[apparmor] How to limit the microphone access to certain apps?
Mikhail Morfikov
mmorfikov at gmail.com
Mon May 20 12:42:25 UTC 2019
There's currently an abstraction *abstractions/audio* which
gives access to all devices/files that have something to do
with playing/capturing sounds. Many apps need only the
playback devices to play sounds. Other apps need also the
capture devices, so they could record sounds via a microphone.
Some people don't want to grant the access to the microphone,
for instance, in web browsers, or in a text-only messaging
app. I thought if I denied the access to the devices like
*pcmC[0-9]D[0-9]c* , the app, which wants to use the mic,
wouldn't be able to do it. But it looks like even adding in
the app's apparmor profile a rule that denies access to
anything under the /dev/snd/ dir doesn't really prevent
the app from accessing the microphone, or the soundcard.
It looks like PulseAudio is involved here because when I
removed all the PA rules from the *abstractions/audio* file,
the app can't detect the soundcard anymore, and hence it
can't play or record any sound.
So how to limit the mic access to certain apps using apparmor
profiles? Is that even possible, or am I only forced to grant
the app the full access to the soundcard?
I'm currently using the linux kernel 5.1.2.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/apparmor/attachments/20190520/7706a3d4/attachment.sig>
More information about the AppArmor
mailing list