[Bug 1761585] Re: ibus_bus_init does an unconditional call to chmod on $HOME/.config/ibus/bus
Łukasz Zemczak
1761585 at bugs.launchpad.net
Mon Apr 9 11:55:33 UTC 2018
Hello Olivier, or anyone else affected,
Accepted ibus into xenial-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/ibus/1.5.11-1ubuntu2.1
in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested and change the tag from
verification-needed-xenial to verification-done-xenial. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-xenial. In either case, without details of
your testing we will not be able to proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance!
** Changed in: ibus (Ubuntu Xenial)
Status: New => Fix Committed
** Tags added: verification-needed verification-needed-xenial
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1761585
Title:
ibus_bus_init does an unconditional call to chmod on
$HOME/.config/ibus/bus
Status in ibus:
Fix Released
Status in ibus package in Ubuntu:
Fix Released
Status in ibus source package in Xenial:
Fix Committed
Bug description:
This was spotted by jdstrand when running the chromium snap, which
recently enabled ibus support
(https://forum.snapcraft.io/t/cant-use-input-method-in-snap-apps/4712/12):
audit[16919]: AVC apparmor="DENIED" operation="chmod"
profile="snap.chromium.chromium" name="/home/osomon/.config/ibus/bus/"
pid=16919 comm="chromium-browse" requested_mask="w" denied_mask="w"
fsuid=1000 ouid=1000
The code that calls chmod is in ibus_bus_init:
static void
ibus_bus_init (IBusBus *bus)
{
    gchar *path;
    […]
    path = g_path_get_dirname (ibus_get_socket_path ());
    g_mkdir_with_parents (path, 0700);
    g_chmod (path, 0700);
    […]
}
This is rather harmless, but it could be avoided by checking first the
file mode bits on that directory, and do the g_chmod call only if ≠
0700.
[Impact]
Snaps that build on a xenial stack against libibus will trigger that apparmor denial, and even if actually harmless this will no doubt be reported as a problem by users who inspect the denials generated by their snaps.
The patch (that is already upstream: https://github.com/ibus/ibus/commit/28d0c1d4bc47beb38995d84cc4bb1d539c08a070) fixes that by calling chmod conditionally, only if the file mode bits on the ibus socket path are ≠ 0700.
[Test Case]
Install the chromium snap from the stable channel (version
65.0.3325.181, revision 274 as of this writing), and monitor the
system journal for apparmor denials while launching it:
journalctl -f | grep chmod
Observe a denial similar to that one:
audit[16919]: AVC apparmor="DENIED" operation="chmod"
profile="snap.chromium.chromium" name="/home/osomon/.config/ibus/bus/"
pid=16919 comm="chromium-browse" requested_mask="w" denied_mask="w"
fsuid=1000 ouid=1000
Now rebuild the chromium snap with the patched libibus (this can be
done by downloading the .snap file, unpacking it with unsquashfs,
replacing the libibus files by unpacking the updated deb, then
repacking the snap with `snapcraft pack`), install it and launch it
while monitoring the system journal.
Observe the denial on chmod is gone.
[Regression Potential]
This is a low-risk, self-contained change. It doesn't change the logic of ibus_bus_init.
ibus input still working in apps (both debs and snaps) should be enough to prove that there are no regressions.
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: ibus 1.5.17-3ubuntu1
ProcVersionSignature: Ubuntu 4.15.0-13.14-generic 4.15.10
Uname: Linux 4.15.0-13-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair
ApportVersion: 2.20.9-0ubuntu2
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Thu Apr 5 21:55:30 2018
EcryptfsInUse: Yes
InstallationDate: Installed on 2016-07-02 (642 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
SourcePackage: ibus
UpgradeStatus: Upgraded to bionic on 2018-01-29 (66 days ago)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ibus/+bug/1761585/+subscriptions
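The conditional check described under [Impact], written out as an added example; it is not the upstream ibus patch or code from this bug report. It assumes plain POSIX calls instead of GLib and a single directory level instead of all parents; ensure_private_dir, count_mode_changes and the /tmp/ibus-demo-XXXXXX template are hypothetical names. The mode is read and changed through one file descriptor, so the check and the change act on the same directory.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: make sure `path` is a directory with mode 0700.
 * Returns 0 if the mode was already 0700 (no chmod issued),
 * 1 if the mode had to be changed, -1 on error. */
int ensure_private_dir(const char *path)
{
    struct stat st;
    int fd, rc = -1;

    if (mkdir(path, 0700) != 0 && errno != EEXIST)
        return -1;
    /* O_NOFOLLOW: refuse a symlink in place of the directory. */
    fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) == 0) {
        if ((st.st_mode & 07777) == 0700)
            rc = 0;                      /* already private: skip chmod */
        else if (fchmod(fd, 0700) == 0)
            rc = 1;                      /* mode differed: fix it once */
    }
    close(fd);
    return rc;
}

/* Constructed check: create a temp dir with mode `initial`, call the helper
 * twice, return how many calls changed the mode (-1 on error). */
int count_mode_changes(mode_t initial)
{
    char tmpl[] = "/tmp/ibus-demo-XXXXXX";
    struct stat st;
    int total = -1;

    if (!mkdtemp(tmpl))
        return -1;
    if (chmod(tmpl, initial) == 0) {
        int a = ensure_private_dir(tmpl), b = ensure_private_dir(tmpl);
        if (a >= 0 && b >= 0 && stat(tmpl, &st) == 0 && (st.st_mode & 07777) == 0700)
            total = a + b;
    }
    rmdir(tmpl);
    return total;
}
```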