** Description changed:
= SRU im-config =
[Impact]
ibus-daemon by default uses a unix socket name of /tmp/dbus-... that is
indistinguishable from dbus-daemon abstract sockets. While dbus-daemon has
AppArmor mediation, ibus-daemon does not so it is important that its abstract
socket not be confused with dbus-daemon's. By modifying ibus-daemon's start
arguments to use "--address 'unix:tmpdir=/tmp/ibus'" AppArmor can continue
mediating DBus abstract sockets like normal and also mediate access to the
ibus-daemon-specific abstract socket via unix rules. This also tidies up the
abstract socket paths so that it is clear which are for ibus-daemon, which for
dbus-daemon, etc.
The upload simply adjusts 21_ibus.rc to start ibus-daemon with "--
address 'unix:tmpdir=/tmp/ibus'" and adds a comment. No compiled code
changes are required.
[Test Case]
1. start a unity session before updating to the package in -proposed
- 2. $ grep IBUS_ADDRESS ~/.config/ibus/bus/*-unix-0
+ 2. $ grep IBUS_ADDRESS ~/.config/ibus/bus/*-unix-0
IBUS_ADDRESS=unix:abstract=/tmp/dbus-Vyx8fGFA,guid=28e8e7e89f902c8d4e9d77c5557add76
3. $ lsof -p $(pidof ibus-daemon) | grep '/dbus'
ibus-daem 2973 jamie 8u unix 0x0000000000000000 0t0 29606
@/tmp/dbus-oxKYpN30 type=STREAM
4. update the package in -proposed and perform '2' and '3'. The
IBUS_ADDRESSES should be the same as before
5. logout of unity, then log back in
- 6. $ grep IBUS_ADDRESS ~/.config/ibus/bus/*-unix-0
+ 6. $ grep IBUS_ADDRESS ~/.config/ibus/bus/*-unix-0
IBUS_ADDRESS=unix:abstract=/tmp/ibus/dbus-SpxOl8Fc,guid=06d4bbeb07614c6dffbf221c57473f4e
(notice '/tmp/ibus/' in the path)
7. $ lsof -p $(pidof ibus-daemon) | grep '/dbus'
ibus-daem 3471 jamie 8u unix 0x0000000000000000 0t0 26107
@/tmp/ibus/dbus-SpxOl8Fc type=STREAM
...
(notice '@/tmp/ibus/' in the path)
In addition to the above, you can test for regressions by opening
'System Settings' under the 'gear' icon in the panel and selecting 'Text
Entry'. From there, add an input source on the right, make sure 'Show
current input source in the menu bar' is checked, then use the input
source panel indicator to change input sources.
[Regression Potential]
The regression potential is considered low because there are no compiled
code changes and because the changes only occur after ibus-daemon is
restarted, which is upon session start, not package upgrade. When it is
restarted, the files in ~/.config/ibus/bus/*-unix-0 are updated
accordingly for other applications to pick up.
This change intentionally requires a change to the unity7 snapd
interface, which is in progress. Currently the change should not regress
snapdsbehavior due to other issues surrounding using ibus unrelated to
security policy.
+ = SRU apparmor =
+ [Impact]
+ The upload that adjusts ibus-daemon to start with "--address
'unix:tmpdir=/tmp/ibus'" causes the ibus AppArmor abstraction to no longer be
sufficient due to the lack of a rule for the new socket path. This upload adds
such a rule.
+
+ [Test Case]
+ 1. Start a unity session after updating to the im-config package in -proposed
but before the apparmor package in -proposed
+
+ 2. Use the ibus client program to list the available engines
+ $ ibus list-engine
+ language: Spanish; Castilian
+ xkb:latam::spa - Spanish (Latin American)
+ xkb:es::spa - Spanish
+ language: Slovak
+ xkb:sk:qwerty:slo - Slovak (qwerty)
+ xkb:sk::slo - Slovak
+ ...
+
+ 3. Create an AppArmor profile file, called ibus, with the following
+ contents:
+
+ #include <tunables/global>
+
+ profile ibus {
+ #include <abstractions/base>
+ #include <abstractions/dbus-session-strict>
+ #include <abstractions/ibus>
+
+ /usr/bin/ibus mr,
+
+ }
+
+ 4. Load the profile
+ $ sudo apparmor_parser -qr ibus
+
+ 5. Rerun the ibus client program under confinement to see that it fails
+ $ aa-exec -p ibus -- ibus list-engine
+ Can't connect to IBus.
+
+ 6. Note the AppArmor denial in the syslog
+
+ audit: type=1400 audit(1472252079.589:57): apparmor="DENIED"
+ operation="connect" profile="ibus" pid=5364 comm="ibus" family="unix"
+ sock_type="stream" protocol=0 requested_mask="send receive connect"
+ denied_mask="send connect" addr=none peer_addr="@/tmp/ibus/dbus-
+ kxnhAsmv" peer="unconfined"
+
+ 7. Update to the apparmor package in -proposed
+
+ 8. Rerun the ibus client program under confinement to see that it works
+
+ $ aa-exec -p ibus -- ibus list-engine
+ language: Spanish; Castilian
+ xkb:latam::spa - Spanish (Latin American)
+ xkb:es::spa - Spanish
+ language: Slovak
+ xkb:sk:qwerty:slo - Slovak (qwerty)
+ xkb:sk::slo - Slovak
+ ...
+
+ [Regression Potential]
+
+ The regression potential is considered low because there are no compiled
+ code changes and because the changes only add additional rules to the
+ apparmor ibus abstraction.
+
= Original description =
Currently snaps can't access ibus/fcitx from the system, do we need a
interface for input methods there?
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to apparmor in Ubuntu.
https://bugs.launchpad.net/bugs/1580463
Title:
Snap blocks access to system input methods (ibus, fcitx, ...)
Status in apparmor package in Ubuntu:
In Progress
Status in im-config package in Ubuntu:
Fix Released
Status in snapd package in Ubuntu:
Fix Released
Status in apparmor source package in Xenial:
Triaged
Status in im-config source package in Xenial:
In Progress
Status in snapd source package in Xenial:
Fix Released
Status in apparmor source package in Yakkety:
In Progress
Status in im-config source package in Yakkety:
Fix Released
Status in snapd source package in Yakkety:
Fix Released
Bug description:
= SRU im-config =
[Impact]
ibus-daemon by default uses a unix socket name of /tmp/dbus-... that is
indistinguishable from dbus-daemon abstract sockets. While dbus-daemon has
AppArmor mediation, ibus-daemon does not so it is important that its abstract
socket not be confused with dbus-daemon's. By modifying ibus-daemon's start
arguments to use "--address 'unix:tmpdir=/tmp/ibus'" AppArmor can continue
mediating DBus abstract sockets like normal and also mediate access to the
ibus-daemon-specific abstract socket via unix rules. This also tidies up the
abstract socket paths so that it is clear which are for ibus-daemon, which for
dbus-daemon, etc.
The upload simply adjusts 21_ibus.rc to start ibus-daemon with "--
address 'unix:tmpdir=/tmp/ibus'" and adds a comment. No compiled code
changes are required.
[Test Case]
1. start a unity session before updating to the package in -proposed
2. $ grep IBUS_ADDRESS ~/.config/ibus/bus/*-unix-0
IBUS_ADDRESS=unix:abstract=/tmp/dbus-Vyx8fGFA,guid=28e8e7e89f902c8d4e9d77c5557add76
3. $ lsof -p $(pidof ibus-daemon) | grep '/dbus'
ibus-daem 2973 jamie 8u unix 0x0000000000000000 0t0 29606
@/tmp/dbus-oxKYpN30 type=STREAM
4. update the package in -proposed and perform '2' and '3'. The
IBUS_ADDRESSES should be the same as before
5. logout of unity, then log back in
6. $ grep IBUS_ADDRESS ~/.config/ibus/bus/*-unix-0
IBUS_ADDRESS=unix:abstract=/tmp/ibus/dbus-SpxOl8Fc,guid=06d4bbeb07614c6dffbf221c57473f4e
(notice '/tmp/ibus/' in the path)
7. $ lsof -p $(pidof ibus-daemon) | grep '/dbus'
ibus-daem 3471 jamie 8u unix 0x0000000000000000 0t0 26107
@/tmp/ibus/dbus-SpxOl8Fc type=STREAM
...
(notice '@/tmp/ibus/' in the path)
In addition to the above, you can test for regressions by opening
'System Settings' under the 'gear' icon in the panel and selecting
'Text Entry'. From there, add an input source on the right, make sure
'Show current input source in the menu bar' is checked, then use the
input source panel indicator to change input sources.
[Regression Potential]
The regression potential is considered low because there are no
compiled code changes and because the changes only occur after ibus-
daemon is restarted, which is upon session start, not package upgrade.
When it is restarted, the files in ~/.config/ibus/bus/*-unix-0 are
updated accordingly for other applications to pick up.
This change intentionally requires a change to the unity7 snapd
interface, which is in progress. Currently the change should not
regress snapdsbehavior due to other issues surrounding using ibus
unrelated to security policy.
= SRU apparmor =
[Impact]
The upload that adjusts ibus-daemon to start with "--address
'unix:tmpdir=/tmp/ibus'" causes the ibus AppArmor abstraction to no longer be
sufficient due to the lack of a rule for the new socket path. This upload adds
such a rule.
[Test Case]
1. Start a unity session after updating to the im-config package in -proposed
but before the apparmor package in -proposed
2. Use the ibus client program to list the available engines
$ ibus list-engine
language: Spanish; Castilian
xkb:latam::spa - Spanish (Latin American)
xkb:es::spa - Spanish
language: Slovak
xkb:sk:qwerty:slo - Slovak (qwerty)
xkb:sk::slo - Slovak
...
3. Create an AppArmor profile file, called ibus, with the following
contents:
#include <tunables/global>
profile ibus {
#include <abstractions/base>
#include <abstractions/dbus-session-strict>
#include <abstractions/ibus>
/usr/bin/ibus mr,
}
4. Load the profile
$ sudo apparmor_parser -qr ibus
5. Rerun the ibus client program under confinement to see that it fails
$ aa-exec -p ibus -- ibus list-engine
Can't connect to IBus.
6. Note the AppArmor denial in the syslog
audit: type=1400 audit(1472252079.589:57): apparmor="DENIED"
operation="connect" profile="ibus" pid=5364 comm="ibus" family="unix"
sock_type="stream" protocol=0 requested_mask="send receive connect"
denied_mask="send connect" addr=none peer_addr="@/tmp/ibus/dbus-
kxnhAsmv" peer="unconfined"
7. Update to the apparmor package in -proposed
8. Rerun the ibus client program under confinement to see that it
works
$ aa-exec -p ibus -- ibus list-engine
language: Spanish; Castilian
xkb:latam::spa - Spanish (Latin American)
xkb:es::spa - Spanish
language: Slovak
xkb:sk:qwerty:slo - Slovak (qwerty)
xkb:sk::slo - Slovak
...
[Regression Potential]
The regression potential is considered low because there are no
compiled code changes and because the changes only add additional
rules to the apparmor ibus abstraction.
= Original description =
Currently snaps can't access ibus/fcitx from the system, do we need a
interface for input methods there?
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1580463/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
