New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to use iBus (input method) #675
Comments
There is no 'supposed' way for this. |
Not only that, we also need to expose the host ibus in a safe way. I guess the clients talk to it using dbus? Is the apis safe for sandboxed use? |
I will look at this |
Not only iBus, but also other input method engine such as scim, fcitx, ... |
Here is the org.freedesktop.IBus interface: https://github.com/ibus/ibus/blob/master/bus/ibusimpl.c#L180 The client-side im module calls CreateInputContext to create the object that it then works with. Here is the org.freedesktop.IBus.InputContext interface: https://github.com/ibus/ibus/blob/master/bus/inputcontext.c#L216 I haven't looked through this in detail yet |
CC @fujiwarat |
There's not much of any parameter validation in the input context code, that probably needs some improvements. Eg bus_input_context_set_capabilities passes the client-provided capabilities on to the engine without filtering out any extra bits that might be set. Same for the arguments of ProcessKeyEvent and SetCursorLocation. It is not clear to me that the InputContext.SetEngine method is called from the client-side code. If it is not needed, maybe it shouldn't be exposed. |
Sounds good to me.
I think an idea of a parameter likes |
I think maybe good to share the ibus-daemon for the sandbox and native apps. |
I don't think that makes much sense, tbh. Would we run one ibus-daemon for sandboxed apps in 'secure' mode, and another one for the rest of the desktop ? If the 'secure' mode is good enough for all of the desktop, then why have the insecure mode at all ? Just drop the apis that are not needed, or add a smaller interface that we can safely expose to sandboxed apps |
IIUC, only "CreateInputContext" method of "org.freedesktop.IBus" interface is allowed in the sandbox. Also I think "BecomeMonitor" method of "org.freedesktop.DBus" interface should be disallowed. |
What do you mean ? Are you saying ibus already has special code to handle being inside a sandbox ? where is that code ? |
Sorry, I just try to summarize my understanding, and made a spelling mistake, corrected it now. |
Probably we will keep ibus_input_context_set_engine() and InputContext.SetEngine() until the version is bumped. Currently we have no plan to update the IBus version to 1.6 for a while. |
I mean
I think he put his idea not to allow CreateInputContext beyond that in the sandbox since "BecomeMonitor" method is used by dbus-monitor. |
Here is a concern that alex mentioned on irc: clients probably get a path to the context object, and can easily guess other clients context paths - what happens if they make calls there ? |
I was misstating things a bit, I think. We actually need to use a separate unique bus name to prevent the client from talking to other, 'unsafe' interfaces. So, the suggestion is have a separate bus connection, take a different well-known name, and expose limited, safe interfaces on that name. And strictly validate that clients only make calls on 'their' objects. |
Here is how the context object paths get created: src/ibusshare.h:#define IBUS_PATH_INPUT_CONTEXT "/org/freedesktop/IBus/InputContext_%d" bus/inputcontext.c: gchar *path = g_strdup_printf (IBUS_PATH_INPUT_CONTEXT, ++id); |
And I can't find any validation that would check that Inputcontext calls are coming from the owner of the context. |
An extra complication here is that ibus is using not just its own bus but its own daemon implementation which may or may not cause us extra problems when proxying - d-feet certainly has issues talking to it. |
For d-feet, we filed a bug before and write a draft patch for it. |
CC'ing @phuang |
That d-feet patch seems wrong. Instead of making d-feet connect to unsupported addresses, why not make ibus provide a supported one ? Or, if that is hard, make gio support the address in question. You can already get d-feet to connect to ibus by doing DBUS_SESSION_BUS_ADDRESS=$IBUS_ADDRESS d-feet That is how I did my initial investigation of ibus protocol. |
From irc: alexlarsson> mclasen: honestly, the right way would probably to use a per-client connection instead of a separate bus |
A longer-term perspective for wayland is that this should really move to the compositor, and use the text protocol. That would solve the sandboxing issues for good. |
To clarify some of the last comments: We want: one peer-to-peer connection per client (ie per application), not one per context (it turns out that clients generally use many contexts (one per text field)). |
I tried to get a dbus address per client with the following way:
But the packet is still readable by dbus-monitor with the shared dbus address. |
I just read the comments of dbus-proxy recently. Is it not secure to expose non-well-known names |
I don't know how to use dbus-proxy. I guess g_dbus_connection_add_filter() does not help to avoid dbus-monitor.
Right. But primarily I'm thinking to access by client. |
I tried Is it a good example to test flatpak-dbus-monitor? Is it a expected result that dbus-monitor can observe the most packets of ibus? |
This adds a dbus service called org.freedesktop.portal.IBus on the session bus. It is a very limited service that only implements CreateInputContext and the InputContext interface (and Service.Destroy for lifetime access). It uses gdbus code generation for demarshalling the method calls which means it will verify that all arguments have the right type. Additionally all method calls to the input context object have to be from the client that created it, so each client is isolated. BUG=flatpak/flatpak#675 R=Shawn.P.Huang@gmail.com Review URL: https://codereview.appspot.com/326350043 Patch from Alexander Larsson <alexl@redhat.com>.
This adds a new way to create an IbusBus, ibus_bus_new_async_client(). This returns an object that is not guarantee to handle any calls that are not needed by a client, meaning CreateInputContext and handling the input context. If you are running in a flatpak, or if IBUS_USE_PORTAL is set, then instead of talking to the regular ibus bus we connect to org.freedesktop.portal.IBus on the session bus and use the limited org.freedesktop.IBus.Portal interface instead of the org.freedesktop.IBus interface. This allows flatpaks (or other sandbox systems) to safely use dbus clients (apps). BUG=flatpak/flatpak#675 Review URL: https://codereview.appspot.com/328410043 Patch from Alexander Larsson <alexl@redhat.com>.
I built the gtk3 im-module into the freedesktop runtime now. I guess we should add the gtk2 one to the gnome runtime also. |
Yes. Also /usr/libexec/ibus-x11 and /usr/lib64/qt5/plugins/platforminputcontexts/libibusplatforminputcontextplugin.so too. |
Test with: flatpak-builder --force-clean app org.test.IBus.json flatpak-builder --run --nofilesystem=host app org.test.IBus.json zenity --entry BUG=flatpak/flatpak#675 R=Shawn.P.Huang@gmail.com Review URL: https://codereview.appspot.com/329090043 Patch from Alexander Larsson <alexl@redhat.com>.
When ibus-daemon restarts, ibus-portal exits with on_name_lost() and the clients wait for portal_name_appeared() until ibus-poral restarts. Now the clients can connect to ibus-daemon with this way and also they don't have to activate ibus-portal. BUG=flatpak/flatpak#675 R=Shawn.P.Huang@gmail.com Review URL: https://codereview.appspot.com/321530043
What exactly does ibus-x11 do? |
ibus-x11 communicates with X clients and ibus-daemon for the key events with XIM and IBus protocols. |
Now Fedora IBus RPM includes ibus-portal. |
The very latest runtimes should have ibus support, yes. |
Thank you. I forgot to copy ibusimcontext.c to client/gtk3 in fedora build. |
Which are the first flatpak and ibus releases that support this? |
@juhp Ibus 1.5.17, and it is independent on the flatpak version, but needs a recent flatpak runtime with the ibus version in it (should be ok with e.g. freedesktop.org 1.6 runtimes and gnome >= 3.24 runtimes). |
Hello, I still can't use ibus in Slack flatpak app, I think both ibus and Slack flat app are latest version:
There Slack ibus/bus directory was created Update: I can use ibus in org.gnome.gedit flat app. Can someone give me some advice about this issue? |
This bug has been closed for a year, and there's a link about Electron apps just above your comment. Following that link would be a good first step. File a separate bug if your issue is a separate problem. |
Why is it closed, I still can't input Chinese in the flatpak version of OBS Studio, Steam, whatever else. |
It's closed because the IBus support got mrged. If you have further problems, file a bug. I'm guessing that in this case, you should file an issue against your distribution, as IBus input works on other distributions. |
Having the same issue as well, on Fedora 29. |
Let's move discussion on the Electron apps issue to #1671. |
The IBus portal restricts access to IBusContexts to their owner: when using using CreateInputContext() from the org.freedesktop.IBus.Portal DBus interface, the owner of the portal context is tracked such that any other DBus API accesses to IBus require a matching context. Furthermore, IBusContext signals are sent to their context owner (as opposed to broadcast to all listeners). Lastly, IBus's non-portal communications use a separate socket connection from the insecure API. All combined, this is designed to prevent snaps interfering with each other or the session. References: https://launchpad.net/bugs/1881232 flatpak/flatpak#675 https://github.com/ibus/ibus/blob/master/portal/portal.c#L354-L370 https://github.com/ibus/ibus/blob/master/portal/portal.c#L408-L414
The IBus portal restricts access to IBusContexts to their owner: when using using CreateInputContext() from the org.freedesktop.IBus.Portal DBus interface, the owner of the portal context is tracked such that any other DBus API accesses to IBus require a matching context. Furthermore, IBusContext signals are sent to their context owner (as opposed to broadcast to all listeners). Lastly, IBus's non-portal communications use a separate socket connection from the insecure API. All combined, this is designed to prevent snaps interfering with each other or the session. References: https://launchpad.net/bugs/1881232 flatpak/flatpak#675 https://github.com/ibus/ibus/blob/master/portal/portal.c#L354-L370 https://github.com/ibus/ibus/blob/master/portal/portal.c#L408-L414
The IBus portal restricts access to IBusContexts to their owner: when using using CreateInputContext() from the org.freedesktop.IBus.Portal DBus interface, the owner of the portal context is tracked such that any other DBus API accesses to IBus require a matching context. Furthermore, IBusContext signals are sent to their context owner (as opposed to broadcast to all listeners). Lastly, IBus's non-portal communications use a separate socket connection from the insecure API. All combined, this is designed to prevent snaps interfering with each other or the session. References: https://launchpad.net/bugs/1881232 flatpak/flatpak#675 https://github.com/ibus/ibus/blob/master/portal/portal.c#L354-L370 https://github.com/ibus/ibus/blob/master/portal/portal.c#L408-L414
Is this simply because the GNOME runtime currently doesn't include
im-ibus.so
? If so, how are Flatpak apps supposed to work with the IM on the host system in general, considering that different people use different IMs?The text was updated successfully, but these errors were encountered: