Unsafe Browser is not accessible
In Tails 1.0.1 and 1.1 RC1, the unsafe browser is fully inaccessible, probably because it’s launched in chroot mode, and the variable “DBUS_SESSION_BUS_ADDRESS” isn’t set.
|Related to Tails - Bug #9767: IBus input methods cannot be used in the chrooted browsers||Confirmed||2015-07-19|
|Related to Tails - Bug #11755: Dogtail does not work for X applications running as non-amnesia users||In Progress||2016-08-31|
|Related to Tails - Bug #7503: The Persistent Volume Assistant is not readable by Orca||Confirmed||2014-07-06|
|Related to Tails - Bug #9051: Tor Launcher is not accessible||Confirmed||2015-03-14|
|Related to Tails - Feature #12213: Wayland in Tails 5.0 (Bullseye)||In Progress||2017-09-02|
#6 Updated by BitingBird 2015-04-10 20:26:19
- Subject changed from Unsafe browser is not accessible to Browsers are not accessible
All browsers are now confined -> enlarging the ticket (no sense in making one for each browser, since the solution for one will likely solve the problems for the others).
#7 Updated by intrigeri 2015-04-11 10:13:30
- Subject changed from Browsers are not accessible to Chrooted browsers are not accessible
> All browsers are now confined -> enlarging the ticket
Well, I’m almost certain I’ve made sure that Tor Browser’s confinement didn’t break at least the screen reader. If I’m wrong on that one, then feel free to revert to the more generic title you’ve set. Let’s not state that things are broken before double-checking that they are.
#8 Updated by sajolida 2015-04-14 16:46:37
I’m pretty sure that Orca wasn’t working in Tor Browser before AppArmor confinement, and that it kept on not working (not reading what’s on the web pages).
On the other hand, I understand that chrooted browsers and apparmor-confined and two different kind of beast that might require two different solutions, so I agree with intrigeri on keeping a more specific name about chrooting.
#11 Updated by sajolida 2015-04-18 20:44:22
Yes, Orca doesn’t see Tor Browser at all if Tor Browser is started before Orca.
If Tor Browser is started after Orca, the screen is read somehow but I made Tor Browser crash many times.
#14 Updated by intrigeri 2015-08-25 11:05:54
Thanks for the report!
> Meh. Just tested Tails/Jessie and Orca reads the alerts for the Unsafe Browser,
Not surprising, the warning dialog runs as the amnesia user.
> but does not read the contents of the Browser screen at all…
Not very surprising either (we did nothing to fix that in feature/jessie AFAIK).
#15 Updated by anonym 2016-05-31 18:31:38
While the chroot part might make this case harder, it is actually the case that any process running as a different user than amnesia is not “accessible” (poor wording, btw), e.g. Tails Upgrader. Beyond the obvious, i.e. that this is bad for people in need of a screen reader, it is also bad for our automated test suite, given that dogtail uses the same interface.
I’m tempted to change the subject of this title to “GUI applications running as non-amnesia lack accessibility support”.
Some related docs:
#16 Updated by anonym 2016-06-02 15:45:05
In related news (copy-pasted from
It’s worth noting that despite the fact that
synaptic runs as root, dogtail can deal with it! Wow! Is this due to
/usr/bin/synaptic-pkexec? It would be amazing if that is the case, and we can use that for the chroot browsers and other applications run as non-
amnesia in the X session.
I tried this, which started the Unsafe Browser, but still no accessibility support:
pkexec \ env DISPLAY=$DISPLAY \ XAUTHORITY=$XAUTHORITY \ SUDO_USER=$USER \ PATH=$PATH:/usr/local/sbin:/sbin:/usr/sbin \ /usr/local/sbin/unsafe-browser
/usr/share/polkit-1/actions/com.tails.pkexec.unsafe-browser.policy (which is an adapted copy of
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd"> <policyconfig> <action id="com.tails.pkexec.unsafe-browser.policy"> <message>Authentication is required to run the Synaptic Package Manager</message> <icon_name>unsafe-browser</icon_name> <defaults> <allow_any>auth_admin</allow_any> <allow_inactive>auth_admin</allow_inactive> <allow_active>auth_admin</allow_active> </defaults> <annotate key="org.freedesktop.policykit.exec.path">/usr/local/sbin/unsafe-browser</annotate> <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate> </action> </policyconfig>
But it didn’t yield accessibility. Perhaps the chroot further complicates things? Also, I’m admittedly completely ignorant of PolicyKit.
#17 Updated by anonym 2016-06-02 16:23:48
- Status changed from Confirmed to In Progress
- % Done changed from 0 to 10
It seems that any process run as root can get accessibility via something like:
pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY gedit
I suspect that is because
[...] <!-- Allow root to connect --> <allow user="root"/> [...]
because if I add
[...] <allow user="clearnet"/> [...]
(and restart GNOME, so we get new dbus sessions and that file is read and applied again, I suppose) and then run:
xhost + pkexec --user clearnet env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY gedit
then it works! E.g. dogtail’s
sniff tool can see
So, if we find it acceptable to grant access to the AT-SPI bus to other users (aren’t we already assuming that these users has full access to the X session state?), then I guess we can get at least get
tails-upgrade-frontend to support accessibility/dogtail, and possibly also the chroot browsers, although we probably have to be more clever (i.e. make more stuff available in the chroot, perhaps
/var/run/gdm3 due to
I’m calling this progress! But I’m not sure I feel comfortable being the assignee, since I indeed am very ignorant of these things.
#18 Updated by intrigeri 2016-06-03 10:39:47
> So, if we find it acceptable to grant access to the AT-SPI bus to other users (aren’t we already assuming that these users has full access to the X session state?),
At first glance, I think we can indeed do that.
> then I guess we can get at least get
tails-upgrade-frontend to support accessibility/dogtail, and possibly also the chroot browsers, […] I’m calling this progress!
> But I’m not sure I feel comfortable being the assignee, since I indeed am very ignorant of these things.
Understood. But the thing is, AFAIK nobody on our team is less ignorant of them..