No snap applications respond to keyboard input on clean install of XUbuntu 22.04 LTS

jason0x21 · October 30, 2022, 6:11pm

So I had a problem a few months ago where snap applications wouldn’t respond to keyboard input on an upgraded version of Ubuntu. Since there were other problems I was having that were proving difficult to fix, I just did a clean install to try and clear out all the nonsense.

That seemed to work, until today.

This is a HP Z840 tower system running Xubuntu 22.04 LTS, which means I’m running a pretty basic XFCE environment.

Now no snap applications (I’ve tried gedit and firefox) want to respond to keyboard input.

When I run gedit from the command line and try to type, I get this…

$ gedit

(gedit:4726): dconf-WARNING **: 13:48:51.569: failed to commit changes to dconf: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.86" (uid=1000 pid=4726 comm="/snap/gedit/653/usr/bin/gedit " label="snap.gedit.gedit (enforce)") interface="ca.desrt.dconf.Writer" member="Change" error name="(unset)" requested_reply="0" destination="ca.desrt.dconf" (bus)

(gedit:4726): dconf-WARNING **: 13:48:51.574: failed to commit changes to dconf: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.86" (uid=1000 pid=4726 comm="/snap/gedit/653/usr/bin/gedit " label="snap.gedit.gedit (enforce)") interface="ca.desrt.dconf.Writer" member="Change" error name="(unset)" requested_reply="0" destination="ca.desrt.dconf" (bus)

(gedit:4726): GLib-GIO-WARNING **: 13:48:51.660: Error creating IO channel for /proc/self/mountinfo: Permission denied (g-file-error-quark, 2)

(gedit:4726): dconf-WARNING **: 13:48:51.829: failed to commit changes to dconf: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.86" (uid=1000 pid=4726 comm="/snap/gedit/653/usr/bin/gedit " label="snap.gedit.gedit (enforce)") interface="ca.desrt.dconf.Writer" member="Change" error name="(unset)" requested_reply="0" destination="ca.desrt.dconf" (bus)

(gedit:4726): dconf-WARNING **: 13:48:51.829: failed to commit changes to dconf: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: An AppArmor policy prevents this sender from sending this message to this recipient; type="method_call", sender=":1.86" (uid=1000 pid=4726 comm="/snap/gedit/653/usr/bin/gedit " label="snap.gedit.gedit (enforce)") interface="ca.desrt.dconf.Writer" member="Change" error name="(unset)" requested_reply="0" destination="ca.desrt.dconf" (bus)

(gedit:4726): IBUS-WARNING **: 13:48:51.853: Unable to connect to ibus: Could not connect: Permission denied

(gedit:4726): IBUS-WARNING **: 13:48:55.542: Events queue growing too big, will start to drop.

(gedit:4726): IBUS-WARNING **: 13:48:55.605: Events queue growing too big, will start to drop.

(gedit:4726): IBUS-WARNING **: 13:48:55.686: Events queue growing too big, will start to drop.

(gedit:4726): IBUS-WARNING **: 13:48:55.750: Events queue growing too big, will start to drop.

(gedit:4726): IBUS-WARNING **: 13:48:55.838: Events queue growing too big, will start to drop.

(gedit:4726): IBUS-WARNING **: 13:48:55.902: Events queue growing too big, will start to drop.

(gedit:4726): IBUS-WARNING **: 13:48:55.974: Events queue growing too big, will start to drop.

(gedit:4726): IBUS-WARNING **: 13:48:56.062: Events queue growing too big, will start to drop.

(gedit:4726): IBUS-WARNING **: 13:48:56.142: Events queue growing too big, will start to drop.

Firefox seems to do the same thing wrt IBUS here. More information that was requested last time I had this problem.

$ snap version
snap    2.57.5+22.04
snapd   2.57.5+22.04
series  16
ubuntu  22.04
kernel  5.17.0-1020-oem

$ snap info snapd gnome-3-38-2004 firefox
name:      snapd
summary:   Daemon and tooling that enable snap packages
publisher: Canonical✓
store-url: https://snapcraft.io/snapd
license:   GPL-3.0
description: |
  Install, configure, refresh and remove snap packages. Snaps are
  'universal' packages that work across many different Linux systems,
  enabling secure distribution of the latest apps and utilities for
  cloud, servers, desktops and the internet of things.
  
  Start with 'snap list' to see installed snaps.
type:         snapd
snap-id:      PMrrV4ml8uWuEUDBT8dSGnKUYbevVhc4
tracking:     latest/stable
refresh-date: 11 days ago, at 04:07 EDT
channels:
  latest/stable:    2.57.4                 2022-10-19 (17336) 50MB -
  latest/candidate: 2.57.5                 2022-10-27 (17576) 52MB -
  latest/beta:      2.57.5                 2022-10-17 (17576) 52MB -
  latest/edge:      2.57.5+git885.g3c05e53 2022-10-25 (17642) 52MB -
installed:          2.57.4                            (17336) 50MB snapd
---
name:      gnome-3-38-2004
summary:   Shared GNOME 3.38 Ubuntu stack
publisher: Canonical✓
store-url: https://snapcraft.io/gnome-3-38-2004
license:   unset
description: |
  This snap includes a GNOME 3.38 stack (the base libraries and desktop
  integration components) and shares it through the content interface.
snap-id:      rw36mkAjdIKl13dzfwyxP87cejpyIcct
tracking:     latest/stable/ubuntu-22.04
refresh-date: 30 days ago, at 17:32 EDT
channels:
  latest/stable:    0+git.6f39565 2022-09-30 (119) 363MB -
  latest/candidate: 0+git.6f39565 2022-09-01 (119) 363MB -
  latest/beta:      ↑                                    
  latest/edge:      0+git.6ed44b3 2022-05-13 (105) 266MB -
installed:          0+git.6f39565            (119) 363MB -
---
name:      firefox
summary:   Mozilla Firefox web browser
publisher: Mozilla✓
store-url: https://snapcraft.io/firefox
contact:   https://support.mozilla.org/kb/file-bug-report-or-feature-request-mozilla
license:   unset
description: |
  Firefox is a powerful, extensible web browser with support for modern web application
  technologies.
commands:
  - firefox
  - firefox.geckodriver
snap-id:      3wdHCAVyZEmYsCMFDE9qt92UV8rC8Wdk
tracking:     latest/stable/ubuntu-22.04
refresh-date: 4 days ago, at 15:32 EDT
channels:
  latest/stable:    106.0.2-1    2022-10-26 (2015) 250MB -
  latest/candidate: 106.0.3-1    2022-10-30 (2042) 250MB -
  latest/beta:      107.0b7-1    2022-10-29 (2038) 187MB -
  latest/edge:      108.0a1      2022-10-30 (2041) 192MB -
  esr/stable:       102.4.0esr-1 2022-10-18 (1967) 183MB -
  esr/candidate:    102.4.0esr-1 2022-10-27 (2027) 183MB -
  esr/beta:         ↑                                    
  esr/edge:         102.2.0esr-2 2022-09-02 (1793) 182MB -
installed:          106.0.2-1               (2015) 250MB -



   $ snap connections firefox
    Interface                 Plug                            Slot                             Notes
    audio-playback            firefox:audio-playback          :audio-playback                  -
    audio-record              firefox:audio-record            :audio-record                    -
    avahi-observe             firefox:avahi-observe           :avahi-observe                   -
    browser-support           firefox:browser-sandbox         :browser-support                 -
    camera                    firefox:camera                  :camera                          -
    content[gnome-3-38-2004]  firefox:gnome-3-38-2004         gnome-3-38-2004:gnome-3-38-2004  -
    content[gtk-3-themes]     firefox:gtk-3-themes            gtk-common-themes:gtk-3-themes   -
    content[icon-themes]      firefox:icon-themes             gtk-common-themes:icon-themes    -
    content[sound-themes]     firefox:sound-themes            gtk-common-themes:sound-themes   -
    cups-control              firefox:cups-control            :cups-control                    -
    dbus                      -                               firefox:dbus-daemon              -
    desktop                   firefox:desktop                 :desktop                         -
    desktop-legacy            firefox:desktop-legacy          :desktop-legacy                  -
    gsettings                 firefox:gsettings               :gsettings                       -
    hardware-observe          firefox:hardware-observe        :hardware-observe                -
    home                      firefox:home                    :home                            -
    joystick                  firefox:joystick                :joystick                        -
    mount-control             firefox:host-hunspell           :mount-control                   -
    mpris                     -                               firefox:mpris                    -
    network                   firefox:network                 :network                         -
    network-bind              firefox:network-bind            :network-bind                    -
    network-observe           firefox:network-observe         -                                -
    opengl                    firefox:opengl                  :opengl                          -
    personal-files            firefox:dot-mozilla-firefox     :personal-files                  -
    removable-media           firefox:removable-media         :removable-media                 -
    screen-inhibit-control    firefox:screen-inhibit-control  :screen-inhibit-control          -
    system-files              firefox:etc-firefox-policies    :system-files                    -
    system-packages-doc       firefox:system-packages-doc     :system-packages-doc             -
    u2f-devices               firefox:u2f-devices             :u2f-devices                     -
    unity7                    firefox:unity7                  :unity7                          -
    upower-observe            firefox:upower-observe          :upower-observe                  -
    wayland                   firefox:wayland                 :wayland                         -
    x11                       firefox:x11                     :x11                             -

$ locale
LANG=en_US.UTF-8
LANGUAGE=en_US
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE=C
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=

jason0x21 · October 30, 2022, 6:19pm

I also created a plain user from scratch, to see if there was any cruft in my user directory. Same results.

jason0x21 · October 30, 2022, 7:38pm

And I’ve rebooted a couple of times, just for good measure. Same results.

kenvandine · October 31, 2022, 7:14am

@jamesh any thoughts on this?

jamesh · October 31, 2022, 10:43am

Most likely, it is a problem with the location of the ibus socket. There is code in the desktop-legacy interface to grant access to the ibus socket, but presumably none of them are matching what’s happening on Xubuntu 22.04:

github.com

snapcore/snapd/blob/3c05e535e5cff4b64e4427e38494795fbbfd5122/interfaces/builtin/desktop_legacy.go#L130-L149


# ibus
# subset of ibus abstraction
/usr/lib/@{multiarch}/gtk-2.0/[0-9]*/immodules/im-ibus.so mr,
owner @{HOME}/.config/ibus/      r,
owner @{HOME}/.config/ibus/bus/  r,
owner @{HOME}/.config/ibus/bus/* r,
# allow communicating with ibus-daemon (this allows sniffing key events)
unix (connect, receive, send)
    type=stream
    peer=(addr="@/tmp/ibus/dbus-*"),
# abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{HOME}/.cache)
# This should use this, but due to LP: #1856738 we cannot
#unix (connect, receive, send)
#    type=stream
#    peer=(addr="@@{HOME}/.cache/ibus/dbus-*"),
unix (connect, receive, send)
     type=stream
     peer=(addr="@/home/*/.cache/ibus/dbus-*"),

It’s possible we just need to add one more rule for whatever path ibus is using on this system.

Longer term, I think we want to get snaps using ibus-portal. As well as having more predictable IPC, it restricts applications from accessing input contexts created by other applications. Which means that it would meet the security expectations of the desktop interface. Enabling that would involve:

Add rules to desktop to allow communication with org.freedesktop.portal.IBus on the session bus.
Get ibus input module in snaps to use portal mode. At present, this would require setting IBUS_USE_PORTAL=1 in the environment. Alternatively we could submit changes upstream to enable automatically:

github.com

ibus/ibus/blob/00a78d6d0bc1d964cdd50959bcc37f340678dab4/src/ibusbus.c#L489-L494


static gboolean
ibus_bus_should_connect_portal (IBusBus *bus)
{
    return bus->priv->client_only &&
        (is_in_flatpak () || g_getenv ("IBUS_USE_PORTAL") != NULL);
}

Either way, we could probably get this working automatically for snaps using the gnome-42-2204 platform snap pretty easily once the snapd changes are in.

jamesh · November 1, 2022, 9:21am

@jason0x21: to help debug what’s going on on your system, it’d be helpful to see how the ibus bus is configured on your system. There should be a text file in ~/.config/ibus/bus/ that is used to find where the socket is located. It should start with a comment like “This file is created by ibus-daemon”.

Could you provide the contents of this file in a reply here? The file doesn’t contain any sensitive information.

jason0x21 · November 1, 2022, 1:01pm

Sure can. I’ll note that user directories on my machine are under /home/users/<username> as opposed to /home/<username>. I had to edit /etc/apparmor.d/tunables/home.d/site.local to allow for this, but firefox has worked with this configuration before.

There are a few files in ~/.config/ibus/bus, but I just chose the most recent one here.

$ ls -l ~/.config/ibus/bus/
total 12
-rw-rw-r-- 1 jason jason 168 May  9  2015 722b9664f984d5ee8fbe12870000001d-unix-0
-rw-rw-r-- 1 jason jason 385 Sep  5 10:01 bf29b38f3f9015073c6d376a554ea933-unix-0
-rw-rw-r-- 1 jason jason 385 Oct 30 14:18 f592716d9966471e86abf56f1ab69e75-unix-0
$ cat ~/.config/ibus/bus/f592716d9966471e86abf56f1ab69e75-unix-0
# This file is created by ibus-daemon, please do not modify it.
# This file allows processes on the machine to find the
# ibus session bus with the below address.
# If the IBUS_ADDRESS environment variable is set, it will
# be used rather than this file.
IBUS_ADDRESS=unix:abstract=/home/users/jason/.cache/ibus/dbus-phWnYlgW,guid=0b011ca965bb369c6b0ec3d9635ebffc
IBUS_DAEMON_PID=8446

This seems weird, though.

$ ls -las /home/users/jason/.cache/ibus/dbus-phWnYlgW,guid=0b011ca965bb369c6b0ec3d9635ebffc
ls: cannot access '/home/users/jason/.cache/ibus/dbus-phWnYlgW,guid=0b011ca965bb369c6b0ec3d9635ebffc': No such file or directory
jason@red-hughes:~/Downloads$ ps -ef | grep 8446
jason       8446       1  0 Oct30 ?        00:01:17 /usr/bin/ibus-daemon --daemonize --xim
jason       8459    8446  0 Oct30 ?        00:00:00 /usr/libexec/ibus-memconf
jason       8460    8446  0 Oct30 ?        00:00:25 /usr/libexec/ibus-ui-gtk3
jason       8461    8446  0 Oct30 ?        00:00:22 /usr/libexec/ibus-extension-gtk3
jason       8500    8446  0 Oct30 ?        00:00:17 /usr/libexec/ibus-engine-simple
jason     301016    8771  0 09:00 pts/8    00:00:00 grep 8446

jamesh · November 1, 2022, 2:57pm

It’s normal that the you can’t see the file. It’s an “abstract namespace socket”, so is not part of the regular file system.

Usually access to this socket would be granted by the following rule:

github.com

snapcore/snapd/blob/3c05e535e5cff4b64e4427e38494795fbbfd5122/interfaces/builtin/desktop_legacy.go#L147-L149


unix (connect, receive, send)
     type=stream
     peer=(addr="@/home/*/.cache/ibus/dbus-*"),

… but /home/*/.cache/ibus/dbus-* does not match /home/users/jason/.cache/ibus/dbus-phWnYlgW due to the extra /users/ path component. We’d usually use the @{HOME} AppArmor tunable, but it doesn’t work properly in this part of a rule. So I’m not sure there is a simple fix.

Switching to ibus-portal would avoid the problem though, since communication with the input method just happens over the regular session bus.

jason0x21 · November 1, 2022, 3:08pm

I guess my question there is: Why did it ever work in the first place?

jamesh · November 1, 2022, 3:24pm

Did you have ibus configured as your input method before?

It looks like these rules were last touched in February 2020, so I don’t think there’s been anything recent that’s changed on the snap side that would have made this break.

jason0x21 · November 1, 2022, 4:21pm

After I installed from scratch in September and changed the AppAmor tunable, I didn’t do anything with ibus (that I know of), and it was working fine up until this past weekend.

jason0x21 · November 5, 2022, 2:28pm

Also way does it say “Permission Denied” instead of “File Not Found” or something similar?

goldstar611 · November 6, 2022, 3:43pm

The program received a permission denied error because the AppArmor policy is checked before the file is checked by the linux kernel.

jason0x21 · November 6, 2022, 3:51pm

That makes it sound like there’s something else I need to adjust in AppAmor besides just the $HOME location.

goldstar611 · November 6, 2022, 4:54pm

It’s probably not directly related but I think this gtk-2.0 AppArmor rule isn’t correct, specifically the [0-9] part because the file path has periods if you inspect the filenames of the package

github.com

canonical/snapd/blob/3c05e535e5cff4b64e4427e38494795fbbfd5122/interfaces/builtin/desktop_legacy.go#L132


      
          dbus (send)
              bus=accessibility
              path="/org/a11y/atspi/cache"
              interface="org.a11y.atspi.Cache"
              member="{Add,Remove}Accessible"
              peer=(name=org.freedesktop.DBus, label=unconfined),
          
          
          # ibus
          # subset of ibus abstraction
          /usr/lib/@{multiarch}/gtk-2.0/[0-9]*/immodules/im-ibus.so mr,
          owner @{HOME}/.config/ibus/      r,
          owner @{HOME}/.config/ibus/bus/  r,
          owner @{HOME}/.config/ibus/bus/* r,
          
          # allow communicating with ibus-daemon (this allows sniffing key events)
          unix (connect, receive, send)
              type=stream
              peer=(addr="@/tmp/ibus/dbus-*"),
          
          # abstract path in ibus >= 1.5.22 uses $XDG_CACHE_HOME (ie, @{HOME}/.cache)

https://packages.ubuntu.com/jammy/amd64/ibus-gtk/filelist

FWIW I found noibus text file on a clean XUbuntu 22.04 installation. I was not able to follow along in a newly set up VM.

goldstar611 · November 6, 2022, 4:55pm

I did spot a chance to add in a custom ibus rule. I spotted #include <abstractions/dbus-session-strict> and inside that apparmor profile is include if exists <abstractions/dbus-session-strict.d>

I suppose you could add in a new file there to include ibus directories for the non-standard home directories.

jason0x21 · November 6, 2022, 5:24pm

Are you saying something like this on the command line should work for me?

$ env IBUS_USE_PORTAL=1 firefox

jamesh · November 8, 2022, 8:45am

Note that AppArmor patterns are closer to shell globs than regular expressions. So [0-9]* matches a digit followed by zero or more of any character. It’s not zero or more digits.

kaddkaka · September 13, 2023, 6:37am

Has this bug been resolved yet?

I have this same problem on a fresh install of Ubuntu 22.04 with xfce. Snap programs dont react to text input (I tried snapstore, chromium and firefox).

jamesh · September 13, 2023, 9:16am

The problem mentioned in the initial comment is down to a non-standard home directory location. If that doesn’t match your setup, then you’ve probably encountered something different.

It’s hard to say more without more details about your setup:

what input method are you using?
Does the application print any error messages to the console when input fails?
Are there any denial errors in the dmesg log that look relevant?