snappy-hwe-snaps

Merge ~morphis/snappy-hwe-snaps/+git/pulseaudio:feature/disallow-module-loading into ~snappy-hwe-team/snappy-hwe-snaps/+git/pulseaudio:master

  1. Git
  2. lp:~morphis/snappy-hwe-snaps/+git/pulseaudio
  3. feature/disallow-module-loading
  4. Merge into master
Proposed by Simon Fels
Status: Merged
Approved by: Jim Hodapp
Approved revision: 300690f4c7d1d77364d120a4530f10b0d8c77add
Merged at revision: fbe9b6530fd0b838c0158b23f71ee44c7507c388
Proposed branch: ~morphis/snappy-hwe-snaps/+git/pulseaudio:feature/disallow-module-loading
Merge into: ~snappy-hwe-team/snappy-hwe-snaps/+git/pulseaudio:master
Diff against target: 33 lines (+10/-1)
2 files modified
bin/pulseaudio (+2/-1)
tests/main/module-loading-disabled/task.yaml (+8/-0)
Reviewer Review Type Date Requested Status
System Enablement Bot continuous-integration Approve
Jim Hodapp (community) code Approve
Konrad ZapaƂowicz Pending
Review via email: mp+314716@code.launchpad.net

Description of the change

Disallow module loading as recommended by upstream

Upstream recommends disabling module loading when running pulseaudio
in system mode to prevent users from loading malicious code into the
daemon.

To post a comment you must log in.
Revision history for this message
Jim Hodapp (jhodapp) wrote :

Looks very good, thanks for being proactive on this.

review: Approve (code)
Revision history for this message
System Enablement Bot (system-enablement-ci-bot) wrote :

PASSED: Continuous integration, rev:300690f4c7d1d77364d120a4530f10b0d8c77add
https://jenkins.canonical.com/system-enablement/job/generic-build-snap/637/
Executed test runs:
    SUCCESS: https://jenkins.canonical.com/system-enablement/job/generic-run-snap-spread-tests/356
    None: https://jenkins.canonical.com/system-enablement/job/generic-update-snap-mp/545/console

Click here to trigger a rebuild:
https://jenkins.canonical.com/system-enablement/job/generic-build-snap/637/rebuild

review: Approve (continuous-integration)
Revision history for this message
System Enablement Bot (system-enablement-ci-bot) wrote :

PASSED: Continuous integration, rev:300690f4c7d1d77364d120a4530f10b0d8c77add
https://jenkins.canonical.com/system-enablement/job/generic-build-snap/642/
Executed test runs:
    SUCCESS: https://jenkins.canonical.com/system-enablement/job/generic-run-snap-spread-tests/360
    None: https://jenkins.canonical.com/system-enablement/job/generic-update-snap-mp/550/console

Click here to trigger a rebuild:
https://jenkins.canonical.com/system-enablement/job/generic-build-snap/642/rebuild

review: Approve (continuous-integration)

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/bin/pulseaudio b/bin/pulseaudio
2index d9fb85f..8e23f97 100755
3--- a/bin/pulseaudio
4+++ b/bin/pulseaudio
5@@ -15,12 +15,13 @@ EXTRA_ARGS=
6
7 if [ -e $SNAP_DATA/config/debug ] ; then
8 EXTRA_ARGS="$EXTRA_ARGS -vvvv"
9- export LIBASOUND_DEBUG=1
10+ export LIBASOUND_DEBUG=1
11 fi
12
13 $SNAP/usr/bin/pulseaudio \
14 --exit-idle-time=-1 \
15 --disallow-exit=yes \
16+ --disallow-module-loading \
17 --system \
18 -F $SNAP/etc/pulse/default.pa \
19 -p $SNAP/usr/lib/pulse-8.0/modules \
20diff --git a/tests/main/module-loading-disabled/task.yaml b/tests/main/module-loading-disabled/task.yaml
21new file mode 100644
22index 0000000..39798f8
23--- /dev/null
24+++ b/tests/main/module-loading-disabled/task.yaml
25@@ -0,0 +1,8 @@
26+summary: Verify module loading is disabled
27+
28+description: |
29+ As we're running pulseaudio in system mode (see https://www.freedesktop.org/wiki/Software/PulseAudio/Documentation/User/SystemWide/)
30+ for more details we have module loading disabled to prevent any client from loading malicious code into the daemon.
31+
32+execute: |
33+ ! /snap/bin/pulseaudio.pactl load-module module-null-sink

Subscribers

People subscribed via source and target branches

to all changes: