[Bug 1881232] Re: AppArmor blocks ibus input when IBUS_USE_PORTAL=1
I was able to reproduce the issue and resolve it with the suggested policy with James' suggestions. Thanks! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1881232 Title: AppArmor blocks ibus input when IBUS_USE_PORTAL=1 To manage notifications about this bug go to: https://bugs.launchpad.net/snapd/+bug/1881232/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1881232] Re: AppArmor blocks ibus input when IBUS_USE_PORTAL=1
** Changed in: snapd Status: Triaged => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1881232 Title: AppArmor blocks ibus input when IBUS_USE_PORTAL=1 To manage notifications about this bug go to: https://bugs.launchpad.net/snapd/+bug/1881232/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1881232] Re: AppArmor blocks ibus input when IBUS_USE_PORTAL=1
I'll update the desktop interface. Thanks! ** Changed in: snapd Assignee: Samuele Pedroni (pedronis) => Jamie Strandboge (jdstrand) ** Changed in: snapd Status: Confirmed => Triaged -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1881232 Title: AppArmor blocks ibus input when IBUS_USE_PORTAL=1 To manage notifications about this bug go to: https://bugs.launchpad.net/snapd/+bug/1881232/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1881232] Re: AppArmor blocks ibus input when IBUS_USE_PORTAL=1
This looks like a good candidate for the "desktop" interface. Security is significantly better than the traditional IBus communication method, since access to IBusContexts are restricted to their owner: https://github.com/ibus/ibus/blob/master/portal/portal.c#L354-L370 ... and IBusContext signals are unicast to the owner rather than broadcast: https://github.com/ibus/ibus/blob/master/portal/portal.c#L408-L414 Further more, IBus's non-portal communication method goes over a separate socket connection. So any session bus rules we add should not inadvertently provide access to the insecure API. I would also consider merging the last two proposed rules into one like so: dbus (send, receive) bus=session path=/org/freedesktop/IBus/InputContext_[0-9]* interface=org.freedesktop.IBus.InputContext peer=(label=unconfined), It doesn't look like there is any methods with different level of privilege on the interface, and this avoids incompatibilities if IBus evolves in future. We probably also want to allow communication with peer=(name=org.freedesktop.portal.IBus) for the base CreateInputContext API, since the service file does not contain an AssumedAppArmorLabel field that would allow service activation to succeed otherwise. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1881232 Title: AppArmor blocks ibus input when IBUS_USE_PORTAL=1 To manage notifications about this bug go to: https://bugs.launchpad.net/snapd/+bug/1881232/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1881232] Re: AppArmor blocks ibus input when IBUS_USE_PORTAL=1
** Changed in: snapd Assignee: (unassigned) => Samuele Pedroni (pedronis) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1881232 Title: AppArmor blocks ibus input when IBUS_USE_PORTAL=1 To manage notifications about this bug go to: https://bugs.launchpad.net/snapd/+bug/1881232/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1881232] Re: AppArmor blocks ibus input when IBUS_USE_PORTAL=1
** Changed in: snapd (Ubuntu) Status: New => Incomplete ** Changed in: snapd (Ubuntu) Status: Incomplete => Confirmed ** Changed in: snapd (Ubuntu) Importance: Undecided => High -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1881232 Title: AppArmor blocks ibus input when IBUS_USE_PORTAL=1 To manage notifications about this bug go to: https://bugs.launchpad.net/snapd/+bug/1881232/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1881232] Re: AppArmor blocks ibus input when IBUS_USE_PORTAL=1
Based on https://github.com/flatpak/flatpak/issues/675, this seems like it would be safe to add to the desktop interface. James Henstridge, can you comment? ** Bug watch added: github.com/flatpak/flatpak/issues #675 https://github.com/flatpak/flatpak/issues/675 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1881232 Title: AppArmor blocks ibus input when IBUS_USE_PORTAL=1 To manage notifications about this bug go to: https://bugs.launchpad.net/snapd/+bug/1881232/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1881232] Re: AppArmor blocks ibus input when IBUS_USE_PORTAL=1
** Changed in: snapd Importance: Undecided => High ** Changed in: snapd Status: New => Confirmed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1881232 Title: AppArmor blocks ibus input when IBUS_USE_PORTAL=1 To manage notifications about this bug go to: https://bugs.launchpad.net/snapd/+bug/1881232/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1881232] Re: AppArmor blocks ibus input when IBUS_USE_PORTAL=1
** Also affects: snapd (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1881232 Title: AppArmor blocks ibus input when IBUS_USE_PORTAL=1 To manage notifications about this bug go to: https://bugs.launchpad.net/snapd/+bug/1881232/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
