There's currently an abstraction *abstractions/audio* which gives access to all devices/files that have something to do with playing/capturing sounds. Many apps need only the playback devices to play sounds. Other apps also need the capture devices, so they can record sounds via a microphone. Some people don't want to grant access to the microphone, for instance, in web browsers, or in a text-only messaging app. I thought if I denied access to devices like *pcmC[0-9]D[0-9]c*, the app that wants to use the mic wouldn't be able to do it. But it looks like even adding a rule to the app's AppArmor profile that denies access to anything under the /dev/snd/ dir doesn't really prevent the app from accessing the microphone, or the soundcard.

It looks like PulseAudio is involved here because when I removed all the PA rules from the *abstractions/audio* file, the app couldn't detect the soundcard anymore, and hence it couldn't play or record any sound. So how can I limit mic access to certain apps using AppArmor profiles? Is that even possible, or am I forced to grant the app full access to the soundcard? I'm currently using Linux kernel 5.1.2.
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
