6

If I tell applications like VLC or Audacity to record from my webcam or microphone, they just wake the hardware if sleeping and do their work without my interference.

Although this is a good thing, I've always wondered, due to privacy concerns: is there a way to restrict applications access to a hardware device?

While writing this, I came up with the idea of using something like SELinux or AppArmor to restrict access to /dev/something. Is this possible? Could there be a better or easier way?

Also, is there any more hardware besides the webcam and microphone that I should be concerned about?

admirabilis
  • 4,642
  • 9
  • 41
  • 57
  • 1
    The original work for SELinux was done by the NSA, yes. They released it as open source from the beginning and it has had years of public review. There's nothing scary about it. – j883376 Jun 13 '13 at 09:13

1 Answers1

3

I guess the traditional way would be to make pseudo-users (like the games-user) for the program/set of programs, assign this user to the groups for devices it should access (eg. camera), and run the program(s) SUID as this user. If you removed permissions for "others" (not owner or group), only the owner and members of the group - including the pseudo-user - could access it.

Further more, you could use the group of the program(s) to restrict which users where allowed to execute the program(s). Make a group (eg. conference) for the users allowed to make video-conferences, and restrict the execution of the associated programs (the ones granted special access to camera and mic) to this group only.

+++

Another way is running the program SGID as the special-group belonging to the device, and remove permission for "others". This of course only work if the program need to access just one restricted device.

Baard Kopperud
  • 7,023
  • 6
  • 42
  • 62