[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
** Changed in: pulseaudio (Ubuntu) Importance: Undecided => High -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: Fix Released Status in pulseaudio source package in Bionic: Fix Released Bug description: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio- playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio- interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes $ exit # out of snap run --shell For strict snaps with pulseaudio: $ sudo snap install test-snapd-pulseaudio --edge $ sudo snap connect test-snapd-pulseaudio:pulseaudio $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connected which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 $ sudo snap install test-snapd-audio-record --edge $ snap connections test-snapd-audio-record # record not connected Interface PlugSlot Notes audio-playback test-snapd-audio-record:audio-playback :audio-playback - audio-record
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
This bug was fixed in the package pulseaudio - 1:11.1-1ubuntu7.5 --- pulseaudio (1:11.1-1ubuntu7.5) bionic; urgency=medium * Update snap policy to make access to audio recording conditional on plugging the "pulseaudio" or "audio-record" interfaces (LP: #1781428): - 0700-modules-add-snappy-policy-module.patch: rewrite to query snapd for the client's plugged interfaces. - 0701-enable-snap-policy-module.patch: enable the module in the default configuration. - Build depend on libsnapd-glib-dev. * Remove module-trust-store patch set: - 0409-Trust-store-patch.patch: trimmed down to pulsecore changes. - 0410-Add-thread-to-activate-trust-store-interface.patch: removed. - 0417-increase-timeout-check-apparmor.patch: removed. -- James Henstridge Wed, 05 Nov 2019 17:16:25 +0800 ** Changed in: pulseaudio (Ubuntu Bionic) Status: Fix Committed => Fix Released ** Changed in: pulseaudio (Ubuntu Xenial) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: Fix Released Status in pulseaudio source package in Bionic: Fix Released Bug description: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio- playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio- interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes $ exit # out of snap run --shell For strict snaps with pulseaudio: $ sudo snap install test-snapd-pulseaudio --edge $ sudo snap connect test-snapd-pulseaudio:pulseaudio $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
This bug was fixed in the package pulseaudio - 1:8.0-0ubuntu3.11 --- pulseaudio (1:8.0-0ubuntu3.11) xenial; urgency=medium * Backport the snap policy module to make access to audio recording conditional on plugging the "pulseaudio" or "audio-record" interfaces (LP: #1781428): - 0450-modules-add-snappy-policy-module.patch: rewrite to query snapd for the client's plugged interfaces. - 0451-enable-snap-policy-module.patch: enable the module in the default configuration. - Build depend on libsnapd-glib-dev. * Backport libjson-c dependency removal from Pulse Audio 10. This is required by the snap policy module due to a symbol name clash with libjson-glib. - 0805-remove-libjson-c-dependency.patch: new file. -- James Henstridge Tue, 05 Nov 2019 17:16:22 +0800 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: Fix Released Status in pulseaudio source package in Bionic: Fix Released Bug description: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio- playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio- interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes $ exit # out of snap run --shell For strict snaps with pulseaudio: $ sudo snap install test-snapd-pulseaudio --edge $ sudo snap connect test-snapd-pulseaudio:pulseaudio $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
It's also blocking these: https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bugs?field.tag =update-reverted -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: Fix Committed Status in pulseaudio source package in Bionic: Fix Committed Bug description: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio- playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio- interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes $ exit # out of snap run --shell For strict snaps with pulseaudio: $ sudo snap install test-snapd-pulseaudio --edge $ sudo snap connect test-snapd-pulseaudio:pulseaudio $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connected which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 $ sudo snap install test-snapd-audio-record --edge $ snap connections test-snapd-audio-record # record not connected Interface PlugSlot Notes audio-playback
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
Hi, This SRU is blocking another pulseaudio SRU #1869819 [1] to support a Conexant codec on HP EliteDesk 800 G5 SFF with Canonical/Ubuntu Desktop certification. 1:11.1-1ubuntu7.5 for this bug is still in bionic-proposed, will we finish the SRU for bionic by end of this month? [1] Bug #1869819 “[SRU] System can't detect external headset in the ...” : Bugs : OEM Priority Project - https://bugs.launchpad.net/bugs/1869819 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: Fix Committed Status in pulseaudio source package in Bionic: Fix Committed Bug description: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio- playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio- interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes $ exit # out of snap run --shell For strict snaps with pulseaudio: $ sudo snap install test-snapd-pulseaudio --edge $ sudo snap connect test-snapd-pulseaudio:pulseaudio $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connected which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
** Bug watch removed: freedesktop.org Bugzilla #95135 https://bugs.freedesktop.org/show_bug.cgi?id=95135 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: Fix Committed Status in pulseaudio source package in Bionic: Fix Committed Bug description: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio- playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio- interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes $ exit # out of snap run --shell For strict snaps with pulseaudio: $ sudo snap install test-snapd-pulseaudio --edge $ sudo snap connect test-snapd-pulseaudio:pulseaudio $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connected which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 $ sudo snap install test-snapd-audio-record --edge $ snap connections test-snapd-audio-record # record not connected Interface PlugSlot Notes audio-playback
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
I confirmed that https://people.canonical.com/~ubuntu-archive/proposed- migration/xenial/update_excuses.html shows no autopkgtest regression for xenial. I also ran through the TEST CASE for this bug and xenial passed. Marking verification-done-xenial ** Tags removed: verification-failed-xenial ** Tags added: verification-done-xenial -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: Fix Committed Status in pulseaudio source package in Bionic: Fix Committed Bug description: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio- playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio- interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes $ exit # out of snap run --shell For strict snaps with pulseaudio: $ sudo snap install test-snapd-pulseaudio --edge $ sudo snap connect test-snapd-pulseaudio:pulseaudio $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connected which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 $ sudo snap install
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
I confirmed that https://people.canonical.com/~ubuntu-archive/proposed- migration/bionic/update_excuses.html shows no autopkgtest regression for bionic. I also ran through the TEST CASE for this bug and bionic passed. Marking verification-done-bionic. ** Tags removed: verification-failed verification-failed-bionic ** Tags added: verification-done-bionic ** Tags added: verification-done -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: Fix Committed Status in pulseaudio source package in Bionic: Fix Committed Bug description: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio- playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio- interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes $ exit # out of snap run --shell For strict snaps with pulseaudio: $ sudo snap install test-snapd-pulseaudio --edge $ sudo snap connect test-snapd-pulseaudio:pulseaudio $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connected which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
** Description changed: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in- snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface- deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes $ exit # out of snap run --shell For strict snaps with pulseaudio: $ sudo snap install test-snapd-pulseaudio --edge + $ sudo snap connect test-snapd-pulseaudio:pulseaudio $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 - interface not being connecting which is unrelated to mediation. x11 is + interface not being connected which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 $ sudo snap install test-snapd-audio-record --edge $ snap connections test-snapd-audio-record # record not connected Interface PlugSlot Notes audio-playback test-snapd-audio-record:audio-playback :audio-playback - audio-recordtest-snapd-audio-record:audio-record-- $ test-snapd-audio-record.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio- record/common/ $ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav &&
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
All the xenial autopkgtests have passed. What do we need to do to get these published again? -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: Fix Committed Status in pulseaudio source package in Bionic: Fix Committed Bug description: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio- playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio- interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes $ exit # out of snap run --shell For strict snaps with pulseaudio: $ sudo snap install test-snapd-pulseaudio --edge $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 $ sudo snap install test-snapd-audio-record --edge $ snap connections test-snapd-audio-record # record not connected Interface PlugSlot Notes audio-playback test-snapd-audio-record:audio-playback :audio-playback - audio-record
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
Now with the updated snap packages published, (see Bug #1856196 ), when will the pulseaudio packages be re-published? Everyone on Xenial and Bionic who did a package update between 2019-12-11 and 2019-12-12 now has orphaned pulseaudio packages installed, blocking the installation of additional pulseaudio packages! see Bug #1858164 Bug #1858164 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: Fix Committed Status in pulseaudio source package in Bionic: Fix Committed Bug description: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio- playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio- interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes $ exit # out of snap run --shell For strict snaps with pulseaudio: $ sudo snap install test-snapd-pulseaudio --edge $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 $ sudo snap install test-snapd-audio-record --edge $ snap
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
Note, there is a spread test in snapd that checks for if the mediation patches are dropped (or added). While it is fine for https://launchpad.net/bugs/1856054 to be fast tracked, this pulseaudio bug should not be marked as Fix Released before the end of year break unless you coordinate with the snapd team first so as to avoid the spread test failing when no one is around to fix it. Specifically, snapd needs: https://github.com/snapcore/snapd/pull/7885 https://github.com/snapcore/snapd/pull/7886 To be clear, the snapd deb doesn't need to be involved in any of this; it is just coordinating with upstream so the upstream CI doesn't break over the holidays. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: Fix Committed Status in pulseaudio source package in Bionic: Fix Committed Bug description: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio- playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio- interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes $ exit # out of snap run --shell For strict snaps with pulseaudio: $ sudo snap install test-snapd-pulseaudio --edge $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
** Changed in: pulseaudio (Ubuntu Xenial) Status: Fix Released => Fix Committed ** Changed in: pulseaudio (Ubuntu Bionic) Status: Fix Released => Fix Committed -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: Fix Committed Status in pulseaudio source package in Bionic: Fix Committed Bug description: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio- playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio- interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes $ exit # out of snap run --shell For strict snaps with pulseaudio: $ sudo snap install test-snapd-pulseaudio --edge $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 $ sudo snap install test-snapd-audio-record --edge $ snap connections test-snapd-audio-record # record not connected Interface PlugSlot Notes audio-playback
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
This update has been pulled from -updates by Sebastien as it was causing pulling in snapd via a recommends chain on systems that do not want to have snapd installed. A fix is in the works from what I know. Marking it as verification-failed so that it doesn't get re-released by accident. ** Tags removed: verification-done verification-done-bionic verification-done-xenial ** Tags added: verification-failed verification-failed-bionic verification-failed-xenial -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: Fix Released Status in pulseaudio source package in Bionic: Fix Released Bug description: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio- playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio- interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes $ exit # out of snap run --shell For strict snaps with pulseaudio: $ sudo snap install test-snapd-pulseaudio --edge $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
This bug was fixed in the package pulseaudio - 1:8.0-0ubuntu3.11 --- pulseaudio (1:8.0-0ubuntu3.11) xenial; urgency=medium * Backport the snap policy module to make access to audio recording conditional on plugging the "pulseaudio" or "audio-record" interfaces (LP: #1781428): - 0450-modules-add-snappy-policy-module.patch: rewrite to query snapd for the client's plugged interfaces. - 0451-enable-snap-policy-module.patch: enable the module in the default configuration. - Build depend on libsnapd-glib-dev. * Backport libjson-c dependency removal from Pulse Audio 10. This is required by the snap policy module due to a symbol name clash with libjson-glib. - 0805-remove-libjson-c-dependency.patch: new file. -- James Henstridge Tue, 05 Nov 2019 17:16:22 +0800 ** Changed in: pulseaudio (Ubuntu Xenial) Status: Fix Committed => Fix Released ** Changed in: pulseaudio (Ubuntu Bionic) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: Fix Released Status in pulseaudio source package in Bionic: Fix Released Bug description: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio- playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio- interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes $ exit # out of snap run --shell For strict snaps with pulseaudio: $ sudo snap install test-snapd-pulseaudio --edge $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
This bug was fixed in the package pulseaudio - 1:11.1-1ubuntu7.5 --- pulseaudio (1:11.1-1ubuntu7.5) bionic; urgency=medium * Update snap policy to make access to audio recording conditional on plugging the "pulseaudio" or "audio-record" interfaces (LP: #1781428): - 0700-modules-add-snappy-policy-module.patch: rewrite to query snapd for the client's plugged interfaces. - 0701-enable-snap-policy-module.patch: enable the module in the default configuration. - Build depend on libsnapd-glib-dev. * Remove module-trust-store patch set: - 0409-Trust-store-patch.patch: trimmed down to pulsecore changes. - 0410-Add-thread-to-activate-trust-store-interface.patch: removed. - 0417-increase-timeout-check-apparmor.patch: removed. -- James Henstridge Wed, 05 Nov 2019 17:16:25 +0800 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: Fix Released Status in pulseaudio source package in Bionic: Fix Released Bug description: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio- playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio- interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes $ exit # out of snap run --shell For strict snaps with pulseaudio: $ sudo snap install test-snapd-pulseaudio --edge $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
Installing 1:8.0-0ubuntu3.11 from xenial-proposed, the test plan and James' addition for mediation is preserved across snapd restart all works as expected. Marking as verification done. ** Description changed: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in- snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface- deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes + + $ exit # out of snap run --shell For strict snaps with pulseaudio: $ sudo snap install test-snapd-pulseaudio --edge $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 $ sudo snap install test-snapd-audio-record --edge $ snap connections test-snapd-audio-record # record not connected Interface PlugSlot Notes audio-playback test-snapd-audio-record:audio-playback :audio-playback - audio-recordtest-snapd-audio-record:audio-record-- $ test-snapd-audio-record.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio- record/common/ $
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
Installing 1:11.1-1ubuntu7.5 from bionic-proposed, the test plan and James' addition for mediation is preserved across snapd restart all works as expected. Marking as verification done. ** Tags removed: verification-needed-bionic ** Tags added: verification-done-bionic -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: Fix Committed Status in pulseaudio source package in Bionic: Fix Committed Bug description: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio- playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio- interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes $ exit # out of snap run --shell For strict snaps with pulseaudio: $ sudo snap install test-snapd-pulseaudio --edge $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 $ sudo snap install test-snapd-audio-record --edge $ snap connections test-snapd-audio-record # record not connected Interface Plug
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
** Description changed: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in- snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface- deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For strict snaps with pulseaudio: - $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap + $ sudo snap install test-snapd-pulseaudio --edge $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 - $ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap + $ sudo snap install test-snapd-audio-record --edge $ snap connections test-snapd-audio-record # record not connected Interface PlugSlot Notes audio-playback test-snapd-audio-record:audio-playback :audio-playback - audio-recordtest-snapd-audio-record:audio-record-- $ test-snapd-audio-record.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio- record/common/ $ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav && echo yes
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
Hello Jamie, or anyone else affected, Accepted pulseaudio into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/pulseaudio/1:8.0-0ubuntu3.11 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: pulseaudio (Ubuntu Xenial) Status: Triaged => Fix Committed ** Tags added: verification-needed-xenial -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: Fix Committed Status in pulseaudio source package in Bionic: Fix Committed Bug description: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio- playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio- interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For strict snaps with pulseaudio: $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap $ snap connections test-snapd-pulseaudio Interface Plug
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
Hello Jamie, or anyone else affected, Accepted pulseaudio into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/pulseaudio/1:11.1-1ubuntu7.5 in a few hours, and then in the -proposed repository. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: pulseaudio (Ubuntu Bionic) Status: Triaged => Fix Committed ** Tags added: verification-needed verification-needed-bionic -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: Triaged Status in pulseaudio source package in Bionic: Fix Committed Bug description: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio- playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio- interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For strict snaps with pulseaudio: $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap $ snap connections test-snapd-pulseaudio Interface
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
The two packages are in the upload queue now: https://launchpad.net/ubuntu/xenial/+queue?queue_state=1_text=pulseaudio https://launchpad.net/ubuntu/bionic/+queue?queue_state=1_text=pulseaudio One additional acceptance test would be to verify that the policy module continues to work across snapd restarts. So at the end of the test script, add something like: The policy module continues to function over snapd restarts: $ sudo systemctl restart snapd.service $ test-snapd-audio-record.record /tmp/out.wav && echo yes # should pass ... ^Cyes This was a problem with old versions of snapd-glib (before 1.44, I think), but shouldn't be a problem now. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: Triaged Status in pulseaudio source package in Bionic: Triaged Bug description: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio- playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio- interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For strict snaps with pulseaudio: $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
Attached is a debdiff for the Xenial version of the backport. In addition to the snap policy module patches, this includes a backport of the libjson-c dependency removal changes from Pulse Audio 10.0 (which applied cleanly without modification). This is required because libjson-c and libjson-glib declare a few symbols with the same name, causing problems for the policy module. Based on discussion in https://bugs.freedesktop.org/show_bug.cgi?id=95135, the libjson-c dependency was causing problems for other applications too. I was able to complete @jdstrand's test plan on a clean 16.04 install with these updates. pulseaudio (1:8.0-0ubuntu3.11) xenial; urgency=medium * Backport the snap policy module to make access to audio recording conditional on plugging the "pulseaudio" or "audio-record" interfaces (LP: #1781428): - 0450-modules-add-snappy-policy-module.patch: rewrite to query snapd for the client's plugged interfaces. - 0451-enable-snap-policy-module.patch: enable the module in the default configuration. - Build depend on libsnapd-glib-dev. * Backport libjson-c dependency removal from Pulse Audio 10. This is required by the snap policy module due to a symbol name clash with libjson-glib. - 0805-remove-libjson-c-dependency.patch: new file. -- James Henstridge Tue, 05 Nov 2019 17:16:22 +0800 ** Bug watch added: freedesktop.org Bugzilla #95135 https://bugs.freedesktop.org/show_bug.cgi?id=95135 ** Patch added: "pulseaudio_8.0-0ubuntu3.10_8.0-0ubuntu3.11.diff" https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1781428/+attachment/5303806/+files/pulseaudio_8.0-0ubuntu3.10_8.0-0ubuntu3.11.diff -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: Triaged Status in pulseaudio source package in Bionic: Triaged Bug description: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio- playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio- interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
Attached is a debdiff for the bionic backport. I've run through @jdstrand's test plan on a clean Ubuntu 18.04 install, and everything appears to be behaving as expected. pulseaudio (1:11.1-1ubuntu7.5) bionic; urgency=medium * Update snap policy to make access to audio recording conditional on plugging the "pulseaudio" or "audio-record" interfaces (LP: #1781428): - 0700-modules-add-snappy-policy-module.patch: rewrite to query snapd for the client's plugged interfaces. - 0701-enable-snap-policy-module.patch: enable the module in the default configuration. - Build depend on libsnapd-glib-dev. * Remove module-trust-store patch set: - 0409-Trust-store-patch.patch: trimmed down to pulsecore changes. - 0410-Add-thread-to-activate-trust-store-interface.patch: removed. - 0417-increase-timeout-check-apparmor.patch: removed. -- James Henstridge Wed, 05 Nov 2019 17:16:25 +0800 ** Patch added: "pulseaudio_11.1-1ubuntu7.4_11.1-1ubuntu7.5.diff" https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1781428/+attachment/5303689/+files/pulseaudio_11.1-1ubuntu7.4_11.1-1ubuntu7.5.diff -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: Triaged Status in pulseaudio source package in Bionic: Triaged Bug description: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio- playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio- interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For strict snaps with pulseaudio: $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
The xenial backport is non-functional due to a symbol collision between libjson-c.so (required by libpulse) and libjson-glib.so (required by snapd-glib). This doesn't affect the Bionic backport though. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: Triaged Status in pulseaudio source package in Bionic: Triaged Bug description: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio- playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio- interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For strict snaps with pulseaudio: $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 $ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap $ snap connections test-snapd-audio-record # record not connected Interface PlugSlot Notes audio-playback
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
** Changed in: pulseaudio (Ubuntu Xenial) Assignee: (unassigned) => James Henstridge (jamesh) ** Changed in: pulseaudio (Ubuntu Bionic) Assignee: (unassigned) => James Henstridge (jamesh) ** Changed in: pulseaudio (Ubuntu Xenial) Importance: Undecided => Medium ** Changed in: pulseaudio (Ubuntu Bionic) Importance: Undecided => Medium -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: Triaged Status in pulseaudio source package in Bionic: Triaged Bug description: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio- playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio- interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For strict snaps with pulseaudio: $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 $ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap $ snap
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
** Changed in: pulseaudio (Ubuntu Xenial) Status: In Progress => Triaged ** Changed in: pulseaudio (Ubuntu Bionic) Status: In Progress => Triaged -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: Triaged Status in pulseaudio source package in Bionic: Triaged Bug description: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio- playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio- interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] IMPORTANT: if updating pulseaudio while the session is running, either need to reboot for the test or kill pulseaudio so it can restart with the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For strict snaps with pulseaudio: $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 $ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap $ snap connections test-snapd-audio-record # record not connected Interface PlugSlot Notes audio-playback test-snapd-audio-record:audio-playback
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
** Description changed: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in- snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface- deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] - Since the pulseaudio mediation behavior triggers when the security label - starts with 'snap.' it is su + IMPORTANT: if updating pulseaudio while the session is running, either + need to reboot for the test or kill pulseaudio so it can restart with + the new snap policy For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For strict snaps with pulseaudio: $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 $ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap $ snap connections test-snapd-audio-record # record not connected Interface PlugSlot Notes audio-playback test-snapd-audio-record:audio-playback :audio-playback - audio-recordtest-snapd-audio-record:audio-record-- $ test-snapd-audio-record.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio- record/common/ $ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav && echo yes
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
** Description changed: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in- snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio-playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio-interface- deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] Since the pulseaudio mediation behavior triggers when the security label starts with 'snap.' it is su For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes - For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For strict snaps with pulseaudio: $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes - For strict snaps with audio-playback/audio-record: + $ sudo snap refresh core --candidate # make sure have 2.41. 'install' on 16.04 $ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap $ snap connections test-snapd-audio-record # record not connected Interface PlugSlot Notes audio-playback test-snapd-audio-record:audio-playback :audio-playback - audio-recordtest-snapd-audio-record:audio-record-- $ test-snapd-audio-record.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio- record/common/ $ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
Attaching test-snapd-pulseaudio and test-snapd-audio-record snaps. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: In Progress Status in pulseaudio source package in Bionic: In Progress Bug description: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio- playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio- interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] Since the pulseaudio mediation behavior triggers when the security label starts with 'snap.' it is su For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For strict snaps with pulseaudio: $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap $ snap connections test-snapd-audio-record # record not connected Interface PlugSlot Notes audio-playback test-snapd-audio-record:audio-playback :audio-playback - audio-recordtest-snapd-audio-record:audio-record-- $ test-snapd-audio-record.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
** Description changed: + [Impact] + Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. - # Original summary: pulseaudio built with --enable-snappy but 'Enable - Snappy support: no' + To correct this situation but not regress existing behavior, Ubuntu + 19.04's pulseaudio was updated patch to allow playback to all connected + clients (snaps or not), record by classic snaps (see bug 1787324) and + record by strict mode snaps if either the pulseaudio or new-in- + snapd-2.41 audio-record interfaces were connected. With this change, + snapd is in a position to migrate snaps to the new audio-playback and + audio-record interfaces and properly mediate audio recording (see + https://forum.snapcraft.io/t/upcoming-pulseaudio-interface- + deprecation/13418). + + The patch to pulseaudio consists of adding a module, enabling it in + default.pa and then when it is enabled, pulseaudio when faced with a + record operation will, when the connecting process is a snap (ie, its + security label (ie, apparmor label) starts with 'snap.'), query snapd + via its control socket to ask if the snap is classic and if not, whether + the pulseaudio or audio-record interfaces are connected. Adjusting + pulseaudio in the manner does not require coordination with any release + of snapd. It does need a newer version of snapd-glib, which was recently + updated to 1.49 in the last SRU. + + [Test Case] + + Since the pulseaudio mediation behavior triggers when the security label + starts with 'snap.' it is su + + For unconfined applications: + $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" + yes + + $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording + ^Cyes + + $ paplay /tmp/out.wav && echo "yes" + yes + + For confined, non-snap applications: + $ sudo apt-get install evince + + $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav + && echo yes + + $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording + ^Cyes + + $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" + yes + + + For classic snaps: + $ sudo snap install test-snapd-classic-confinement --classic + + $ snap run --shell test-snapd-classic-confinement + + $ cat /proc/self/attr/current # verify we are classic confined + snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) + + $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" + yes + + $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording + ^Cyes + + $ paplay /tmp/out.wav && echo "yes" + yes + + For strict snaps with pulseaudio: + $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap + + $ snap connections test-snapd-pulseaudio + Interface Plug Slot Notes + pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - + + $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created + ... + + $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- + pulseaudio/common/ + + $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes + xcb_connection_has_error() returned true + yes + + (note, the xcb_connection_has_error() message is due to the x11 + interface not being connecting which is unrelated to mediation. x11 is + left out to ensure that just audio-playback/audio-record are tested) + + $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass + ... + ^Cyes + + $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes + ... + yes + + + For strict snaps with audio-playback/audio-record: + $ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap + + $ snap connections test-snapd-audio-record # record not connected + Interface PlugSlot Notes + audio-playback test-snapd-audio-record:audio-playback :audio-playback - + audio-recordtest-snapd-audio-record:audio-record-- + + $ test-snapd-audio-record.play --help # ensure SNAP dirs are created + ... + + $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd-audio- + record/common/ + + $ test-snapd-audio-record.play /var/snap/test-snapd-audio-record/common/Noise.wav && echo yes + xcb_connection_has_error() returned true + yes + + (note, the xcb_connection_has_error() message is due to the x11 + interface not being connecting which is
[Desktop-packages] [Bug 1781428] Re: please enable snap mediation support
** Attachment added: "test-snapd-audio-record_1_amd64.snap" https://bugs.launchpad.net/ubuntu/+source/pulseaudio/+bug/1781428/+attachment/5292539/+files/test-snapd-audio-record_1_amd64.snap -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to pulseaudio in Ubuntu. https://bugs.launchpad.net/bugs/1781428 Title: please enable snap mediation support Status in pulseaudio package in Ubuntu: Fix Released Status in pulseaudio source package in Xenial: In Progress Status in pulseaudio source package in Bionic: In Progress Bug description: [Impact] Ubuntu 16.10 added rudimentary snap support to disable audio recording if the connecting process was a snap. By Ubuntu 18.04, something changed in the build resulting in 'Enable Snappy support: no' with audio recording no longer being mediated by pulseaudio (access to the pulseaudio socket continued to be mediated by snapd's apparmor policy). This resulted in any application with the pulseaudio interface connected to be able to also record. Ubuntu 16.04 never had mediation patches and always allowed recording when the pulseaudio interface was connected. To correct this situation but not regress existing behavior, Ubuntu 19.04's pulseaudio was updated patch to allow playback to all connected clients (snaps or not), record by classic snaps (see bug 1787324) and record by strict mode snaps if either the pulseaudio or new-in-snapd-2.41 audio-record interfaces were connected. With this change, snapd is in a position to migrate snaps to the new audio- playback and audio-record interfaces and properly mediate audio recording (see https://forum.snapcraft.io/t/upcoming-pulseaudio- interface-deprecation/13418). The patch to pulseaudio consists of adding a module, enabling it in default.pa and then when it is enabled, pulseaudio when faced with a record operation will, when the connecting process is a snap (ie, its security label (ie, apparmor label) starts with 'snap.'), query snapd via its control socket to ask if the snap is classic and if not, whether the pulseaudio or audio-record interfaces are connected. Adjusting pulseaudio in the manner does not require coordination with any release of snapd. It does need a newer version of snapd-glib, which was recently updated to 1.49 in the last SRU. [Test Case] Since the pulseaudio mediation behavior triggers when the security label starts with 'snap.' it is su For unconfined applications: $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For confined, non-snap applications: $ sudo apt-get install evince $ aa-exec -p /usr/bin/evince -- paplay /usr/share/sounds/alsa/Noise.wav && echo yes $ rm -f /tmp/out.wav ; aa-exec -p /usr/bin/evince -- parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ aa-exec -p /usr/bin/evince -- paplay /tmp/out.wav && echo "yes" yes For classic snaps: $ sudo snap install test-snapd-classic-confinement --classic $ snap run --shell test-snapd-classic-confinement $ cat /proc/self/attr/current # verify we are classic confined snap.test-snapd-classic-confinement.test-snapd-classic-confinement (complain) $ paplay /usr/share/sounds/alsa/Noise.wav && echo "yes" yes $ rm -f /tmp/out.wav ; parecord /tmp/out.wav && echo "yes" # ctrl-c to stop recording ^Cyes $ paplay /tmp/out.wav && echo "yes" yes For strict snaps with pulseaudio: $ sudo snap install --dangerous ./test-snapd-pulseaudio_1_amd64.snap $ snap connections test-snapd-pulseaudio Interface Plug Slot Notes pulseaudio test-snapd-pulseaudio:pulseaudio :pulseaudio - $ test-snapd-pulseaudio.play --help # ensure SNAP dirs are created ... $ sudo cp /usr/share/sounds/alsa/Noise.wav /var/snap/test-snapd- pulseaudio/common/ $ test-snapd-pulseaudio.play /var/snap/test-snapd-pulseaudio/common/Noise.wav && echo yes xcb_connection_has_error() returned true yes (note, the xcb_connection_has_error() message is due to the x11 interface not being connecting which is unrelated to mediation. x11 is left out to ensure that just audio-playback/audio-record are tested) $ test-snapd-pulseaudio.record /tmp/out.wav && echo yes # should pass ... ^Cyes $ test-snapd-pulseaudio.play /tmp/out.wav && echo yes ... yes For strict snaps with audio-playback/audio-record: $ sudo snap install --dangerous ./test-snapd-audio-record_1_amd64.snap $ snap connections test-snapd-audio-record # record not connected Interface PlugSlot Notes audio-playback test-snapd-audio-record:audio-playback :audio-playback - audio-recordtest-snapd-audio-record:audio-record--
