Snap blocks access to system input methods (ibus, fcitx, ...)

We either need an interface or to simply update the unity7 interface accordingly. Can you please provide a snap and instructions on how to reproduce (for both ibus and fcitx)?

Hum, there are some issues there

* ibus/fcitx integrate into the toolkits by using modules, for example to have a gtk3 software working with ibus you need "ibus-gtk3" installed, for fctix you need "fcitx-frontend-gtk3" ... do we expect every snap to have to include those?

* those have an user session daemon, that's the part where I though we would need an interface/plug (or we need the snaps to ship the daemon and start a custom dbus bus and make their own service use that) ... or we need to have the personal core including ibus/fcitx

* the client needs to be able to talk to im service

I didn't get it to work yet but I'm working using the gnome-calculator example and building the snap with "ibus-gtk3" listed in the stage-packages.
To have ibus working you need to
- have ibus installed
- go to unity-control-center -> text input, add a input source using (e.g "chinese (pinyin) (ibus)")
- have ibus configured as input method, that should be default (check GTK_IM_MODULE and use "im-config -n ibus"/restart session if needed)
- select the pinyin layout in the indicator
- type some text in a gtk entry (e.g the calculator one)

that should display a popover widget with chinese symbols

Ok, I got it working, in addition of the previous steps you need:
- cp /usr/lib/x86_64-linux-gnu/gtk-3.0/3.0.0/immodules.cache to your snap dir
- edit it to keep only ibus/change the dirs to be "/snap/gnome-calculator/current/..."
- have the yaml define "immodules.cache: usr/lib/x86_64-linux-gnu/gtk-3.0/3.0.0/immodules.cache" in the files section
- set "export GTK_IM_MODULE_FILE=$SNAP/usr/lib/x86_64-linux-gnu/gtk-3.0/3.0.0/immodules.cache" in the calc script
- build/install the snap
- then copy ~/.config/ibus/bus/* from your session to ~/snap/gnome-calculator/<id>/.config/ibus/bus

the bus info seems to be written by the ibus service and needed for the client to access it, unsure how that could be integrated in the snap build...

things work even without devmode, that's probably because ibus is using a private bus between the service and the client and that's not being restricted

"things work even without devmode, that's probably because ibus is using a private bus between the service and the client and that's not being restricted"

Note that we have a few things in the unity7 interface already: accesses to @{HOME}/.config/ibus/bus/* and some accesses to the accessibility bus. @{HOME}/.config/ibus/bus/* contains files with information on where to find the ibus abstract socket. Eg:
$ cat ./.config/ibus/bus/9c3de18b4ba9455c74e059fe00000003-unix-0
# This file is created by ibus-daemon, please do not modify it
IBUS_ADDRESS=unix:abstract=/tmp/dbus-Vyx8fGFA,guid=28e8e7e89f902c8d4e9d77c5557add76
IBUS_DAEMON_PID=2217

We then have dbus-session-strict:
  unix (connect, receive, send)
       type=stream
       peer=(addr="@/tmp/dbus-*"),

There is a problem with this policy though; that access is not very strict at all and we should adjust the unity7 interface accordingly (and test that ibus still works).

Is ibus-daemon actually a dbus service or is it something else?

k, well the issue is that the bus address is written in the real userdir and ibus tries to look at the standard location which is diverted to the private dir in the snap, which is empty... we would need something to copy or bind mount the real dir over

On 05/11/2016 10:22 AM, Jamie Strandboge wrote:
...
>
> We then have dbus-session-strict:
> unix (connect, receive, send)
> type=stream
> peer=(addr="@/tmp/dbus-*"),
>
> There is a problem with this policy though; that access is not very
> strict at all and we should adjust the unity7 interface accordingly (and
> test that ibus still works).

I'm not sure how we could do that without code changes. There's nothing
differentiating the session bus' abstract socket name from the ibus bus'
abstract socket name.

> Is ibus-daemon actually a dbus service or is it something else?

It looks to me like it is its own bus daemon. In other words, the
equivalent of something like `dbus-daemon --session` instead of simply
being a dbus service.

@Tyler, if it is its own service and not dbus, it shouldn't use a name like @/tmp/dbus-*. It should instead use @/tmp/ibus-daemon-* or similar. This 'strict' rule is intended to allow connection to *dbus* services since dbus has apparmor mediation. If a service isn't a dbus service, it should use a different path.

On 05/11/2016 11:46 AM, Tyler Hicks wrote:
> On 05/11/2016 10:22 AM, Jamie Strandboge wrote:
> ...
>>
>> We then have dbus-session-strict:
>> unix (connect, receive, send)
>> type=stream
>> peer=(addr="@/tmp/dbus-*"),
>>
>> There is a problem with this policy though; that access is not very
>> strict at all and we should adjust the unity7 interface accordingly (and
>> test that ibus still works).
>
> I'm not sure how we could do that without code changes. There's nothing
> differentiating the session bus' abstract socket name from the ibus bus'
> abstract socket name.
>
>> Is ibus-daemon actually a dbus service or is it something else?
>
> It looks to me like it is its own bus daemon. In other words, the
> equivalent of something like `dbus-daemon --session` instead of simply
> being a dbus service.
>
Well then we should be able to launch it under a different profile
and use the label to differential the two

FYI, I think we have a handle on how to fix the ibus access wrt security policy to properly mediate the ibus abstract socket that doesn't involve code changes.

@seb128: you gave details on how to get ibus working in comment #3 (thanks!), what about fcitx?

This bug was fixed in the package im-config - 0.29-1ubuntu13

---------------
im-config (0.29-1ubuntu13) yakkety; urgency=medium

  * debian/patches/use-distinguishable-abstract-address.patch: adjust
    ibus-daemon args to include "--address 'unix:tmpdir=/tmp/ibus'" so it has
    a mediatable abstract socket path (LP: #1580463)

 -- Jamie Strandboge <email address hidden> Thu, 26 May 2016 12:53:53 -0500

Hello Sebastien, or anyone else affected,

Accepted im-config into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/im-config/0.29-1ubuntu12.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

> what about fcitx?

so I had a look to that, a bit similar to ibus

* bundle "fcitx-frontend-gtk3" in your deb

* include those lines in the bundle (replace the static version)

export XDG_CACHE_HOME=$SNAP_USER_DATA/.cache-$SNAP_VERSION
mkdir -p $XDG_CACHE_HOME
export GTK_IM_MODULE_DIR=$XDG_CACHE_HOME/immodules
export GTK_IM_MODULE_FILE=$XDG_CACHE_HOME/immodules/immodules.cache

if [ ! -d $GTK_IM_MODULE_DIR ]; then
  mkdir -p $GTK_IM_MODULE_DIR
  ln -s $SNAP/usr/lib/$ARCH/gtk-3.0/3.0.0/immodules/*.so $GTK_IM_MODULE_DIR
  $SNAP/usr/lib/$ARCH/libgtk-3-0/gtk-query-immodules-3.0 > $GTK_IM_MODULE_FILE
fi

that's enough to made it work in devmode (tried on the gnome-calculator example)

unrelated to snap but to configre fcitx configure/working as your im framework under unity7 open language-selector install the chinese support (should give you the fcitx packages you need) and select fcitx as im method in the combo on the first tab, then restart your session. that gives you an indicator with a configure option, you can add a sunpinyn input method from there and use the indicator to switch to it, once that done typing in e.g the calculator input entry should give you an UI with chinese glyphs

works confined after adding "#include <abstractions/fcitx>" to the apparmor profile

Tyler said that he would update the apparmor ibus abstraction for this change, which will be required to not break ibus in evince and webbrowser-app. As such, I'm going to mark this as 'verification-failed' then adjust im-config to Breaks with apparmor less than the version Tyler is uploading.

Hello Sebastien, or anyone else affected,

Accepted snapd into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapd/2.0.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

FYI, fcitx uses dbus-daemon (as opposed to ibus-daemon, which does not) and so apparmor dbus mediation can be used with 'dbus bus=fcitx,'. As such, im-config does not need an update for fcitx.

Based on comment #15 I removed im-config 0.29-1ubuntu12.1 from xenial-proposed so it doesn't accidentally get promoted.

Hello Sebastien, or anyone else affected,

Accepted snapd into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/snapd/2.0.7 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

2.0.8 generates the new input methods policy and it correctly compiles. Marking verification-done.

This bug was fixed in the package snapd - 2.0.8

---------------
snapd (2.0.8) xenial; urgency=medium

  * New upstream release: LP: #1589534
    - debian: make `snap refresh` times more random (LP: #1537793)
    - cmd: ExecInCoreSnap looks in "core" snap first, and only in
      "ubuntu-core" snap if rev>125.
    - cmd/snap: have 'snap list' display helper message on stderr
      (LP: #1587445)
    - snap: make app names more restrictive.

 -- Michael Vogt <email address hidden> Wed, 08 Jun 2016 07:56:58 +0200

This bug was fixed in the package snapd - 2.11+16.10

---------------
snapd (2.11+16.10) yakkety; urgency=medium

  * New upstream release: LP: #1605303
    - increase version number to reflect the nature of the update
      better
    - store, daemon, client, cmd/snap, docs/rest.md: adieu search
      grammar
    - debian: move snapd.refresh.timer into timers.target
    - snapstate: add daemon-reload to fix autopkgtest on yakkety
    - Interfaces: hardware-observe
    - snap: rework the output after a snap operation
    - daemon, cmd/snap: refresh --devmode
    - store, daemon, client, cmd/snap: implement `snap find --private`
    - tests: add network-observe interface spread test
    - interfaces/builtin: allow getsockopt for connected x11 plugs
    - osutil: check for nogrup instead of adm
    - store: small cleanups (more needed)
    - snap/squashfs: fix test not to hardcode snap size
    - client,cmd/snap: cleanup cmd/snap test suite, add extra args
      testThis cleans up the cmd/snap test suite:
    - wrappers: map "never" restart condition to "no."
    - wrappers: run update-desktop-database after add/remove of desktop
      files
    - release: work around elementary mistake
    - many: remove all traces of channel from the buying codepath
    - store: kill setUbuntuStoreHeaders
    - docs: add payment methods documentation
    - many: present user with a choice of payment backends
    - asserts: add cross checks for snap asserts
    - cmd/snap,cmd/snap-exec: support running hooks via snap-exec.
    - tests: improve snap run symlink tests
    - tests: add content sharing interface spread test
    - store & many: a mechanical branch shortening store names
    - snappy: remove old snappy pkg
    - overlord/snapstate: kill flagscompat
    - overlord/snapstate, daemon, client, cmd/snap: devmode override
      (aka confined)
    - tests: extend refresh test to talk to the staging and production
      stores
    - asserts,daemon: cross checks for account and account-key
      assertions
    - client: existing JSON fixtures uses tabs for indentation
    - snap-exec: add proper integration test for snap-exec
    - spread.yaml, tests: replace hello-world with test-snapd-tools
    - tests: add locale-control interface spread test
    - tests: add mount-observe interface spread test
    - tests: add system-observe interface spread test
    - many: add AuthContext to mediate user updates to the state
    - store/auth: add helper for the macaroon refresh endpoint
    - cmd: add buy command
    - overlord: switch snapstate.Update to use ListRefresh (aka
      /snaps/metadata)
    - snap-exec: fix silly off-by-one error
    - tests: stop using hello-world.echo in the tests
    - tests: add env command to test-snapd-tools
    - classic: remove (most of) "classic" mode, this is implemented as a
      snap now
    - many: remove snapstate.Candidate and other cleanups
    - many: removed authenticator, store gets a user instead
    - asserts: fix minor doc comment typo
    - snap: ensure unknown arguments to `snap run` are ignored
    - overlord/auth: add Device/SetDevice to persist device identity in
      state
    - overlord: make SyncBoot work aga...

This bug was fixed in the package apparmor - 2.10.95-4ubuntu4

---------------
apparmor (2.10.95-4ubuntu4) yakkety; urgency=medium

  * debian/patches/allow-access-to-ibus-socket.patch: Adjust the ibus
    abstraction to allow access to the abstract UNIX domain socket location
    used in Ubuntu. (LP: #1580463)
  * debian/lib/apparmor/functions: Quiet the "Files ... and ... differ"
    output, during the update process, which was printed by diff. This message
    left users concerned since it mentioned md5sums files without being clear
    about what was happening. (LP: #1614215)

 -- Tyler Hicks <email address hidden> Fri, 26 Aug 2016 13:33:46 -0500

Hello Sebastien, or anyone else affected,

Accepted apparmor into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/apparmor/2.10.95-0ubuntu2.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

I'm temporarily marking this SRU bug as verification-failed so that it doesn't get let through until kernel bug 1579135 is fixed. Without the kernel bug fix for bug 1579135, this SRU has the potential for oopsing the kernel of some users. Lets sit on this SRU until the Xenial kernel currently in -proposed has been released for ~1 week to give users some time to upgrade and reboot.

Swapping verification-failed for verification-needed now that bug 1579135 has been fixed for ~1 week.

im-config 0.29-1ubuntu12.2 is uploaded to xenial-proposed and ensures the newer apparmor is installed. Please see the updated description for im-config in Test Case and Regression Potential for details.

Hello Sebastien, or anyone else affected,

Accepted im-config into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/im-config/0.29-1ubuntu12.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-needed to verification-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

FYI, im-config is verification-done. I didn't do full SRU testing for AppArmor. Tyler, when you are done with the SRU testing, feel free to mark this as verification-done.

Just for clarity, I did both the main test case and the extended test case for im-config. I also noticed that when installing im-config, it correctly required the updated apparmor.

I've completed the AppArmor test plan:

  https://wiki.ubuntu.com/Process/Merges/TestPlans/AppArmor

I've also manually verified the AppArmor portion of this SRU.

This bug was fixed in the package apparmor - 2.10.95-0ubuntu2.5

---------------
apparmor (2.10.95-0ubuntu2.5) xenial; urgency=medium

  * debian/lib/apparmor/functions, debian/apparmor.init,
    debian/apparmor.service, debian/apparmor.upstart,
    debian/lib/apparmor/profile-load: Adjust the checks that previously kept
    AppArmor policy from being loaded while booting a container. Now we
    attempt to load policy if we're in a LXD or LXC managed container that is
    using profile stacking inside of a policy namespace. (LP: #1628285)
  * Fix regression tests for stacking so that the kernel SRU process is not
    interrupted by failing tests whenever the AppArmor stacking features are
    backported from the 16.10 kernel or when the 16.04 LTS Enablement Stack
    receives a 4.8 or newer kernel
    - debian/patches/r3509-tests-fix-exec_stack-errors-1.patch: Fix the
      exec_stack.sh test when running on 4.8 or newer kernels (LP: #1628745)
    - debian/patches/r3558-tests-fix-exec_stack-errors-2.patch: Adjust the
      exec_stack.sh fix mentioned above to more accurately test kernels older
      than 4.8 (LP: #1630069)
    - debian/patches/allow-stacking-tests-to-use-system.patch: Apply this
      patch earlier in the series, as to match when it was committed upstream,
      so that the above two patches can be cherry-picked from lp:apparmor

 -- Tyler Hicks <email address hidden> Fri, 07 Oct 2016 05:21:44 +0000

This bug was fixed in the package im-config - 0.29-1ubuntu12.2

---------------
im-config (0.29-1ubuntu12.2) xenial-proposed; urgency=medium

  * debian/patches/use-distinguishable-abstract-address.patch: adjust
    ibus-daemon args to include "--address 'unix:tmpdir=/tmp/ibus'" so it has
    a mediatable abstract socket path (LP: #1580463)
  * debian/control: Breaks on apparmor << 2.10.95-0ubuntu2.3 since that
    adjusts the ibus abstraction to allow applications to communicate with an
    ibus-daemon started with "--address 'unix:tmpdir=/tmp/ibus'"

 -- Jamie Strandboge <email address hidden> Fri, 07 Oct 2016 11:37:31 +0000

The verification of the Stable Release Update for im-config has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

IBus is not always launched via im-config when GNOME is involved. In Ubuntu 19.10 im-config will be disabled by default in Wayland sessions. So to achieve a consistent address of ibus daemon, it's better to change the default in ibus itself. Attached please find a debdiff with a proposed fix.

Once this change is in the archive, the equivalent im-config patch can be dropped.

This bug was fixed in the package ibus - 1.5.19-1ubuntu3

---------------
ibus (1.5.19-1ubuntu3) eoan; urgency=medium

  * ubuntu-use-distinguishable-abstract-address.patch:
    Change the default address of ibus daemon to 'unix:tmpdir=/tmp/ibus'
    so it has a mediatable abstract socket path (LP: #1580463)

 -- Gunnar Hjalmarsson <email address hidden> Thu, 25 Apr 2019 19:01:00 +0200

Reopening the ibus (ubuntu) task.

Background:
The change in ibus 1.5.19-1ubuntu3, which set the abstract socket path to 'unix:tmpdir=/tmp/ibus', was upstreamed and is now included in the 1.5.21 source. However, the path proved to not work well on BSD systems:

https://github.com/ibus/ibus/issues/2116

That resulted in a new upstream approach to make the path indistinguishable, and to make a long story short, the path is about to be changed in 1.5.22 to 'unix:tmpdir=$XDG_CACHE_HOME/ibus'. To prevent yet another change in this respect in the ff cycle, I propose that we change it in eoan again and add two upstream commits so Ubuntu 19.10 is released with the new (final?) path.

Proposed upload in this PPA:

https://launchpad.net/~gunnarhj/+archive/ubuntu/ibus

@Tyler, @Jamie: When reviewing the proposal in comment #37, Sebastien pointed at a possible need to also change /etc/apparmor.d/abstractions/ibus. Can you please consider that?

Also, in Ubuntu 17.10 - 19.04 the im-config change of the abstract socket path has not been effective in Ubuntu, since we have let GDM start ibus. Which implications, if any, has that had?

@Gunnar - I am preparing the focal upload now, though there is a parser bug (bug 1856738) which means I cannot use @{HOME} in the rule and instead hardcode /home/*/. This will cover all typical situations (ie, not the atypical /root/.cache/ibus...) except when the user updates /etc/apparmor.d/tunables/home.d/ to add a different directory for home. With snaps (this bug) we don't support alternate locations for /home just yet, so this is not a regression.

We plan to fix that parser bug for 20.04. You may want to hold off on a 1.5.22 upload (or revert the XDG patch) until this is updated to avoid regression non-snap, ibus abstraction apparmor users with non-default home.

@Jamie: The code, which changes the abstract socket path from 'unix:tmpdir=/tmp/ibus' to 'unix:tmpdir=$XDG_CACHE_HOME/ibus', was uploaded to focal via ibus 1.5.21-5ubuntu1 (unix-socket-path.patch). Mentioned it on bug #1856738 too.

Closing the ibus (ubuntu) task on this bug.

This is *not* fixed. I still see this issue in a recent install of Ubuntu 20.04, where $XDG_CACHE_HOME is set.
We have home dirs mounted via network, so user caches were moved to local storage to sanitize network load. The right and perfectly valid way of doing so is setting $XDG_CACHE_HOME.
Snapd honors this variable, from what I get from related bug reports.
However, it appears that snaps are still not allowed access to the direcrory configured in this environment variable.

This is a production environment for 800+ users who rely on chromium and Ubuntu. I *really, honestly* need this fixed ASOP.

Our $XDG_CACHE_HOME points to /var/cache/usercache/<uid>/
I tried adding /var/cache/usercache/ to @{HOMEDIRS} in apparmor, but it did not work. How do I tell my snaps that user caches are in /var/cache/usercache/ ??

Test case: chromium snap with $XDG_CACHE_HOME set.

This will affect many installs, notably in professional multi user environments. It is absurd assuming that $XDG_CACHE_HOME is unset (any installation with a few hundred users will have homes on a network share and consequently caches moved elsewhere).

We are talking about recent Ubuntu focal, thst is: Ubuntu 20.04.1. This is deemed safe for LTS upgrade! It is not! It will make petfectly working installs of 18.04 LTS unusable without any warning.

@Rüdiger: Quite some water has passed under the bridge since the submission of this bug. It mostly came to be about the method for achieving a distinguishable abstract path for IBus, and is now closed.

I would suggest that you file a new bug about the issue you now encounter. It sounds like an apparmor issue to me, and bug #1856738 is possibly related.

I agree that a new bug should be filed. When doing so, please attach any relevant policy violations from journalctl to the bug.

Agreed. I'll be referencing this issue there. And I'll have a look into the journal, thanks.

For your reference: Bug #1890905