directory is because we got lazy and didn't force all tools to parse a single config file for their non-policy config. I wonder if it is too late to clean it up?

Second: have you been testing pulseaudio and doing suspend/resume stuff? I've come to detest pulseaudio for not working most of the time, but I've found that running gnome-volume-something and selecting the analog output device rather than my digital hdmi output device does the trick. When the devices aren't listed in that dialog, I kill pulseaudio then curse firefox (ff craps itself because some silly sound daemon went missing). Audio seems to work immediately after boot, but almost never after suspend/resume. I think killing pulseaudio lets it find the card again. Maybe I'm just playing cargo-cult with the cause.

(Honestly, bare ALSA alone never gave me as much trouble as pulseaudio. Hell, OSS never gave me this much trouble either, but perhaps it really was the wrong driver architecture.)

An AppArmor policy that is in complain mode shouldn't influence the program in any way. (There was something, once, but I can no longer recall the details. I think it was a bug with capabilities enforcement...)

Any time AppArmor does influence the execution of a program, there should be a log message about it (unless suppressed with a "deny" rule). Those ALLOWED lines are places that pulseaudio _would_ fail if you changed the policy to enforcing -- so be sure to use aa-logprof (or hand-edit) to add those entries to your policy before removing the complain mode flag.

An AppArmor policy won't do anything for polkit -- they're different, unrelated beasts. Back in the day, you just added your userid to the audio group in /etc/groups and audio just worked -- maybe that still suffices for polkit?

But I'm guessing we're both seeing silly bugs, instead. I hope some of my rambling is useful.

-----Original Message-----
From: apparmor at eli.users.panix.com
Sender: apparmor-bounces at lists.ubuntu.com
Date: Fri, 26 Aug 2011 02:24:13 
To: <apparmor at lists.ubuntu.com>
Subject: [apparmor] I want audio all the time.

I've got a system running Ubuntu 11.4. It's got hardware that has
played sounds for me -- even with the current OS. It's also got a
twisty maze of rooms all alike of access control on this that and
the other which make it hard for me to play audio all the time.
Some sort of "session" or "seat" thing seems to think I'm not
allowed to use the speakers whenever I want to.

This seems like a very reasonable control to put on a large multi-
user system. Which is exactly /not/ what I am running.

I have reasoned that since pulseaudio provides the sound interface,
if I wrote a profile for that program I should be able to play sound
anytime. I don't know if there is a hole in my reasoning or a problem
with my profile, but it is not working.

Here's the profile I've come up with:

  /usr/bin/pulseaudio flags=(complain) {
  # All profiles should have base
    #include <abstractions/base>

  # All the audio stuff should be open to pulseaudio

    #include <abstractions/audio>

  # Anything that calls system(3) probably needs the bash abstraction
  # It might apply.
    #include <abstractions/bash>

    /etc/pulse r,

    @{HOME}/** r,
  }

(An aside with two complaints: 1] Comments should NOT do things. If "#"
starts a comment, then it is really stupid that "#include" does
something.  2] In /etc/, if something ends with .d it is a directory.
When there is /etc/$FOO and /etc/$FOO.d then one of those should be a
file and one a directory. As installed, /etc/apparmor and /etc/apparmor.d
are both directories. You're doing it wrong.)

So anyway. Pulseaudio runs, there appear to be no apparmor complaints
about it and plenty of ALLOWEDs in syslog (PS1=": root ; "):

: root ; grep -c profile=./usr/bin/pulseaudio syslog
59
: root ; grep -c ALLOWED.*profile=./usr/bin/pulseaudio syslog
59
: root ;

But pulseaudio thinks I don't have an audio card, so I think I might
not be allowing something it needs to find my audio. 

It's long, and might not be relevant, so I didn't paste it in, but I
do have "pactl list" output from when pulseaudio worked and now:

http://www.panix.com/~eli/pa/pactl.list.pre.txt
http://www.panix.com/~eli/pa/pactl.list.post-apparmor.txt

Pre has found my audio hardware, post has not.

Elijah
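
The reply's point that every ALLOWED line marks an access that would fail under enforce mode can be illustrated with code. The following is an added example, not part of the original thread and not AppArmor's own tooling: it groups complain-mode entries for one profile into the rules that would have to exist before the complain flag is removed. The log lines are constructed samples and the function names are hypothetical; aa-logprof remains the supported way to do this.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines for illustration; not taken from the thread.
SAMPLE_LOG = '''\
Aug 26 02:10:01 host kernel: [ 100.1] type=1400 audit(1314324601.101:45): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/bin/pulseaudio" name="/dev/snd/controlC0" pid=1234 comm="pulseaudio" requested_mask="rw" denied_mask="rw" fsuid=1000 ouid=0
Aug 26 02:10:01 host kernel: [ 100.2] type=1400 audit(1314324601.102:46): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/bin/pulseaudio" name="/etc/pulse/daemon.conf" pid=1234 comm="pulseaudio" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Aug 26 02:10:02 host kernel: [ 100.3] type=1400 audit(1314324602.103:47): apparmor="ALLOWED" operation="mknod" parent=1 profile="/usr/bin/pulseaudio" name="/home/user/.pulse/pid" pid=1234 comm="pulseaudio" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Aug 26 02:10:02 host kernel: [ 100.4] type=1400 audit(1314324602.104:48): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/bin/pulseaudio" name="/home/user/.pulse/pid" pid=1234 comm="pulseaudio" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Aug 26 02:10:03 host kernel: [ 100.5] type=1400 audit(1314324603.105:49): apparmor="ALLOWED" operation="capable" parent=1 profile="/usr/bin/pulseaudio" pid=1234 comm="pulseaudio" capability=23 capname="sys_nice"
Aug 26 02:10:04 host kernel: [ 100.6] type=1400 audit(1314324604.106:50): apparmor="ALLOWED" operation="open" parent=1 profile="/usr/lib/firefox/firefox" name="/etc/hosts" pid=2222 comm="firefox" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
'''

FIELD = re.compile(r'(\w+)=("([^"]*)"|\S+)')
LOG_TO_RULE = {"c": "w", "d": "w"}  # logged create/delete are covered by 'w' in a rule
ORDER = "rwaklm"                    # conventional ordering of file permissions

def parse(line):
    """Return the key=value fields of one audit line as a dict (quotes stripped)."""
    return {k: (q if raw.startswith('"') else raw) for k, raw, q in FIELD.findall(line)}

def candidate_rules(log_text, profile):
    """List the rules that ALLOWED events for `profile` imply; review before use."""
    files, caps = defaultdict(set), set()
    for line in log_text.splitlines():
        ev = parse(line)
        if ev.get("apparmor") != "ALLOWED" or ev.get("profile") != profile:
            continue
        if ev.get("operation") == "capable":
            caps.add(ev.get("capname", "?"))
        elif "name" in ev:
            mask = ev.get("denied_mask", "").replace(":", "")  # some kernels log "r::"
            files[ev["name"]].update(LOG_TO_RULE.get(c, c) for c in mask)
    rules = []
    for path, perms in sorted(files.items()):
        if "x" in perms:  # exec needs a transition mode (ix/px/cx/ux): decide by hand
            rules.append(f"# exec seen: {path}")
        rw = "".join(sorted(perms - {"x"}, key=ORDER.find))
        if rw:
            rules.append(f"{path} {rw},")
    return rules + [f"capability {c}," for c in sorted(caps)]

if __name__ == "__main__":
    print("\n".join(candidate_rules(SAMPLE_LOG, "/usr/bin/pulseaudio")))
```

The output is a list of literal paths; generalising them into globs or abstractions is still a manual review step.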
