[Bug 1580463] [NEW] Snap blocks access to system input methods (ibus, fcitx, ...)

Launchpad Bug Tracker 1580463 at bugs.launchpad.net
Fri Sep 20 10:37:08 UTC 2019 

You have been subscribed to a public bug by Gunnar Hjalmarsson (gunnarhj):

= SRU im-config =
[Impact]
ibus-daemon by default uses a unix socket name of /tmp/dbus-... that is indistinguishable from dbus-daemon abstract sockets. While dbus-daemon has AppArmor mediation, ibus-daemon does not so it is important that its abstract socket not be confused with dbus-daemon's. By modifying ibus-daemon's start arguments to use "--address 'unix:tmpdir=/tmp/ibus'" AppArmor can continue mediating DBus abstract sockets like normal and also mediate access to the ibus-daemon-specific abstract socket via unix rules. This also tidies up the abstract socket paths so that it is clear which are for ibus-daemon, which for dbus-daemon, etc.

The upload simply adjusts 21_ibus.rc to start ibus-daemon with "--
address 'unix:tmpdir=/tmp/ibus'" and adds a comment. No compiled code
changes are required.

[Test Case]
1. start a unity session before updating to the package in -proposed

2. $ grep IBUS_ADDRESS ~/.config/ibus/bus/*-unix-0
IBUS_ADDRESS=unix:abstract=/tmp/dbus-Vyx8fGFA,guid=28e8e7e89f902c8d4e9d77c5557add76

3. $ lsof -p $(pidof ibus-daemon) | grep '/dbus'
ibus-daem 2973 jamie    8u     unix 0x0000000000000000      0t0   29606 @/tmp/dbus-oxKYpN30 type=STREAM

4. update the package in -proposed and perform '2' and '3'. The
IBUS_ADDRESSES should be the same as before

5. logout of unity, then log back in

6. $ grep IBUS_ADDRESS ~/.config/ibus/bus/*-unix-0
IBUS_ADDRESS=unix:abstract=/tmp/ibus/dbus-SpxOl8Fc,guid=06d4bbeb07614c6dffbf221c57473f4e

(notice '/tmp/ibus/' in the path)

7. $ lsof -p $(pidof ibus-daemon) | grep '/dbus'
ibus-daem 3471 jamie    8u     unix 0x0000000000000000      0t0  26107 @/tmp/ibus/dbus-SpxOl8Fc type=STREAM
...

(notice '@/tmp/ibus/' in the path)

In addition to the above, you can test for regressions by opening
'System Settings' under the 'gear' icon in the panel and selecting 'Text
Entry'. From there, add an input source on the right, make sure 'Show
current input source in the menu bar' is checked, then use the input
source panel indicator to change input sources.

Extended test case to verify input support still works in unconfined and
confined applications:

1. Systems Settings Language Support, if prompted install the complete language support
2. Install Chinese (simple and traditional)
3. sudo apt-get install ibus-pinyin ibus-sunpinyin
4. logout / login
5. System Settings / Text Entry - add Chinese (Pinyin) (IBus)
6. select pinyin from the indicator
7. sudo lsof | grep ibus | grep @ # will use @/tmp/dbus-...
8. open gnome-calculator and try to type something in (should get a pop-up)
9. open evince and try to search a pdf (should get a pop up)
10. upgrade apparmor and im-config from xenial-proposed
11. logout and back in
12. sudo lsof | grep ibus | grep @ # will use @/tmp/ibus/...
13. open gnome-calculator and try to type something in (should get a pop-up)
14. open evince and try to search a pdf (should get a pop up)
15. verify no new apparmor denials

[Regression Potential]

The regression potential is considered low because there are no compiled
code changes and because the changes only occur after ibus-daemon is
restarted, which is upon session start, not package upgrade. When it is
restarted, the files in ~/.config/ibus/bus/*-unix-0 are updated
accordingly for other applications to pick up.

This change intentionally requires a change to the unity7 snapd
interface, which is in already done.

This change intentionally requires a change to apparmor to add a unix
rule for communicating with the new ibus address. This is in xenial-
proposed 2.10.95-0ubuntu2.3 (and 2.10.95-0ubuntu2.4). The packages
changes to im-config use 'Breaks: apparmor (<< 2.10.95-0ubuntu2.3) to
ensure that the apparmor abstraction is updated and policy recompiled
before ibus is restarted. This was omitted from the initial im-config
upload which resulted in bug #1588197. Test cases ensuring this is
working properly are included above under 'Extended test case'.

= SRU apparmor =
[Impact]
The upload that adjusts ibus-daemon to start with "--address 'unix:tmpdir=/tmp/ibus'" causes the ibus AppArmor abstraction to no longer be sufficient due to the lack of a rule for the new socket path. This upload adds such a rule.

[Test Case]
1. Start a unity session after updating to the im-config package in -proposed but before the apparmor package in -proposed

2. Use the ibus client program to list the available engines
$ ibus list-engine
language: Spanish; Castilian
  xkb:latam::spa - Spanish (Latin American)
  xkb:es::spa - Spanish
language: Slovak
  xkb:sk:qwerty:slo - Slovak (qwerty)
  xkb:sk::slo - Slovak
...

3. Create an AppArmor profile file, called ibus, with the following
contents:

#include <tunables/global>

profile ibus {
  #include <abstractions/base>
  #include <abstractions/dbus-session-strict>
  #include <abstractions/ibus>

  /usr/bin/ibus mr,

}

4. Load the profile
$ sudo apparmor_parser -qr ibus

5. Rerun the ibus client program under confinement to see that it fails
$ aa-exec -p ibus -- ibus list-engine
Can't connect to IBus.

6. Note the AppArmor denial in the syslog

audit: type=1400 audit(1472252079.589:57): apparmor="DENIED"
operation="connect" profile="ibus" pid=5364 comm="ibus" family="unix"
sock_type="stream" protocol=0 requested_mask="send receive connect"
denied_mask="send connect" addr=none peer_addr="@/tmp/ibus/dbus-
kxnhAsmv" peer="unconfined"

7. Update to the apparmor package in -proposed

8. Reload the profile
$ sudo apparmor_parser -qr ibus

9. Rerun the ibus client program under confinement to see that it works
$ aa-exec -p ibus -- ibus list-engine
language: Spanish; Castilian
  xkb:latam::spa - Spanish (Latin American)
  xkb:es::spa - Spanish
language: Slovak
  xkb:sk:qwerty:slo - Slovak (qwerty)
  xkb:sk::slo - Slovak
...

[Regression Potential]

The regression potential is considered low because there are no compiled
code changes and because the changes only add additional rules to the
apparmor ibus abstraction.

= Original description =
Currently snaps can't access ibus/fcitx from the system, do we need a interface for input methods there?

** Affects: ibus
     Importance: Unknown
         Status: Fix Released

** Affects: apparmor (Ubuntu)
     Importance: Medium
     Assignee: Tyler Hicks (tyhicks)
         Status: Fix Released

** Affects: ibus (Ubuntu)
     Importance: Medium
     Assignee: Gunnar Hjalmarsson (gunnarhj)
         Status: In Progress

** Affects: im-config (Ubuntu)
     Importance: Medium
     Assignee: Jamie Strandboge (jdstrand)
         Status: Fix Released

** Affects: snapd (Ubuntu)
     Importance: Medium
         Status: Fix Released

** Affects: apparmor (Ubuntu Xenial)
     Importance: Medium
     Assignee: Tyler Hicks (tyhicks)
         Status: Fix Released

** Affects: im-config (Ubuntu Xenial)
     Importance: Medium
     Assignee: Jamie Strandboge (jdstrand)
         Status: Fix Released

** Affects: snapd (Ubuntu Xenial)
     Importance: Medium
         Status: Fix Released

** Affects: apparmor (Ubuntu Yakkety)
     Importance: Medium
     Assignee: Tyler Hicks (tyhicks)
         Status: Fix Released

** Affects: im-config (Ubuntu Yakkety)
     Importance: Medium
     Assignee: Jamie Strandboge (jdstrand)
         Status: Fix Released

** Affects: snapd (Ubuntu Yakkety)
     Importance: Medium
         Status: Fix Released


** Tags: patch snap-desktop-issue snapd-interface verification-done
-- 
Snap blocks access to system input methods (ibus, fcitx, ...)
https://bugs.launchpad.net/bugs/1580463
You received this bug notification because you are a member of Ubuntu Sponsors Team, which is subscribed to the bug report.

More information about the Ubuntu-sponsors mailing list