Feature #14522: Make Tails usable for blind users
Unsafe Browser is not accessible
In Tails 1.0.1 and 1.1 RC1, the unsafe browser is fully inaccessible, probably because it's launched in chroot mode, and the variable "DBUS_SESSION_BUS_ADDRESS" isn't set.
#7 Updated by intrigeri over 4 years ago
- Subject changed from Browsers are not accessible to Chrooted browsers are not accessible
All browsers are now confined -> enlarging the ticket
Well, I'm almost certain I've made sure that Tor Browser's confinement didn't break at least the screen reader. If I'm wrong on that one, then feel free to revert to the more generic title you've set. Let's not state that things are broken before double-checking that they are.
#8 Updated by sajolida over 4 years ago
I'm pretty sure that Orca wasn't working in Tor Browser before AppArmor confinement, and that it kept on not working (not reading what's on the web pages).
On the other hand, I understand that chrooted browsers and apparmor-confined and two different kind of beast that might require two different solutions, so I agree with intrigeri on keeping a more specific name about chrooting.
#14 Updated by intrigeri over 4 years ago
Thanks for the report!
Meh. Just tested Tails/Jessie and Orca reads the alerts for the Unsafe Browser,
Not surprising, the warning dialog runs as the amnesia user.
but does not read the contents of the Browser screen at all...
Not very surprising either (we did nothing to fix that in feature/jessie AFAIK).
#15 Updated by anonym over 3 years ago
While the chroot part might make this case harder, it is actually the case that any process running as a different user than amnesia is not "accessible" (poor wording, btw), e.g. Tails Upgrader. Beyond the obvious, i.e. that this is bad for people in need of a screen reader, it is also bad for our automated test suite, given that dogtail uses the same interface.
I'm tempted to change the subject of this title to "GUI applications running as non-amnesia lack accessibility support".Some related docs:
#16 Updated by anonym over 3 years ago
In related news (copy-pasted from #10900#note-8):
It's worth noting that despite the fact that
synaptic runs as root, dogtail can deal with it! Wow! Is this due to
/usr/bin/synaptic-pkexec? It would be amazing if that is the case, and we can use that for the chroot browsers and other applications run as non-
amnesia in the X session.
I tried this, which started the Unsafe Browser, but still no accessibility support:
pkexec \ env DISPLAY=$DISPLAY \ XAUTHORITY=$XAUTHORITY \ SUDO_USER=$USER \ PATH=$PATH:/usr/local/sbin:/sbin:/usr/sbin \ /usr/local/sbin/unsafe-browser
/usr/share/polkit-1/actions/com.tails.pkexec.unsafe-browser.policy(which is an adapted copy of
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN" "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd"> <policyconfig> <action id="com.tails.pkexec.unsafe-browser.policy"> <message>Authentication is required to run the Synaptic Package Manager</message> <icon_name>unsafe-browser</icon_name> <defaults> <allow_any>auth_admin</allow_any> <allow_inactive>auth_admin</allow_inactive> <allow_active>auth_admin</allow_active> </defaults> <annotate key="org.freedesktop.policykit.exec.path">/usr/local/sbin/unsafe-browser</annotate> <annotate key="org.freedesktop.policykit.exec.allow_gui">true</annotate> </action> </policyconfig>
But it didn't yield accessibility. Perhaps the chroot further complicates things? Also, I'm admittedly completely ignorant of PolicyKit.
#17 Updated by anonym over 3 years ago
- Status changed from Confirmed to In Progress
- % Done changed from 0 to 10
It seems that any process run as root can get accessibility via something like:
pkexec env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY gedit
I suspect that is because
[...] <!-- Allow root to connect --> <allow user="root"/> [...]
because if I add
[...] <allow user="clearnet"/> [...]
(and restart GNOME, so we get new dbus sessions and that file is read and applied again, I suppose) and then run:
xhost + pkexec --user clearnet env DISPLAY=$DISPLAY XAUTHORITY=$XAUTHORITY gedit
then it works! E.g. dogtail's
snifftool can see
So, if we find it acceptable to grant access to the AT-SPI bus to other users (aren't we already assuming that these users has full access to the X session state?), then I guess we can get at least get
tails-upgrade-frontend to support accessibility/dogtail, and possibly also the chroot browsers, although we probably have to be more clever (i.e. make more stuff available in the chroot, perhaps
/var/run/gdm3 due to
I'm calling this progress! But I'm not sure I feel comfortable being the assignee, since I indeed am very ignorant of these things.
#18 Updated by intrigeri over 3 years ago
So, if we find it acceptable to grant access to the AT-SPI bus to other users (aren't we already assuming that these users has full access to the X session state?),
At first glance, I think we can indeed do that.
then I guess we can get at least get
tails-upgrade-frontendto support accessibility/dogtail, and possibly also the chroot browsers, [...] I'm calling this progress!
But I'm not sure I feel comfortable being the assignee, since I indeed am very ignorant of these things.
Understood. But the thing is, AFAIK nobody on our team is less ignorant of them..