[pkg-apparmor] Bug#948142: Bug#948142: apparmor: Update abstractions/ibus socket path
Jamie Strandboge
jamie at canonical.com
Mon Jan 6 23:14:08 GMT 2020
On Sat, 04 Jan 2020, Changwoo Ryu wrote:
> Package: apparmor
> Version: 2.13.3-7
> Severity: normal
>
> In short, the ibus socket path in <abstractions/ibus> needs to be changed
> for the recent ibus versions like this:
>
> unix (connect, receive, send)
> type=stream
> peer=(addr="@{HOME}/.cache/ibus/dbus-*"),
>
> Details:
>
> This is follow-up to debian/patches/debian/allow-access-to-ibus-socket.patch.
>
> In IBus upstream 1.5.21, the upstream has changed the default socket path
> to"/tmp/ibus" to make it distinguishable. But it is not secure as a malicious
> user can create "/tmp/ibus" with restrictive permission. In IBus upstream git
> after 1.5.21, the upstream has changed the socket path to
> "$XDG_CACHE_HOME/ibus" for Linux and "/tmp" for non-Linux. (See
> https://github.com/ibus/ibus/issues/2095 and
> https://github.com/ibus/ibus/issues/2116 for more information.) AppArmor is
> Linux specific so allowing Unix socket "${HOME}.cache/ibus/dbus-*" is enough.
>
> Debian ibus 1.5.21-5 has these changes (to fix non-linux FTBFS).
>
> You can also remove the old socket path and then "ibus (<< 1.5.21-5)" should be
> added to Breaks.
FYI, this is:
https://salsa.debian.org/apparmor-team/apparmor/commit/8c11bb9f2744555cc9c79447b5adb4dedfd36d2b
I didn't upstream it yet because of the referenced bug, but there is no
reason this couldn't be included in Debian until that bug is fixed.
--
Jamie Strandboge | http://www.canonical.com
More information about the pkg-apparmor-team
mailing list