snappy-hwe-snaps

Merge ~morphis/snappy-hwe-snaps/+git/pulseaudio:feature/disallow-module-loading into ~snappy-hwe-team/snappy-hwe-snaps/+git/pulseaudio:master

  1. Git
  2. lp:~morphis/snappy-hwe-snaps/+git/pulseaudio
  3. feature/disallow-module-loading
  4. Merge into master
Proposed by Simon Fels
Status: Rejected
Rejected by: Simon Fels
Proposed branch: ~morphis/snappy-hwe-snaps/+git/pulseaudio:feature/disallow-module-loading
Merge into: ~snappy-hwe-team/snappy-hwe-snaps/+git/pulseaudio:master
Diff against target: 33 lines (+10/-1)
2 files modified
bin/pulseaudio (+2/-1)
tests/main/module-loading-disabled/task.yaml (+8/-0)
Reviewer Review Type Date Requested Status
System Enablement Bot continuous-integration Approve
Review via email: mp+314715@code.launchpad.net

Description of the change

Disallow module loading as recommended by upstream

Upstream recommends disabling module loading when running pulseaudio
in system mode to prevent users from loading malicious code into the
daemon.

To post a comment you must log in.
Revision history for this message
System Enablement Bot (system-enablement-ci-bot) wrote :

FAILED: Continuous integration, rev:300690f4c7d1d77364d120a4530f10b0d8c77add
https://jenkins.canonical.com/system-enablement/job/generic-build-snap/638/
Executed test runs:
    FAILURE: https://jenkins.canonical.com/system-enablement/job/generic-run-snap-spread-tests/357/console
    None: https://jenkins.canonical.com/system-enablement/job/generic-update-snap-mp/546/console

Click here to trigger a rebuild:
https://jenkins.canonical.com/system-enablement/job/generic-build-snap/638/rebuild

review: Needs Fixing (continuous-integration)
Revision history for this message
System Enablement Bot (system-enablement-ci-bot) wrote :

PASSED: Continuous integration, rev:300690f4c7d1d77364d120a4530f10b0d8c77add
https://jenkins.canonical.com/system-enablement/job/generic-build-snap/643/
Executed test runs:
    SUCCESS: https://jenkins.canonical.com/system-enablement/job/generic-run-snap-spread-tests/361
    None: https://jenkins.canonical.com/system-enablement/job/generic-update-snap-mp/551/console

Click here to trigger a rebuild:
https://jenkins.canonical.com/system-enablement/job/generic-build-snap/643/rebuild

review: Approve (continuous-integration)

Unmerged commits

300690f... by Simon Fels

Disallow module loading as recommended by upstream

Upstream recommends disabling module loading when running pulseaudio
in system mode to prevent users from loading malicious code into the
daemon.

8bf1198... by Simon Fels

Correct indentation of export statement

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/bin/pulseaudio b/bin/pulseaudio
2index d9fb85f..8e23f97 100755
3--- a/bin/pulseaudio
4+++ b/bin/pulseaudio
5@@ -15,12 +15,13 @@ EXTRA_ARGS=
6
7 if [ -e $SNAP_DATA/config/debug ] ; then
8 EXTRA_ARGS="$EXTRA_ARGS -vvvv"
9- export LIBASOUND_DEBUG=1
10+ export LIBASOUND_DEBUG=1
11 fi
12
13 $SNAP/usr/bin/pulseaudio \
14 --exit-idle-time=-1 \
15 --disallow-exit=yes \
16+ --disallow-module-loading \
17 --system \
18 -F $SNAP/etc/pulse/default.pa \
19 -p $SNAP/usr/lib/pulse-8.0/modules \
20diff --git a/tests/main/module-loading-disabled/task.yaml b/tests/main/module-loading-disabled/task.yaml
21new file mode 100644
22index 0000000..39798f8
23--- /dev/null
24+++ b/tests/main/module-loading-disabled/task.yaml
25@@ -0,0 +1,8 @@
26+summary: Verify module loading is disabled
27+
28+description: |
29+ As we're running pulseaudio in system mode (see https://www.freedesktop.org/wiki/Software/PulseAudio/Documentation/User/SystemWide/)
30+ for more details we have module loading disabled to prevent any client from loading malicious code into the daemon.
31+
32+execute: |
33+ ! /snap/bin/pulseaudio.pactl load-module module-null-sink

Subscribers

People subscribed via source and target branches

to all changes: