How do I enable access to AT-SPI in my snap?

ianmjones · April 26, 2019, 8:42am

Is there doc that I’m failing to find that shows what I need to do to enable access to services such as AT-SPI?

My app/snap relies on access to the accessibility features of AT-SPI to both read and write data, such as monitor when the current application has changed, look for accessible editable controls, and depending text entered change the contents when the user triggers the action.

With a .deb this is working fine for native apps that support the atspi2 framework, even LibreOffice when using the fully GTK3 enabled variant.

However, I’m getting lots of AppArmor “DENIED” when using the snap, for example this is the kind of stuff I get when just starting the app.

Apr 26 09:13:43 ubuntu-vm audit[2055]: AVC apparmor="DENIED" operation="connect" profile="snap.snippetpixie.snippetpixie" name="/run/user/1000/at-spi2-KWDZ0Z/socket" pid=2055 comm="com.github.byte" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000
Apr 26 09:13:43 ubuntu-vm kernel: audit: type=1400 audit(1556266423.291:76): apparmor="DENIED" operation="connect" profile="snap.snippetpixie.snippetpixie" name="/run/user/1000/at-spi2-KWDZ0Z/socket" pid=2055 comm="com.github.byte" requested_mask="wr" denied_mask="wr" fsuid=1000 ouid=1000

When LibreOffice Writer becomes the active app, I get lots of stuff like the following…

Apr 26 09:14:26 ubuntu-vm dbus-daemon[1226]: apparmor="DENIED" operation="dbus_method_call"  bus="accessibility" path="/org/a11y/atspi/accessible/root" interface="org.a11y.atspi.Application" member="GetApplicationBusAddress" mask="send" name=":1.27" pid=2055 label="snap.snippetpixie.snippetpixie" peer_pid=2179 peer_label="libreoffice-soffice"
Apr 26 09:14:26 ubuntu-vm dbus-daemon[1226]: apparmor="DENIED" operation="dbus_method_call"  bus="accessibility" path="/org/a11y/atspi/cache" interface="org.a11y.atspi.Cache" member="GetItems" mask="send" name=":1.27" pid=2055 label="snap.snippetpixie.snippetpixie" peer_pid=2179 peer_label="libreoffice-soffice"
Apr 26 09:14:27 ubuntu-vm dbus-daemon[1226]: apparmor="DENIED" operation="dbus_signal"  bus="accessibility" path="/org/a11y/atspi/accessible/1" interface="org.a11y.atspi.Event.Object" member="StateChanged" name=":1.27" mask="receive" pid=2055 label="snap.snippetpixie.snippetpixie" peer_pid=2179 peer_label="libreoffice-soffice"

I’m using the following plugs in my snap…

  - desktop
  - desktop-legacy
  - gsettings
  - unity7
  - wayland
  - home

I’ve tried adding the following two, but get exact same behaviour…

  - x11
  - spi

spi was a bit of a long shot for sure!

Testing on Ubunut 18.04.2.

Any help very much appreciated!

jdstrand · April 26, 2019, 9:00pm

Is desktop-legacy connected?

ianmjones · April 26, 2019, 9:47pm

Thanks for the response.

I’m using desktop-legacy as one of my plugs, and it says it auto connect in the docs, but is there something else I should do?

snap connections shows snippetpixie:desktop-legacy in the list.

I have the following as the command for the app.

command: desktop-launch $SNAP/usr/bin/com.github.bytepixie.snippetpixie

Anything I should do or could check?

github.com

bytepixie/snippetpixie/blob/develop/snapcraft.yaml

name: snippetpixie
base: core20
version: 1.5.1
summary: Your little expandable text snippet helper
description: |
  Save your often used text snippets and then expand them whenever you type their abbreviation.

  For example:- "spr`" expands to "Snippet Pixie rules!"

  For non-accessible applications such as browsers and Electron apps, there's a shortcut (default is Ctrl+`) for opening a search window that pastes the selected snippet.

  Supports placeholders:-

  * Date/Time: Insert the current or calculated date/time with configurable format.
  * Clipboard: Insert the text contents of the clipboard.
  * Snippets: Insert snippets in your snippets!
  * Cursor: Set where the cursor should end up after the snippet has expanded.

  All placeholders are delimited (wrapped) by "$$", with the placeholder name starting with an "@" symbol.
  For example, today's date can be inserted with "$$@date$$".

This file has been truncated. show original

jamesh · April 30, 2019, 2:41am

From the look of it, the desktop-legacy interface does not support this at present: while it does let you connect to the a11y bus, it looks like it is mainly there to allow the application to be controlled by accessibility tools on the host system.

It doesn’t look like it is intended to support confined accessibility tools, let alone a confined accessibility tool controlling a second confined application. And while you might not be using the snap version of LibreOffice, the .deb version is also running under AppArmor confinement.

At this point, maybe the best option is to distribute your application as a classic confinement snap. It’s not the worst thing in the world that our strict confinement policies interfere with a keylogging API.

ianmjones · April 30, 2019, 8:07am

Thanks for taking a look at this and confirming that classic confinement is a requirement @jamesh, much appreciated.

I’ll reconfigure the snap for classic, test, and then submit a classic confinement request.

Thanks again.