← Back to team overview

group.of.nepali.translators team mailing list archive

[Bug 1580463] Re: Snap blocks access to system input methods (ibus, fcitx, ...)

 

This bug was fixed in the package snapd - 2.11+16.10

---------------
snapd (2.11+16.10) yakkety; urgency=medium

  * New upstream release: LP: #1605303
    - increase version number to reflect the nature of the update
      better
    - store, daemon, client, cmd/snap, docs/rest.md: adieu search
      grammar
    - debian: move snapd.refresh.timer into timers.target
    - snapstate: add daemon-reload to fix autopkgtest on yakkety
    - Interfaces: hardware-observe
    - snap: rework the output after a snap operation
    - daemon, cmd/snap: refresh --devmode
    - store, daemon, client, cmd/snap: implement `snap find --private`
    - tests: add network-observe interface spread test
    - interfaces/builtin: allow getsockopt for connected x11 plugs
    - osutil: check for nogrup instead of adm
    - store: small cleanups (more needed)
    - snap/squashfs: fix test not to hardcode snap size
    - client,cmd/snap: cleanup cmd/snap test suite, add extra args
      testThis cleans up the cmd/snap test suite:
    - wrappers: map "never" restart condition to "no."
    - wrappers: run update-desktop-database after add/remove of desktop
      files
    - release: work around elementary mistake
    - many: remove all traces of channel from the buying codepath
    - store: kill setUbuntuStoreHeaders
    - docs: add payment methods documentation
    - many: present user with a choice of payment backends
    - asserts: add cross checks for snap asserts
    - cmd/snap,cmd/snap-exec: support running hooks via snap-exec.
    - tests: improve snap run symlink tests
    - tests: add content sharing interface spread test
    - store & many: a mechanical branch shortening store names
    - snappy: remove old snappy pkg
    - overlord/snapstate: kill flagscompat
    - overlord/snapstate, daemon, client, cmd/snap: devmode override
      (aka confined)
    - tests: extend refresh test to talk to the staging and production
      stores
    - asserts,daemon: cross checks for account and account-key
      assertions
    - client: existing JSON fixtures uses tabs for indentation
    - snap-exec: add proper integration test for snap-exec
    - spread.yaml, tests: replace hello-world with test-snapd-tools
    - tests: add locale-control interface spread test
    - tests: add mount-observe interface spread test
    - tests: add system-observe interface spread test
    - many: add AuthContext to mediate user updates to the state
    - store/auth: add helper for the macaroon refresh endpoint
    - cmd: add buy command
    - overlord: switch snapstate.Update to use ListRefresh (aka
      /snaps/metadata)
    - snap-exec: fix silly off-by-one error
    - tests: stop using hello-world.echo in the tests
    - tests: add env command to test-snapd-tools
    - classic: remove (most of) "classic" mode, this is implemented as a
      snap now
    - many: remove snapstate.Candidate and other cleanups
    - many: removed authenticator, store gets a user instead
    - asserts: fix minor doc comment typo
    - snap: ensure unknown arguments to `snap run` are ignored
    - overlord/auth: add Device/SetDevice to persist device identity in
      state
    - overlord: make SyncBoot work again
    - tests: add -y flag to apt autoremove command in unity task restore
    - many: migrate SnapSetup and SideInfo to use RealName
    - daemon: drop auther()
    - client: improve error from client.do() on json decode failures
    - tests: readd the fake store tests
    - many: allow removal of broken snaps, add spread test
    - overlord: implement &Retry{After: duration} support for handlers
    - interface: add new interfaces.all.SecurityBackends
    - integration-tests: remove login tests
    - cmd,interfaces,snap: implement hook whitelist.
    - daemon,overlord/auth,store: update macaroon authentication to use
      the new endpoints
    - daemon, overlord: add buy endpoint to REST API
    - tests: use systemd-run for starting and stopping the unity app
    - tests, integration-tests: port systemd service check test to
      spread
    - store: switch search to new snap-specific endpoint
    - store, many: start using the new details endpoint
    - tests, integration-tests: port unity test to spread
    - tests: add spread test for tried snaps removal
    - tests, integration-tests: port auth errors test to spread
    - snapstate: rename OfficialName to RealName in the new tests
    - many: rename SideInfo.OfficialName to SideInfo.RealName
    - snapstate: use snapstate.Type in backend.RemoveSnapFiles
    - many: add `snap enable/disable` commands
    - tests, integration-tests: port refresh all test to spread
    - snap: add `snap run --shell`
    - tests: set yaml indentation to 4 spaces
    - snapstate: cleanup downloaded temp snap files
    - overlord: make patch1_test more robust
    - debian: add snapd.postrm that purges
    - integration-tests: drop already covered refresh app test
    - many: add concept of "broken" snaps
    - tests, integration-tests: port remove errors tests to spread
    - tests, integration-tests: port revert test to spread
    - debian: fix snapbuild path
    - overlord: fix access to the state without lock in firstboot.go and
      add test
    - snapstate: add very simple garbage collection on upgrade
    - asserts: introduce assertstest with helpers to test code involving
      assertions
    - tests, integration tests: port undone failed install test to
      spread
    - snap,store: switch to the new snaps/metadata endpoint, introduce
      and start capturing DeveloperID
    - tests, integration-tests: port the op remove retry test to spread
    - po: remove snappy.pot from git, it will be generated at build time
    - many: add some missing tests, clarify some things and nitpicks as
      follow up to `snap revert`
    - snapstate: when doing snapsate.Update|Install, talk to the store
      early
    - tests, integration-tests: port the op remove test to spread
    - interfaces: allow /usr/bin/locale in default policy
    - many: add `snap revert`
    - overlord/auth,store: add macaroon serialization/deserialization
      helpers
    - many: embed main store trusted assertions in snapd, way to have
      test ones, spread tests for ack and known
    - overlord/snapstate,daemon: clarify active vs current, add
      SnapState.HasCurrent,CurrentInfo
    - tests: do not search for a specific snap (we hit 100 items) and
      pagination kicks in
    - tests: use printf instead of echo where we need portability
    - tests: rename and generalize basic-binaries to test-snapd-tools

 -- Michael Vogt <michael.vogt@xxxxxxxxxx>  Tue, 26 Jul 2016 15:49:04
+0200

** Changed in: snapd (Ubuntu Yakkety)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1580463

Title:
  Snap blocks access to system input methods (ibus, fcitx, ...)

Status in apparmor package in Ubuntu:
  In Progress
Status in im-config package in Ubuntu:
  Fix Released
Status in snapd package in Ubuntu:
  Fix Released
Status in apparmor source package in Xenial:
  Triaged
Status in im-config source package in Xenial:
  In Progress
Status in snapd source package in Xenial:
  Fix Released
Status in apparmor source package in Yakkety:
  In Progress
Status in im-config source package in Yakkety:
  Fix Released
Status in snapd source package in Yakkety:
  Fix Released

Bug description:
  = SRU im-config =
  [Impact]
  ibus-daemon by default uses a unix socket name of /tmp/dbus-... that is indistinguishable from dbus-daemon abstract sockets. While dbus-daemon has AppArmor mediation, ibus-daemon does not so it is important that its abstract socket not be confused with dbus-daemon's. By modifying ibus-daemon's start arguments to use "--address 'unix:tmpdir=/tmp/ibus'" AppArmor can continue mediating DBus abstract sockets like normal and also mediate access to the ibus-daemon-specific abstract socket via unix rules. This also tidies up the abstract socket paths so that it is clear which are for ibus-daemon, which for dbus-daemon, etc.

  The upload simply adjusts 21_ibus.rc to start ibus-daemon with "--
  address 'unix:tmpdir=/tmp/ibus'" and adds a comment. No compiled code
  changes are required.

  [Test Case]
  1. start a unity session before updating to the package in -proposed

  2. $ grep IBUS_ADDRESS ~/.config/ibus/bus/*-unix-0 
  IBUS_ADDRESS=unix:abstract=/tmp/dbus-Vyx8fGFA,guid=28e8e7e89f902c8d4e9d77c5557add76

  3. $ lsof -p $(pidof ibus-daemon) | grep '/dbus'
  ibus-daem 2973 jamie    8u     unix 0x0000000000000000      0t0   29606 @/tmp/dbus-oxKYpN30 type=STREAM

  4. update the package in -proposed and perform '2' and '3'. The
  IBUS_ADDRESSES should be the same as before

  5. logout of unity, then log back in

  6. $ grep IBUS_ADDRESS ~/.config/ibus/bus/*-unix-0 
  IBUS_ADDRESS=unix:abstract=/tmp/ibus/dbus-SpxOl8Fc,guid=06d4bbeb07614c6dffbf221c57473f4e

  (notice '/tmp/ibus/' in the path)

  7. $ lsof -p $(pidof ibus-daemon) | grep '/dbus'
  ibus-daem 3471 jamie    8u     unix 0x0000000000000000      0t0  26107 @/tmp/ibus/dbus-SpxOl8Fc type=STREAM
  ...

  (notice '@/tmp/ibus/' in the path)

  In addition to the above, you can test for regressions by opening
  'System Settings' under the 'gear' icon in the panel and selecting
  'Text Entry'. From there, add an input source on the right, make sure
  'Show current input source in the menu bar' is checked, then use the
  input source panel indicator to change input sources.

  [Regression Potential]

  The regression potential is considered low because there are no
  compiled code changes and because the changes only occur after ibus-
  daemon is restarted, which is upon session start, not package upgrade.
  When it is restarted, the files in ~/.config/ibus/bus/*-unix-0 are
  updated accordingly for other applications to pick up.

  This change intentionally requires a change to the unity7 snapd
  interface, which is in progress. Currently the change should not
  regress snapdsbehavior due to other issues surrounding using ibus
  unrelated to security policy.

  = Original description =
  Currently snaps can't access ibus/fcitx from the system, do we need a interface for input methods there?

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/1580463/+subscriptions