2

I run the following command in the background constantly to check for camera access on Ubuntu Linux:

lsmod | grep ^uvcvideo

I noticed that every time I load into gmail my check is triggering my kernel's camera module. I assume this is just to test it, but I can't be sure. I want to block firefox (or any application of my choosing) from accessing the uvcvideo module.

To clarify what my command returns normally:

uvcvideo               86016  0

and what happens when I load into gmail:

uvcvideo               86016  1

I think it's just google hangouts asking firefox if I have a camera. Firefox then check if I have one. It happens in any browser.

How can I block a browser/application from using uvcvideo?

Here is a link to the source code for the tool I detected this with:

https://github.com/UniWrighte/Safe_Space

Improve this question
1
  • quick update: I disabled the chat box for the gmail home page and it no longer activates the uvcvideo module when I load the page. That is a good temporary fix, but I want a system level solution I can apply so I can still use chat.
    – David Kamer
    Commented Nov 21, 2018 at 5:59

1 Answer 1

Reset to default
1

Firefox solution:

You can disable permissions for cameras by going to options -> privacy & security (or type about:preferences#privacy into the URL bar) and look under the permissions header. There you can disable for all website by default and whitelist etc.

Linux solution:

Disable the uvcvideo module by modprobe -r uvcvideo. This will disable until next bootup. If you want this to be disabled permanently you will have to add blacklist uvcvideo into the /etc/modprobe.d/blacklist.conf file.

I should also mention that using lsmod only shows if the module is open (doesn't necessarily mean it is capturing) at that point in time and you might not be able to detect cases where the camera opens, takes a picture and then closes over a short period of time.

Finer control:

If you need to sandbox just firefox then you'll probably need to look for a sandbox program or setup a virtual machine or some sort to run it in. I won't go into more detail here as I'm not that familiar with good choices.

Improve this answer
5
  • On the Firefox solution: I did this and it still gets to the OS.
    – David Kamer
    Commented Nov 21, 2018 at 6:18
  • Ok, so I how can I disable uvcvideo for only firefox? Also I have it checking less than every millisecond. Not optimal and I wish I could do it with a watcher but hey if you can open and take a picture in less than 100 milliseconds and time it perfectly every time then I could just run two instances... Anyway that's minutia... So how can I "sandbox" firefox from the camera so I can use the camera with other applications if I want?
    – David Kamer
    Commented Nov 21, 2018 at 6:22
  • 1
    @AlphaD Firejail exposes a vast attack surface... It's not a great program. A security researcher looked into it and found dozens of severe root privesc vulnerabilities, and kept finding them over and over until he stopped due to lack of time (there was no sign in the new bugs slowing down).
    – forest
    Commented Nov 21, 2018 at 8:59
  • Of that I was not aware. I guess I shouldn't have given a specific program choice I'm not that familiar with. I'll delete my comment and edit my answer accordingly.
    – AlphaD
    Commented Nov 21, 2018 at 9:03
  • @AlphaD I considered a VM. I'm looking into doing that. I'm going to wait for a few days to see if anyone answers with a way to directly block module access for a program and if no one answers I'll implement your solution(s) and accept your answer. Thank you.
    – David Kamer
    Commented Nov 21, 2018 at 17:20

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .