** Description changed:

- Currently snaps can't access ibus/fcitx from the system, do we need a
- interface for input methods there?
+ = SRU im-config =
+ [Impact] 
+ ibus-daemon by default uses a unix socket name of /tmp/dbus-... that is 
indistinguishable from dbus-daemon abstract sockets. While dbus-daemon has 
AppArmor mediation, ibus-daemon does not so it is important that its abstract 
socket not be confused with dbus-daemon's. By modifying ibus-daemon's start 
arguments to use "--address 'unix:tmpdir=/tmp/ibus'" AppArmor can continue 
mediating DBus abstract sockets like normal and also mediate access to the 
ibus-daemon-specific abstract socket via unix rules. This also tidies up the 
abstract socket paths so that it is clear which are for ibus-daemon, which for 
dbus-daemon, etc.
+ 
+ The upload simply adjusts 21_ibus.rc to start ibus-daemon with "--
+ address 'unix:tmpdir=/tmp/ibus'" and adds a comment. No compiled code
+ changes are required.
+ 
+ [Test Case]
+ 1. start a unity session
+ 
+ 2. $ grep IBUS_ADDRESS ~/.config/ibus/bus/*-unix-0
+ IBUS_ADDRESS=unix:abstract=/tmp/ibus/dbus-
+ SpxOl8Fc,guid=06d4bbeb07614c6dffbf221c57473f4e
+ 
+ A system without this update will instead show something like:
+ 
IBUS_ADDRESS=unix:abstract=/tmp/dbus-Vyx8fGFA,guid=28e8e7e89f902c8d4e9d77c5557add76
+ 
+ 3. $ lsof -p $(pidof ibus-daemon) | grep '/dbus'
+ ibus-daem 3471 jamie    8u     unix 0x0000000000000000      0t0  26107 
@/tmp/ibus/dbus-SpxOl8Fc type=STREAM
+ ...
+ 
+ A system without this update will instead show something like:
+ ibus-daem 2973 jamie    8u     unix 0x0000000000000000      0t0   29606 
@/tmp/dbus-oxKYpN30 type=STREAM
+ 
+ In addition to the above, you can test for regressions by opening
+ 'System Settings' under the 'gear' icon in the panel and selecting 'Text
+ Entry'. From there, add an input source on the right, make sure 'Show
+ current input source in the menu bar' is checked, then use the input
+ source panel indicator to change input sources.
+ 
+ 
+ [Regression Potential] 
+ 
+ The regression potential is considered low because there are no compiled
+ code changes and because the changes only occur after ibus-daemon is
+ restarted, which is upon session start, not package upgrade. When it is
+ restarted, the files in ~/.config/ibus/bus/*-unix-0 are updated
+ accordingly for other applications to pick up.
+ 
+ 
+ = Original description =
+ Currently snaps can't access ibus/fcitx from the system, do we need a 
interface for input methods there?
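
Review bot: In [Test Case] step 3, grep '/dbus' matches both the updated socket (@/tmp/ibus/dbus-...) and the pre-update one (@/tmp/dbus-...), so the command output alone does not show pass or fail and the tester has to compare paths by eye. Suggest matching on '@/tmp/ibus/dbus-' in step 3 and on 'abstract=/tmp/ibus/' in step 2, and stating that ibus-daemon should hold no @/tmp/dbus- socket after the update. The [Impact] text says AppArmor can mediate the ibus-daemon socket "via unix rules", but the test case never exercises a confined client, so it verifies the path change only, not the mediation.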

** Description changed:

  = SRU im-config =
- [Impact] 
+ [Impact]
  ibus-daemon by default uses a unix socket name of /tmp/dbus-... that is 
indistinguishable from dbus-daemon abstract sockets. While dbus-daemon has 
AppArmor mediation, ibus-daemon does not so it is important that its abstract 
socket not be confused with dbus-daemon's. By modifying ibus-daemon's start 
arguments to use "--address 'unix:tmpdir=/tmp/ibus'" AppArmor can continue 
mediating DBus abstract sockets like normal and also mediate access to the 
ibus-daemon-specific abstract socket via unix rules. This also tidies up the 
abstract socket paths so that it is clear which are for ibus-daemon, which for 
dbus-daemon, etc.
  
  The upload simply adjusts 21_ibus.rc to start ibus-daemon with "--
  address 'unix:tmpdir=/tmp/ibus'" and adds a comment. No compiled code
  changes are required.
  
  [Test Case]
  1. start a unity session
  
  2. $ grep IBUS_ADDRESS ~/.config/ibus/bus/*-unix-0
  IBUS_ADDRESS=unix:abstract=/tmp/ibus/dbus-
  SpxOl8Fc,guid=06d4bbeb07614c6dffbf221c57473f4e
  
  A system without this update will instead show something like:
  
IBUS_ADDRESS=unix:abstract=/tmp/dbus-Vyx8fGFA,guid=28e8e7e89f902c8d4e9d77c5557add76
  
  3. $ lsof -p $(pidof ibus-daemon) | grep '/dbus'
  ibus-daem 3471 jamie    8u     unix 0x0000000000000000      0t0  26107 
@/tmp/ibus/dbus-SpxOl8Fc type=STREAM
  ...
  
  A system without this update will instead show something like:
  ibus-daem 2973 jamie    8u     unix 0x0000000000000000      0t0   29606 
@/tmp/dbus-oxKYpN30 type=STREAM
  
  In addition to the above, you can test for regressions by opening
  'System Settings' under the 'gear' icon in the panel and selecting 'Text
  Entry'. From there, add an input source on the right, make sure 'Show
  current input source in the menu bar' is checked, then use the input
  source panel indicator to change input sources.
  
- 
- [Regression Potential] 
+ [Regression Potential]
  
  The regression potential is considered low because there are no compiled
  code changes and because the changes only occur after ibus-daemon is
  restarted, which is upon session start, not package upgrade. When it is
  restarted, the files in ~/.config/ibus/bus/*-unix-0 are updated
  accordingly for other applications to pick up.
  
+ This change intentionally requires a change to the unity7 snapd
+ interface, which is in progress.
  
  = Original description =
  Currently snaps can't access ibus/fcitx from the system, do we need a 
interface for input methods there?
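
Review bot: The sentence added under [Regression Potential] ("This change intentionally requires a change to the unity7 snapd interface, which is in progress.") names a dependency but not its effect. It does not say what snaps using the unity7 interface will see between this upload and the interface update, and it gives no bug or branch reference for the in-progress work. Since the section argues that regression potential is low, suggest adding the interim behaviour and a pointer to the snapd change.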

** Description changed:

  = SRU im-config =
  [Impact]
  ibus-daemon by default uses a unix socket name of /tmp/dbus-... that is 
indistinguishable from dbus-daemon abstract sockets. While dbus-daemon has 
AppArmor mediation, ibus-daemon does not so it is important that its abstract 
socket not be confused with dbus-daemon's. By modifying ibus-daemon's start 
arguments to use "--address 'unix:tmpdir=/tmp/ibus'" AppArmor can continue 
mediating DBus abstract sockets like normal and also mediate access to the 
ibus-daemon-specific abstract socket via unix rules. This also tidies up the 
abstract socket paths so that it is clear which are for ibus-daemon, which for 
dbus-daemon, etc.
  
  The upload simply adjusts 21_ibus.rc to start ibus-daemon with "--
  address 'unix:tmpdir=/tmp/ibus'" and adds a comment. No compiled code
  changes are required.
  
  [Test Case]
  1. start a unity session
  
  2. $ grep IBUS_ADDRESS ~/.config/ibus/bus/*-unix-0
  IBUS_ADDRESS=unix:abstract=/tmp/ibus/dbus-
  SpxOl8Fc,guid=06d4bbeb07614c6dffbf221c57473f4e
  
  A system without this update will instead show something like:
  
IBUS_ADDRESS=unix:abstract=/tmp/dbus-Vyx8fGFA,guid=28e8e7e89f902c8d4e9d77c5557add76
  
  3. $ lsof -p $(pidof ibus-daemon) | grep '/dbus'
  ibus-daem 3471 jamie    8u     unix 0x0000000000000000      0t0  26107 
@/tmp/ibus/dbus-SpxOl8Fc type=STREAM
  ...
  
  A system without this update will instead show something like:
  ibus-daem 2973 jamie    8u     unix 0x0000000000000000      0t0   29606 
@/tmp/dbus-oxKYpN30 type=STREAM
  
  In addition to the above, you can test for regressions by opening
  'System Settings' under the 'gear' icon in the panel and selecting 'Text
  Entry'. From there, add an input source on the right, make sure 'Show
  current input source in the menu bar' is checked, then use the input
  source panel indicator to change input sources.
  
  [Regression Potential]
  
  The regression potential is considered low because there are no compiled
  code changes and because the changes only occur after ibus-daemon is
  restarted, which is upon session start, not package upgrade. When it is
  restarted, the files in ~/.config/ibus/bus/*-unix-0 are updated
  accordingly for other applications to pick up.
  
  This change intentionally requires a change to the unity7 snapd
- interface, which is in progress.
+ interface, which is in progress. Currently the change should not regress
+ snapdsbehavior due to other issues surrounding using ibus unrelated to
+ security policy.
  
  = Original description =
  Currently snaps can't access ibus/fcitx from the system, do we need a 
interface for input methods there?
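
Review bot: The text added at the end of [Regression Potential] contains "snapdsbehavior", which appears to be "snapd's behavior" run together. The reason that follows, "due to other issues surrounding using ibus unrelated to security policy", is unspecific for an SRU justification; suggest naming those issues or linking the bug that tracks them so the no-regression reasoning can be checked.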

https://bugs.launchpad.net/bugs/1580463

Title:
  Snap blocks access to system input methods (ibus, fctix, ...)
