Snap blocks access to system input methods (ibus, fcitx, ...)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
ibus |
Fix Released
|
Unknown
|
|||
apparmor (Ubuntu) |
Fix Released
|
Medium
|
Tyler Hicks | ||
Xenial |
Fix Released
|
Medium
|
Tyler Hicks | ||
Yakkety |
Fix Released
|
Medium
|
Tyler Hicks | ||
ibus (Ubuntu) |
Fix Released
|
Medium
|
Gunnar Hjalmarsson | ||
im-config (Ubuntu) |
Fix Released
|
Medium
|
Jamie Strandboge | ||
Xenial |
Fix Released
|
Medium
|
Jamie Strandboge | ||
Yakkety |
Fix Released
|
Medium
|
Jamie Strandboge | ||
snapd (Ubuntu) |
Fix Released
|
Medium
|
Unassigned | ||
Xenial |
Fix Released
|
Medium
|
Unassigned | ||
Yakkety |
Fix Released
|
Medium
|
Unassigned |
Bug Description
= SRU im-config =
[Impact]
ibus-daemon by default uses a unix socket name of /tmp/dbus-... that is indistinguishable from dbus-daemon abstract sockets. While dbus-daemon has AppArmor mediation, ibus-daemon does not so it is important that its abstract socket not be confused with dbus-daemon's. By modifying ibus-daemon's start arguments to use "--address 'unix:tmpdir=
The upload simply adjusts 21_ibus.rc to start ibus-daemon with "--address 'unix:tmpdir=
[Test Case]
1. start a unity session before updating to the package in -proposed
2. $ grep IBUS_ADDRESS ~/.config/
IBUS_ADDRESS=
3. $ lsof -p $(pidof ibus-daemon) | grep '/dbus'
ibus-daem 2973 jamie 8u unix 0x0000000000000000 0t0 29606 @/tmp/dbus-oxKYpN30 type=STREAM
4. update the package in -proposed and perform '2' and '3'. The IBUS_ADDRESSES should be the same as before
5. logout of unity, then log back in
6. $ grep IBUS_ADDRESS ~/.config/
IBUS_ADDRESS=
(notice '/tmp/ibus/' in the path)
7. $ lsof -p $(pidof ibus-daemon) | grep '/dbus'
ibus-daem 3471 jamie 8u unix 0x0000000000000000 0t0 26107 @/tmp/ibus/
...
(notice '@/tmp/ibus/' in the path)
In addition to the above, you can test for regressions by opening 'System Settings' under the 'gear' icon in the panel and selecting 'Text Entry'. From there, add an input source on the right, make sure 'Show current input source in the menu bar' is checked, then use the input source panel indicator to change input sources.
Extended test case to verify input support still works in unconfined and confined applications:
1. Systems Settings Language Support, if prompted install the complete language support
2. Install Chinese (simple and traditional)
3. sudo apt-get install ibus-pinyin ibus-sunpinyin
4. logout / login
5. System Settings / Text Entry - add Chinese (Pinyin) (IBus)
6. select pinyin from the indicator
7. sudo lsof | grep ibus | grep @ # will use @/tmp/dbus-...
8. open gnome-calculator and try to type something in (should get a pop-up)
9. open evince and try to search a pdf (should get a pop up)
10. upgrade apparmor and im-config from xenial-proposed
11. logout and back in
12. sudo lsof | grep ibus | grep @ # will use @/tmp/ibus/...
13. open gnome-calculator and try to type something in (should get a pop-up)
14. open evince and try to search a pdf (should get a pop up)
15. verify no new apparmor denials
[Regression Potential]
The regression potential is considered low because there are no compiled code changes and because the changes only occur after ibus-daemon is restarted, which is upon session start, not package upgrade. When it is restarted, the files in ~/.config/
This change intentionally requires a change to the unity7 snapd interface, which is in already done.
This change intentionally requires a change to apparmor to add a unix rule for communicating with the new ibus address. This is in xenial-proposed 2.10.95-0ubuntu2.3 (and 2.10.95-
= SRU apparmor =
[Impact]
The upload that adjusts ibus-daemon to start with "--address 'unix:tmpdir=
[Test Case]
1. Start a unity session after updating to the im-config package in -proposed but before the apparmor package in -proposed
2. Use the ibus client program to list the available engines
$ ibus list-engine
language: Spanish; Castilian
xkb:latam::spa - Spanish (Latin American)
xkb:es::spa - Spanish
language: Slovak
xkb:sk:qwerty:slo - Slovak (qwerty)
xkb:sk::slo - Slovak
...
3. Create an AppArmor profile file, called ibus, with the following contents:
#include <tunables/global>
profile ibus {
#include <abstractions/base>
#include <abstractions/
#include <abstractions/ibus>
/usr/bin/ibus mr,
}
4. Load the profile
$ sudo apparmor_parser -qr ibus
5. Rerun the ibus client program under confinement to see that it fails
$ aa-exec -p ibus -- ibus list-engine
Can't connect to IBus.
6. Note the AppArmor denial in the syslog
audit: type=1400 audit(147225207
7. Update to the apparmor package in -proposed
8. Reload the profile
$ sudo apparmor_parser -qr ibus
9. Rerun the ibus client program under confinement to see that it works
$ aa-exec -p ibus -- ibus list-engine
language: Spanish; Castilian
xkb:latam::spa - Spanish (Latin American)
xkb:es::spa - Spanish
language: Slovak
xkb:sk:qwerty:slo - Slovak (qwerty)
xkb:sk::slo - Slovak
...
[Regression Potential]
The regression potential is considered low because there are no compiled code changes and because the changes only add additional rules to the apparmor ibus abstraction.
= Original description =
Currently snaps can't access ibus/fcitx from the system, do we need a interface for input methods there?
Related branches
tags: | added: snap-desktop-issue snapd-interface |
summary: |
- Needs for an input method interface? + Snap blocks access to system input methods (ibus, fctix, ...) |
Changed in snapd (Ubuntu): | |
status: | New → In Progress |
assignee: | nobody → Jamie Strandboge (jdstrand) |
Changed in im-config (Ubuntu Yakkety): | |
status: | New → In Progress |
assignee: | nobody → Jamie Strandboge (jdstrand) |
Changed in im-config (Ubuntu Yakkety): | |
status: | In Progress → Fix Committed |
Changed in im-config (Ubuntu Xenial): | |
status: | New → In Progress |
assignee: | nobody → Jamie Strandboge (jdstrand) |
Changed in im-config (Ubuntu Yakkety): | |
importance: | Undecided → Medium |
Changed in im-config (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in snapd (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in im-config (Ubuntu Xenial): | |
status: | In Progress → Triaged |
description: | updated |
description: | updated |
description: | updated |
description: | updated |
Changed in im-config (Ubuntu Xenial): | |
status: | Triaged → In Progress |
Changed in snapd (Ubuntu Yakkety): | |
status: | Incomplete → Confirmed |
Changed in apparmor (Ubuntu Xenial): | |
status: | New → Triaged |
Changed in apparmor (Ubuntu Yakkety): | |
status: | New → In Progress |
Changed in apparmor (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in apparmor (Ubuntu Yakkety): | |
importance: | Undecided → Medium |
Changed in apparmor (Ubuntu Xenial): | |
assignee: | nobody → Tyler Hicks (tyhicks) |
Changed in apparmor (Ubuntu Yakkety): | |
assignee: | nobody → Tyler Hicks (tyhicks) |
Changed in snapd (Ubuntu Yakkety): | |
status: | Confirmed → Fix Committed |
summary: |
- Snap blocks access to system input methods (ibus, fctix, ...) + Snap blocks access to system input methods (ibus, fcitx, ...) |
description: | updated |
description: | updated |
description: | updated |
Changed in ibus: | |
status: | Unknown → New |
Changed in ibus: | |
status: | New → Fix Released |
Changed in ibus (Ubuntu): | |
status: | In Progress → Fix Released |
We either need an interface or to simply update the unity7 interface accordingly. Can you please provide a snap and instructions on how to reproduce (for both ibus and fcitx)?