Can this be done in a confined application?

Hey everyone,

I wrote an application that I’d like to package as a snap. However, I only got it working with confinement: classic.

Here is what it needs to do:

  • R/W to the unix socket /run/user/{uid}/pulse/native. I believe from reading the docs this is not something that’s allowed unless running in classic confinement. However, I need to talk to the host pulse audio and load LADSPA modules. Considering there’s separate interfaces for audio-playback and audio-record, talking raw PulseAudio native protocol to the host server is probably out?

  • Read access to ~/.config/pulse/cookie, because pulse requires this as authentication to talk to its unix socket mentioned above.

  • Put LADSPA modules somewhere where PulseAudio can find them, and provide a path. Currently I’m writing them to /tmp but mapping either /tmp or /dev/shm via layouts is not allowed. Is there somewhere I could even put them where I know the path outside the sandbox?

After working on this for a day, I believe this is simply not possible in a sandboxed snap. If so, the requirements for classic confinement are somewhat nebulous in saying management snaps are unsupported.

An application that manages pulseaudio configuration via loading modules/setting up loopbacks etc. probably qualifies as a management snap?

Is this correct and am I right in my assumption that a snap package for my app is basically a no-go?

You have access to $XDG_RUNTIME_DIR/pulse/native and ~/.config/pulse/cookie through the audio-playback and audio-record interfaces.

However, the Pulse Audio shipped in Ubuntu is configured to prevent strict confined snaps from issuing the PA_COMMAND_LOAD_MODULE or PA_COMMAND_UNLOAD_MODULE commands. This restriction was put in place as part of USN-4355-1 (in short, the snap security policy is implemented as a module, so letting a sandboxed client manipulate modules is a bad idea).

I don’t see us making an exception for something like this, since what you’re describing would essentially be a sandbox bypass vulnerability: the Pulse Audio daemon runs unconfined, so if you could get it to dlopen a library provided by your snap, then you’d be executing code outside of the sandbox.

You might be best off pursuing classic confinement for something like this.

2 Likes