I'm temporarily marking this SRU bug as verification-failed so that it
doesn't get let through until kernel bug 1579135 is fixed. Without the
kernel bug fix for bug 1579135, this SRU has the potential for oopsing
the kernel of some users. Lets sit on this SRU until the Xenial kernel
currently in -proposed has been released for ~1 week to give users some
time to upgrade and reboot.
** Tags removed: verification-needed
** Tags added: verification-failed
** Description changed:
+ IMPORTANT: SRU Team, see comment #25 for why this bug is temporarily
+ marked verification-failed
+
= SRU im-config =
[Impact]
ibus-daemon by default uses a unix socket name of /tmp/dbus-... that is
indistinguishable from dbus-daemon abstract sockets. While dbus-daemon has
AppArmor mediation, ibus-daemon does not so it is important that its abstract
socket not be confused with dbus-daemon's. By modifying ibus-daemon's start
arguments to use "--address 'unix:tmpdir=/tmp/ibus'" AppArmor can continue
mediating DBus abstract sockets like normal and also mediate access to the
ibus-daemon-specific abstract socket via unix rules. This also tidies up the
abstract socket paths so that it is clear which are for ibus-daemon, which for
dbus-daemon, etc.
The upload simply adjusts 21_ibus.rc to start ibus-daemon with "--
address 'unix:tmpdir=/tmp/ibus'" and adds a comment. No compiled code
changes are required.
[Test Case]
1. start a unity session before updating to the package in -proposed
2. $ grep IBUS_ADDRESS ~/.config/ibus/bus/*-unix-0
IBUS_ADDRESS=unix:abstract=/tmp/dbus-Vyx8fGFA,guid=28e8e7e89f902c8d4e9d77c5557add76
3. $ lsof -p $(pidof ibus-daemon) | grep '/dbus'
ibus-daem 2973 jamie 8u unix 0x0000000000000000 0t0 29606
@/tmp/dbus-oxKYpN30 type=STREAM
4. update the package in -proposed and perform '2' and '3'. The
IBUS_ADDRESSES should be the same as before
5. logout of unity, then log back in
6. $ grep IBUS_ADDRESS ~/.config/ibus/bus/*-unix-0
IBUS_ADDRESS=unix:abstract=/tmp/ibus/dbus-SpxOl8Fc,guid=06d4bbeb07614c6dffbf221c57473f4e
(notice '/tmp/ibus/' in the path)
7. $ lsof -p $(pidof ibus-daemon) | grep '/dbus'
ibus-daem 3471 jamie 8u unix 0x0000000000000000 0t0 26107
@/tmp/ibus/dbus-SpxOl8Fc type=STREAM
...
(notice '@/tmp/ibus/' in the path)
In addition to the above, you can test for regressions by opening
'System Settings' under the 'gear' icon in the panel and selecting 'Text
Entry'. From there, add an input source on the right, make sure 'Show
current input source in the menu bar' is checked, then use the input
source panel indicator to change input sources.
[Regression Potential]
The regression potential is considered low because there are no compiled
code changes and because the changes only occur after ibus-daemon is
restarted, which is upon session start, not package upgrade. When it is
restarted, the files in ~/.config/ibus/bus/*-unix-0 are updated
accordingly for other applications to pick up.
This change intentionally requires a change to the unity7 snapd
interface, which is in progress. Currently the change should not regress
snapdsbehavior due to other issues surrounding using ibus unrelated to
security policy.
= SRU apparmor =
[Impact]
The upload that adjusts ibus-daemon to start with "--address
'unix:tmpdir=/tmp/ibus'" causes the ibus AppArmor abstraction to no longer be
sufficient due to the lack of a rule for the new socket path. This upload adds
such a rule.
[Test Case]
1. Start a unity session after updating to the im-config package in -proposed
but before the apparmor package in -proposed
2. Use the ibus client program to list the available engines
$ ibus list-engine
language: Spanish; Castilian
- xkb:latam::spa - Spanish (Latin American)
- xkb:es::spa - Spanish
+ xkb:latam::spa - Spanish (Latin American)
+ xkb:es::spa - Spanish
language: Slovak
- xkb:sk:qwerty:slo - Slovak (qwerty)
- xkb:sk::slo - Slovak
+ xkb:sk:qwerty:slo - Slovak (qwerty)
+ xkb:sk::slo - Slovak
...
3. Create an AppArmor profile file, called ibus, with the following
contents:
#include <tunables/global>
profile ibus {
- #include <abstractions/base>
- #include <abstractions/dbus-session-strict>
- #include <abstractions/ibus>
+ #include <abstractions/base>
+ #include <abstractions/dbus-session-strict>
+ #include <abstractions/ibus>
- /usr/bin/ibus mr,
+ /usr/bin/ibus mr,
}
4. Load the profile
$ sudo apparmor_parser -qr ibus
5. Rerun the ibus client program under confinement to see that it fails
$ aa-exec -p ibus -- ibus list-engine
Can't connect to IBus.
6. Note the AppArmor denial in the syslog
audit: type=1400 audit(1472252079.589:57): apparmor="DENIED"
operation="connect" profile="ibus" pid=5364 comm="ibus" family="unix"
sock_type="stream" protocol=0 requested_mask="send receive connect"
denied_mask="send connect" addr=none peer_addr="@/tmp/ibus/dbus-
kxnhAsmv" peer="unconfined"
7. Update to the apparmor package in -proposed
8. Rerun the ibus client program under confinement to see that it works
$ aa-exec -p ibus -- ibus list-engine
language: Spanish; Castilian
- xkb:latam::spa - Spanish (Latin American)
- xkb:es::spa - Spanish
+ xkb:latam::spa - Spanish (Latin American)
+ xkb:es::spa - Spanish
language: Slovak
- xkb:sk:qwerty:slo - Slovak (qwerty)
- xkb:sk::slo - Slovak
+ xkb:sk:qwerty:slo - Slovak (qwerty)
+ xkb:sk::slo - Slovak
...
[Regression Potential]
The regression potential is considered low because there are no compiled
code changes and because the changes only add additional rules to the
apparmor ibus abstraction.
= Original description =
Currently snaps can't access ibus/fcitx from the system, do we need a
interface for input methods there?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1580463
Title:
Snap blocks access to system input methods (ibus, fcitx, ...)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1580463/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
