"things work even without devmode, that's probably because ibus is using a private bus between the service and the client and that's not being restricted"
Note that we have a few things in the unity7 interface already: accesses to @{HOME}/.config/ibus/bus/* and some accesses to the accessibility bus. @{HOME}/.config/ibus/bus/* contains files with information on where to find the ibus abstract socket. E.g.:
$ cat ./.config/ibus/bus/9c3de18b4ba9455c74e059fe00000003-unix-0
# This file is created by ibus-daemon, please do not modify it
IBUS_ADDRESS=unix:abstract=/tmp/dbus-Vyx8fGFA,guid=28e8e7e89f902c8d4e9d77c5557add76
IBUS_DAEMON_PID=2217
We then have dbus-session-strict:
unix (connect, receive, send)
type=stream peer=(addr="@/tmp/dbus-*"),
There is a problem with this policy though; that access is not very strict at all and we should adjust the unity7 interface accordingly (and test that ibus still works).
Is ibus-daemon actually a dbus service or is it something else?
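An added example, not part of the original comment or of the snapd/ibus code: it parses a bus file in the format shown above and checks the resulting abstract socket name against the peer addr glob from dbus-session-strict, showing that the rule cannot tell the ibus socket apart from any other abstract socket named /tmp/dbus-<something>. The function names, the glob handling (a simplified subset in which `*` and `?` do not cross `/`) and the second socket name are assumptions made for illustration.

```python
import re

# Peer address glob quoted from the dbus-session-strict rule above.
PEER_GLOB = "@/tmp/dbus-*"

# Constructed sample in the bus-file format shown in the comment above.
SAMPLE_BUS_FILE = """\
# This file is created by ibus-daemon, please do not modify it
IBUS_ADDRESS=unix:abstract=/tmp/dbus-Vyx8fGFA,guid=28e8e7e89f902c8d4e9d77c5557add76
IBUS_DAEMON_PID=2217
"""

def parse_bus_file(text):
    """Return the KEY=VALUE pairs of an ibus bus file, skipping comments."""
    pairs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            pairs[key] = value
    return pairs

def abstract_addr(dbus_address):
    """Map 'unix:abstract=NAME,...' to the '@NAME' form used in AppArmor rules."""
    transport, _, params = dbus_address.partition(":")
    if transport != "unix":
        return None
    for param in params.split(","):
        key, _, value = param.partition("=")
        if key == "abstract":
            return "@" + value  # percent-escapes in D-Bus addresses are not handled here
    return None  # e.g. unix:path=..., which is not an abstract socket

def glob_to_regex(glob):
    """Assumed glob subset: '**' crosses '/', while '*' and '?' do not."""
    tokens = {"**": ".*", "*": "[^/]*", "?": "[^/]"}
    parts = re.split(r"(\*\*|\*|\?)", glob)
    return re.compile("".join(tokens.get(p, re.escape(p)) for p in parts))

def rule_allows(peer_glob, addr):
    """True if the abstract socket name falls under the rule's peer addr glob."""
    return addr is not None and glob_to_regex(peer_glob).fullmatch(addr) is not None

if __name__ == "__main__":
    ibus = abstract_addr(parse_bus_file(SAMPLE_BUS_FILE)["IBUS_ADDRESS"])
    for addr in (ibus, "@/tmp/dbus-AAAAAAAAAA"):  # second name is constructed
        print(addr, "allowed" if rule_allows(PEER_GLOB, addr) else "denied")
```

Both names come out as allowed, which is the sense in which the rule is not strict: the unix rule matches on the socket name only.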