Snap confined applications cannot connect to a11y bus
The changes in MR !51 (merged) broke access to the a11y bus for snap confined applications. Previously snap applications could access the abstract namespace socket, with access control being handled through AppArmor policies. Having a regular unix socket in /tmp is difficult to handle due to the snap sandbox providing a private version of that directory.
Also, it's difficult to make AppArmor access decisions with a socket file name using the same naming pattern as e.g. non-systemd launched D-Bus session buses.
One option that would be easier to handle would be a path under $XDG_RUNTIME_DIR, preferably in a subdirectory. If handling multiple a11y buses is not important, then perhaps $XDG_RUNTIME_DIR/at-spi/bus would be appropriate. If supporting multiple buses is still desirable (e.g. for testing), then randomised file names under that directory might work.
Would there be interest in accepting a patch to make this change if it was proposed?
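
A sketch of the path selection proposed above, added here as an illustration and not taken from at-spi2-core or any proposed patch. The function name a11y_socket_path, the bus-<hex> naming for randomised sockets and the ownership and mode checks are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* True if path is a real directory owned by us with no group/other access. */
static int private_dir(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0 && S_ISDIR(st.st_mode) &&
           st.st_uid == getuid() && (st.st_mode & 077) == 0;
}

/* Hypothetical helper (not at-spi2-core code): write the socket path into out.
 * randomise == 0 gives the single well-known name, otherwise a random one.
 * Returns 0 on success, -1 if the runtime directory cannot be trusted. */
int a11y_socket_path(int randomise, char *out, size_t outlen)
{
    const char *rt = getenv("XDG_RUNTIME_DIR");
    char dir[4096];
    unsigned long long r = 0;
    int n;

    /* Refuse unset, relative or shared runtime dirs instead of using /tmp. */
    if (rt == NULL || rt[0] != '/' || !private_dir(rt))
        return -1;
    n = snprintf(dir, sizeof dir, "%s/at-spi", rt);
    if (n < 0 || (size_t)n >= sizeof dir)
        return -1;
    /* Fixed subdirectory: a stable prefix for sandbox policy to match. */
    if (mkdir(dir, 0700) != 0 && errno != EEXIST)
        return -1;
    if (!private_dir(dir))
        return -1;
    if (randomise) {
        /* Several buses (e.g. tests): unpredictable name per bus. */
        FILE *f = fopen("/dev/urandom", "rb");
        size_t got = f ? fread(&r, sizeof r, 1, f) : 0;
        if (f)
            fclose(f);
        if (got != 1)
            return -1;
        n = snprintf(out, outlen, "%s/bus-%016llx", dir, r);
    } else {
        n = snprintf(out, outlen, "%s/bus", dir);
    }
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}
```

Because every socket lives under the one at-spi subdirectory, a sandbox policy can match that prefix whether the fixed or the randomised name is used.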