[05:49] <zyga> good morning
[08:00] <morphis> zyga: ping
[08:00] <zyga> morphis: hey, good morning
[08:00] <morphis> zyga: morning!
[08:01] <morphis> zyga: wondering if you tested the bluez interface changes at runtime as I am getting invalid apparmor profiles with those changes
[08:01] <zyga> morphis: hmm, no I did not
[08:01] <morphis> doesn't seem to like peer=(label=snap.bluez.{bluez,obex}),
[08:02] <zyga> morphis: can you pastebin what you're getting?
[08:02] <zyga> hmmm
[08:02] <zyga> I see, thanks, jdstrand suggested those nad I assumed it would be digested
[08:02] <morphis> zyga: https://paste.ubuntu.com/16186420/
[08:03] <zyga> ok, let me look
[08:03]  * zyga curses at 2fa
[08:03] <zyga> why does it need to auth me for a f.... pastebin
[08:04] <zyga> Plain form not available for deep linking.
[08:08] <zyga> morphis: odd, for me it complains at line 241
[08:08] <zyga> AppArmor parser error for test.aa in test.aa at line 241: syntax error, unexpected TOK_ID, expecting TOK_CONDID or TOK_END_OF_RULE
[08:08] <zyga> and that is:   # for 'udevadm trigger --verbose --dry-run --tag-match=snappy-assign'$
[08:08] <zyga> ??
[08:09] <zyga> I think line numbers are broken
[08:09] <zyga> it really complains about   signal peer=snap.@{SNAP_NAME}.*,$
[08:09]  * zyga experiments
[08:11] <zyga> morphis: it's clear that something is quite not right
[08:11] <zyga> morphis: can we wait till jdstrand or tyler shows up?
[08:14] <morphis> sure
[08:14] <morphis> zyga: reworking the network-manager interface now
[08:15] <slvn> hello ! got some issue with my snap. Running "snap-review mysnap" says "checksums do not match.". I can't upload it to the store because of that. I have tested the "opencv" example and it worked.
[08:16] <slvn> I have also tested the command lines "snapcraft snap <DIR>" or "mksquashfs <dir> ..". But it failed also the checksum test.
[08:20] <zyga> slvn: we know that, at least on pi2, mksquashfs is not really deterministic
[08:20] <zyga> maybe it affects other arches
[08:21] <zyga> slvn: for now I'd report a bug and try to investigate
[08:24] <slvn> zyga, could you (quickly) double-check with the SDL2 package that it also fail on your side ? I am on amd64, and build for amd64
[08:24] <zyga> slvn: I'm somewhat busy but if you run it 100 times and collect the distribution of the hashes that would make a fantastic bug report
[08:25] <zyga> slvn: note, run mksquashfs only
[08:25] <slvn> ok why not ...
[08:25] <slvn> how can I get the hash ? checksun mysnap.snap ?
[08:26] <zyga> slvn: sha512sum
[08:26]  * zyga explores how to refactor snapenv
[08:26] <slvn> and you say, I only need to re-do "snapcraft snap" ?
[08:27] <zyga> I'd just re-do the squashfs command but snapcraft snap is close enough
[08:31] <slvn> zyga, I get something like : http://paste.ubuntu.com/16186526/
[08:31] <zyga> hmm
[08:31] <zyga> perhaps snapcraft snap is not enough
[08:32] <zyga> as in, it does changes to snap/ files
[08:32] <zyga> kyrofa, sergiusens: ^^
[08:33] <slvn> zyga, something like "mksquashfs <dir> <snap> -noappend -comp xz -all-root -no-xattrs" ??
[08:33] <zyga> yes
[08:36] <slvn> same randomness ..
[08:36] <zyga> slvn: report that as a bug on squashfstools please
[08:36] <zyga> definitely worth investigating
[08:37] <slvn> ok
[08:37] <zyga> slvn: can you also check if it is the same if you use something to turn of paralell compression?
[08:37] <slvn> zyga, I was about to test that. But I haven't find the option
[08:38] <slvn> op yes -processors
[08:38] <slvn> I try
[08:38] <zyga> slvn: -processors 1
[08:39] <slvn> also failing :/
[08:39] <slvn> I will do the bug report !
[08:40] <morphis> zyga: I will most likely write the snap label replacement code you wrote for the plug side also for the slot side
[08:41] <zyga> sure
[08:41] <zyga> morphis: if you figure out why apparmor doesn't accept the file you sent me feel free to fix the shared function too
[08:41] <zyga> morphis: and note that for me it also failed on line mid-file
[08:41] <zyga> morphis: on all-up-to-date xenial
[08:41] <morphis> ok
[08:42] <morphis> zyga: https://github.com/ubuntu-core/snappy/pull/1036#discussion_r60144002 is what I am currently looking into
[08:43] <morphis> but trying first to rework the rules a bit
[08:43] <zyga> morphis: keep this in mind: https://github.com/ubuntu-core/snappy/pull/1036#issuecomment-215841904
[08:44] <zyga> morphis: the 'works on the desktop' aspect
[08:44] <morphis> zyga: so how can I test that?
[08:44] <zyga> morphis: snap nmcli separately perhaps?
[08:44] <morphis> and how do I say that the ubuntu-core snap provides the interface?
[08:45] <zyga> morphis: you want to look at snap/implicit.go
[08:45] <morphis> ok
[08:45] <zyga> morphis: but you'll have to bite the bullet and make it dependant on being on the desktop (say dpkg/info exists)
[08:45] <morphis> hm
[08:45] <zyga> but don't worry
[08:46] <zyga> there's similar code in ubuntu-core-launcher
[08:46] <pedronis> zyga: we really need to talk (with mvo etc) about what's the official way to detect desktop vs not
[08:46] <pedronis> we need an official helper somewhere for that
[08:46] <morphis> zyga: my only fear is this will bringup another lengthy discussion
[08:46] <morphis> so I would like to do that after the first PR
[08:46] <morphis> or let you guys do it properly
[08:48] <zyga> morphis: no worries, I'll help you out
[08:48] <morphis> zyga: sure but I want to get a first version merged soon, this is already pending for too long
[08:52] <morphis> zyga: also I am getting
[08:52] <morphis> peer=(label=snap.network-manager.networkmanager),
[08:52] <morphis> in the plug apparmor file
[08:52] <morphis> with your method from utils.go, shouldn't that be snap.network-manager.nmcli?
[08:53] <zyga> hmm
[08:53] <zyga> yes, let's see what I did there
[08:55] <zyga> is networkmanager an app name?
[08:57] <slvn> zyga, I haven't reported the bug yet because my testcase was passing the checksum test :)... so I found out something: adding a line "stage-packages: [ .. ]" solve the issue ...
[08:59] <zyga> slvn: curious
[08:59] <slvn> yep, I add a stage-package line in my "real" package, and it worked also. I will report that ...
[09:00] <morphis> zyga: it is
[09:00] <zyga> morphis: so that is correct, the plug can talk to the slot
[09:00] <morphis> ok
[09:03] <morphis> zyga: however I am wondering if its ok to include the client app name in the permanent slot apparmor policy, propably not
[09:03] <zyga> hmm, why?
[09:03] <zyga> client app name in permanent slot?
[09:04] <zyga> isn't that what per-connection snippet should do
[09:04] <morphis> zyga: https://paste.ubuntu.com/16186665/
[09:05] <zyga> morphis: is nmcli connected to nm?
[09:05] <zyga> morphis: it seems to be the same as bluez and bluetoothctl
[09:05] <morphis> yes
[09:05] <morphis> zyga: see https://github.com/ubuntu-core/snappy/pull/1036#discussion_r60144002
[09:05] <morphis> that is what I had before
[09:05] <morphis> but jdstrand said we should use proper snap.* names too
[09:06] <morphis> for bluez we didn't do that
[09:06] <zyga> wasn't that what my earlier patch (now broken apparently) did?
[09:06] <morphis> https://github.com/ubuntu-core/snappy/blob/master/interfaces/builtin/bluez.go#L74
[09:07] <zyga> ah, I see
[09:07] <zyga> I'm somewhat confused though
[09:07] <zyga> do we need this on both slot and plug ends?
[09:08] <zyga> if the slot side permission didn't exist
[09:08] <zyga> would the plug-side connection permission suffice?
[09:08] <morphis> zyga: not sure too
[09:09] <morphis> playing a bit with more generic rules right now
[09:12] <slvn> https://bugs.launchpad.net/snapcraft/+bug/1577333
[09:27] <morphis> zyga: ok, I have a simpler version working now which pretty much looks the same as the bluez one
[09:41] <ogra_> mvo, looks like your latest u-d-f is broken, mind rolling it back (or do we need to update the gadgets ? ... looks more like squashfs-tools to me though)
[09:45] <zyga> ogra_: see the bug reported by slvn above
[09:45] <zyga> it seems that mksquashfs is the new willy wonka
[09:46] <ogra_> http://people.canonical.com/~ogra/snappy/all-snaps/ubuntu-device-flash is the last working one btw
[09:46]  * ogra_ has backups ;)
[09:46] <zyga> the last one standing ;)
[09:46] <ogra_> :)
[09:50] <morphis> zyga: https://github.com/ubuntu-core/snappy/pull/1036#issuecomment-216181284
[09:51] <zyga> morphis: thanks
[09:51] <morphis> zyga: can you give this a last review round?
[09:51] <morphis> niemeyer, jdstrand: ^^
[09:52] <zyga> morphis: in a sec
[09:52] <morphis> zyga: btw. should I have AutoConnect() { return true }?
[09:54] <zyga> morphis: that won't do much on non-desktop
[09:54] <zyga> auto-connect only connects to stuff on the OS snap
[09:54] <zyga> (today0
[09:54] <morphis> so you be false?
[09:54] <zyga> yeah, leave it as false and add a note
[09:54] <morphis> ok
[09:56] <morphis> zyga: btw. if you want to test the bluez snap we have prebuilt ones at https://code.launchpad.net/~snappy-hwe-team/+snap/bluez
[09:56] <zyga> morphis: oh, that's useful, thank you
[09:56] <zyga> morphis: I'll get to testing this shortly, I'm mid-way in another branch
[09:57] <morphis> sure, take your time :-)
[10:40] <zzarr> hello! is there a snappy image for dragonboard 410c yet?
[10:42] <ogra_> zzarr, build one yourself ...
[10:42] <ogra_> http://people.canonical.com/~ogra/snappy/all-snaps/ubuntu-device-flash should be the last working ubuntu-device-flash
[10:43] <zzarr> nice, thanks ogra_
[10:43] <ogra_> http://people.canonical.com/~ogra/snappy/all-snaps/dragonboard/README has the runes you need
[10:45] <zzarr> thanks ogra_
[10:47] <ogra_> (do not use the mvo u-d-f, it is currently broken)
[10:48] <zzarr> mvo?
[10:48] <ogra_> the one mentioned in the readme
[10:48] <zzarr> okey
[10:48] <mvo> ogra_: almost ready again
[10:49] <ogra_> good :)
[10:49] <zzarr> I use the one you have ogra_
[10:49] <ogra_> yeah, thats fine then
[10:50] <zzarr> it's done (it was quick)
[10:54] <zzarr> 100/100 internet connection ssd and a quad core i7... I don't ever have to wait :)
[10:54] <mvo> zzarr, ogra_: new u-d-f is up
[10:54] <zzarr> nice
[10:55] <zzarr> mvo, what are the benefits with it?
[10:55] <zzarr> (over ogra_'s binary?)
[10:56] <mvo> zzarr: I don't know what ogra_ binary is doing, sorry so I can't answer
[10:56] <zzarr> okey, no problem, maybe ogra_ can tell
[10:57] <zzarr> thanks for helping me, both of you mvo and ogra_ :D
[10:57] <zyga> morphis: I'm adding some inline comments to n-m
[10:57] <morphis> zyga: aye
[10:58] <zyga> morphis: quick side question: what's the dichotomy of apparmor doing some checks and dbus.xml doing what looks like the same checks again
[10:59] <morphis> zyga: a more fundamental question we could solve with snappy but for now we want to stick to what upstream does + apparmor on top
[10:59] <zyga> morphis: I see, thanks
[11:28] <ogra_> mvo: my binary is simply the one from brefore it broke :)
[11:28] <ogra_> *before
[11:43] <mvo> ogra_: heh, clever!
[12:12] <kyrofa> Good morning
[12:25] <zyga> jdstrand: around?
[12:29] <jdstrand> zyga: hey, I am now
[12:29] <zyga> jdstrand: hey! :)
[12:30] <zyga> jdstrand: I hope you had a good weekend
[12:30] <zyga> jdstrand: we found some issues with apparmor and the {app1,app2} label syntax
[12:30] <jdstrand> yes, thank you
[12:30] <jdstrand> zyga: you too
[12:30] <zyga> jdstrand: check the backlog with morphis above for details
[12:30] <zyga> jdstrand: other than that there are some commends on the network-manager interface
[12:30] <zyga> jdstrand: and otherwise we're looking good :)
[12:30] <morphis> zyga: looking at them now ..
[12:30] <jdstrand> zyga: can I see the generated policy?
[12:31] <zyga> s/commends/comments/
[12:31] <zyga> jdstrand: one sec
[12:32] <zyga> jdstrand: https://paste.ubuntu.com/16186420/
[12:32] <zyga> that's the same pastebin as above
[12:32] <zyga> I tried it and I also had an error mid-file about signal and a glob there
[12:32] <zyga> not sure what to make of it
[12:33] <jdstrand> zyga: use peer=(label="snap.bluez.{bluez,obex}")
[12:34] <jdstrand> zyga: ie, put it in quotes
[12:34] <zyga> ah, so just " "
[12:34] <zyga> morphis: ^^ :)
[12:34] <jdstrand> yeah
[12:34] <zyga> thanks! :D
[12:34] <zyga> jdstrand: did you try to compile it?
[12:34] <jdstrand> and you can do that for "snap.bluez.*"
[12:34] <zyga> I also got an error with signal mid way
[12:34] <jdstrand> zyga: yes
[12:34] <zyga> ah ok
[12:35] <jdstrand> and "snap.bluez.app1"
[12:36] <jdstrand> zyga: as for signal, no issues here. are you compiling on an old kernel?
[12:36] <zyga> jdstrand: on 4.4.0-21
[12:36] <jdstrand> it works fine here
[12:36] <zyga> if no issues let's disergard that, I'll re-check after this is patched
[12:37] <zyga> disregard*
[12:37]  * zyga cannot type 
[12:39] <morphis> jdstrand: when you have some time, could you look at the reworked apparmor policy of the network-manager inteface?
[12:39] <morphis> jdstrand: tried to keep the same things as we already have in the bluez interface definition
[12:39] <jdstrand> yes
[12:40] <morphis> thanks
[12:44] <jdstrand> morphis: as for question or client name in permanent slot, no, we should not do that. We could/should do that in connected slot though
[12:44] <morphis> jdstrand: ok
[12:44] <jdstrand> s/or client/on client/
[12:44] <kyrofa> zyga, `snapcraft snap` on its own will regenerate the meta/ directory. If you want to essentually only have it call mksquashfs you need to use `snapcraft snap <dir>`
[12:44] <zyga> kyrofa: ah, thanks
[12:45] <kyrofa> zyga, it does that so it picks up on YAML changes like changing the snap name, etc.
[12:52] <urm8> hello!
[12:52] <urm8> Hi people
[12:53] <urm8> where do I get newest info about Snappy, including forum discussions on building and stuff like that?
[12:53] <zyga> urm8: hey, right here is one spot, I know that many people also use ask ubuntu
[12:54] <zyga> urm8: I'd recommend snappy-app-devel maliling list as well
[12:54] <urm8> that mailing list looks like the one.
[12:54] <urm8> Thanks
[12:54] <zyga> urm8: there's also snappy-devel as well
[12:55] <urm8> I wanted to pack OpenFoam, but the learning curve to deb packing seem though, so I thought maybe giving the Snappy way a try!
[12:55] <urm8> brb
[12:58] <kgunn> zyga: thot you'd be off today, but hey...after some discussion late friday with jdstrand, i think i really am stuck
[12:58] <kgunn> i've got nil nil returning for everything but aa/seccomp on perm slot
[12:59] <zyga> kgunn: hey? why is that?
[12:59] <kgunn> but when i try to install my snap, it complains about dbus?
[12:59] <kgunn> and i don't even have dbus or any need for it
[12:59] <zyga> can you be more specific please?
[12:59] <kgunn> yep one sec
[13:01] <ogra_> asac, http://people.canonical.com/~ogra/snappy/all-snaps/canonical-pi2_3.3_all.snap in case you want to help testing :)
[13:06] <kgunn> zyga: will get back to you in a minute with some pastebins...first have to clean up an experiment i ran late friday
[13:07] <zyga> kgunn: ok, I'm in a metting now, happy to work with you after
[13:16] <urm8> Hi people, is there a begginer guide to snappy too?
[13:18] <sborovkov> Hello, which interface should I use to allow shared memory access? (peration="mknod" profile="snap.screenly-client.viewer" name="/dev/shm/WK2SharedMemory.907069164" pid=1006 comm="ld-linux-armhf." requested_mask="c" denied_mask="c" fsuid=0 ouid=0)
[13:26] <zyga> sborovkov: ask jdstrand, perhaps none, in that case please file a bug on snappy (on launchpad)
[13:27] <sborovkov> zyga: ok, got it
[13:27] <sborovkov> jdstrand: Hello, is there an interface to allow shared memory access?
[13:27] <zyga> sborovkov: to be clear, there's no specific interface, apps should have *some* shm access today
[13:27] <zyga> perhaps the some value needs tweaking
[13:28] <jdstrand> sborovkov: looking at your denial you need to adjust your app to use /{dev,run}/shm/snap/@{SNAP_NAME}/@{SNAP_REVISION}/
[13:28] <jdstrand> tbh, I never understood why that directory had revision in the path
[13:29] <jdstrand> I mean I sorta understood, but for what people use it for, it isn't needed imho
[13:30] <zyga> jdstrand: the revision part is problematic, I think
[13:30] <zyga> jdstrand: snaps hardly know that (they do but not really easy)
[13:30] <jdstrand> I'm totally fine to remove it
[13:30] <sborovkov> jdstrand: ok, understood, now just gotta find where it's used in webkit's code.
[13:30] <zyga> jdstrand: if it's not a security issue I'd drop revision for sure
[13:30] <jdstrand> zyga: SNAP_REVISION is in the env
[13:30] <zyga> jdstrand: yes, I know but hardly anyone patches code to use it
[13:33] <jdstrand> sborovkov: you might be interested in this historical bug: bug #1197060
[13:37] <sborovkov> jdstrand: Hmm, looks like this was resolved by using 0xide whatever that is. We are using our own build of webkit unfortunately for now so that won't help I guess. I don't understand if with new security I could still use apparmor to tweak this for my app somehow? Or should I just go the route of tweaking paths it accesses
[13:38] <ogra_> uh, webkit ... why do you get yourself into such a security nightmare ? :)
[13:41] <sborovkov> ogra_: We had that part written long time ago to display web pages in QML. It also allows nice things like stopping animations, and some other low level stuff which is nice for performance on RPI. Now Qt moved to web engine but I have no idea if anyone even tried porting it to RPI
[13:42] <ogra_> well, oxide definitely runs on armhf devices ... and is well integrated with qml
[13:42] <ogra_> (and fully security maintained in ubuntu)
[13:44] <sborovkov> ogra_: I will look at it, I was not aware about it before even. We are moving from raspbian to snappy currently. And have a beta soon, just need to port everything to new security (well once /dev/vchiq can be accessed with it). But need to get out beta for now :-)
[13:56] <jdstrand> sborovkov: is there a bug on /dev/vchiq? if not, can you file it describing what the device is and why you need it? please add the 'snapd-interface' bug tag
[13:57] <kgunn> zyga: hmmm....ok i made some progress, interesting stumbling block, i'd mod'd your refresh-bits to build off my fork of ubuntu-core/snappy (kgunnfront/snappy)...that seemed to be an issue
[13:57] <kgunn> at any rate.. i can install mir-snap now
[13:58] <kgunn> https://pastebin.canonical.com/155618/
[13:58] <kgunn> jdstrand: ^ i've not been so excited in quite a while ;)
[13:59] <jdstrand> slvn: is your issue one of bug #1576763 or bug #1555305 ?
[13:59] <zyga> kgunn: hmm
[13:59] <zyga> kgunn: you cannot change the package name
[13:59] <zyga> kgunn: you have to move your fork of snappy into $GOROOT/src/github.com/ubuntu-core/snappy
[13:59] <zyga> kgunn: otherwise it will never ever do anything
[13:59] <sborovkov> jdstrand: there is one, it has high priority now
[13:59] <jdstrand> slvn: if so, please comment in those bugs with any relevant info. otherwise, please file a new bug and let me know the bug number
[13:59] <kgunn> zyga: yep...i just copied over my mod'd files to ubuntu-core dir and it worked
[14:00] <kgunn> zyga: tools are getting too smart these days :)
[14:00] <jdstrand> sborovkov: what is the bug number?
[14:00] <zyga> kgunn: glad to hear you are progressing :)
[14:00] <sborovkov> jdstrand: https://bugs.launchpad.net/snappy/+bug/1533265
[14:01] <jdstrand> kgunn: woohoo! :)
[14:01] <kgunn> i know minor victory
[14:02] <ogra_> jdstrand: we need the re-defined kernel snaps for thsi bug i fear
[14:02] <ogra_> *this
[14:02] <zyga> ogra_: why?
[14:02] <ogra_> because we cant ship any udev roles today
[14:02] <ogra_> *rules
[14:03] <zyga> ogra_: you can, via interfaces :)
[14:03] <zyga> ogra_: interfaces create udev rules
[14:03] <jdstrand> it is more than just udev
[14:03] <ogra_> inside the kernel snap ?
[14:03] <ogra_> where would they end up ?
[14:03] <zyga> ogra_: inside /lib/udev/rules.d
[14:03] <ogra_> there is no bind mounting or anything for the location they would need
[14:03] <jdstrand> zyga: those rules don't do DAC permissions
[14:03] <ogra_> zyga: that would just be ignored at snap install time
[14:03] <jdstrand> zyga: the interface udev rules are only for tagging
[14:03] <zyga> ogra_: oh, I didn't knowthat
[14:04] <jdstrand> I suspect this is a device that won't be covered by the existing implementation
[14:04] <jdstrand> I asked for more information in the bug
[14:04] <zyga> jdstrand: hmmm, it depends on what we need to do
[14:04] <zyga> jdstrand: how is this different from /dev/ic2-1
[14:04] <zyga> jdstrand: (which worked okay)
[14:04] <ogra_> zyga: like you cant ship the kernel config in /boot/config-$uname today ...
[14:04] <zyga> (roughly 2/3 months ago)
[14:04] <jdstrand> but I suspect /dev/vchiq is something like all the android specific devices on Touch and simply needs to be granted to all apps somehow. we'll see
[14:05] <zyga> jdstrand: AFAIR /dev/vchiq is pi specific but perhaps I just know wrong
[14:05] <ogra_> jdstrand: it is a rpi only device afaik
[14:05] <jdstrand> zyga: if you read the bug, the bug says a) they used hw-assign (it is gone) and b) after using hw-assign, the perms are 600
[14:05] <zyga> ogra_: I used interfaces to "hw-assign" /dev/i2c-1 to my snap
[14:05] <jdstrand> 'a' would need to be solved with interfaces. 'b' cannot currently
[14:05] <ogra_> zyga: and thats fine
[14:05] <sborovkov> jdstrand: I am not sure what it does exactly, but it's needed for h/w decoding on RPI
[14:06] <zyga> jdstrand: that's my earlier bug, remember when I said non-background apps should have a chmodded /dev/*
[14:06] <zyga> jdstrand: it works if you are a service
[14:06] <zyga> jdstrand: (you run as root, the tagging does the rest)
[14:06]  * ogra_ still thinks that needs solving on a kernel level first
[14:06] <jdstrand> we can't just chmod stuff
[14:06] <zyga> jdstrand: I argued that we should chmod the device to 666 if it's tagged
[14:06] <zyga> (in the cgroup)
[14:06] <jdstrand> I know you did
[14:06] <jdstrand> that isn't the right solution
[14:06] <jdstrand> it is too simple
[14:06] <ogra_> why not use udev-acl here ?
[14:07] <ogra_> and ship a udev rule for ti
[14:07] <zyga> jdstrand: too simple and thus too open or what?
[14:07] <jdstrand> it might be ok for this device, but it might not be for another device
[14:07] <ogra_> *it
[14:07] <zyga> jdstrand: if there's no tagging there's no cgroup, no chmod
[14:07] <zyga> jdstrand: if there's tagging it is precisely because we want to allow access to the device
[14:07] <jdstrand> I know, but just because it is tagged doesn't mean non-root should have access
[14:07] <jdstrand> maybe it should. maybe it shouldn't
[14:07] <zyga> jdstrand: plus remember that we can always apparmor-away all bits we don't want
[14:07] <zyga> jdstrand: I remember the discussion, I know it's still an open question
[14:08] <zyga> jdstrand: but it somewhat feels like policykit discussion we had with gustavo a while aog
[14:08] <zyga> ago*
[14:08] <zyga> jdstrand: when it's granted, it should be just allowed
[14:08] <zyga> jdstrand: still, that's my 0.02
[14:08] <jdstrand> and I maintain my objection to the simplistic approach
[14:09] <jdstrand> we captured this in that doc a while ago. we can pick it up at another time
[14:09] <zyga> jdstrand: given that if we say you cannot open without root, anyone can just ship a service that exposes it
[14:09] <zyga> jdstrand: so I'd say it's not security but obfuscation at some level
[14:09] <zyga> jdstrand: sounds good
[14:09] <jdstrand> only if you assign it to the root service
[14:10] <zyga> jdstrand: you assign it to a snap, what the snap author does is not something we control
[14:10] <jdstrand> there's a lot of things to consider
[14:10] <zyga> jdstrand: if it is assigned to a non-root cli tool then it's still under our control via the cgroup
[14:10] <jdstrand> I understand what you are saying
[14:11] <jdstrand> but the security policy is something that uses DAC as well as our sandbox
[14:11] <zyga> sorry, I'm not trying to convince you, I'm just arguing because I think there's no extra security in this mode and I'm hoping you will show me I'm wrong :)
[14:11] <jdstrand> we need to be extremely careful
[14:11] <zyga> agreed
[14:12] <jdstrand> especially when moving forward with multi-user, Ubuntu Personal and if we ever do opt-in per-app UIDs
[14:12] <jdstrand> there is a lot to consider
[14:12] <jdstrand> anyway, I can't consider all of this right this second-- I have meetings to attend to and PRs to review
[14:12] <jdstrand> :)
[14:12] <zyga> sure, no worries
[14:18] <sborovkov> Alright guys, I am gonna come back in few days and ask you again about this. If there is no solution in sight I can use custom kernel snap/whatever I guess - though it would be very nice if it's possible to upgrade in the future to stock ones without reflashing SD cards
[14:32] <dragly> Has there been any updates on accessing OpenGL in snaps? Last week I forgot to issue a bug report after I last talked on this channel about the trouble I had with Snapcraft+Qt+OpenGL on Nvidia hardware.
[14:35] <dragly> I tried the ubuntu-clock-app example now, and I still get the "Unrecognized OpenGL version" error when running it after installation. Should I file a bug report or is this already fixed in a newer version of snapcraft? I'm using 2.8.4.
[14:37] <zyga> dragly: there were no changes on the desktop that are released yet, we are working on the first SRU now
[14:37] <zyga> dragly: though I'm not sure if that particular bug is fixed there already (it might be)
[14:39] <dragly> anything in "proposed", or do I need to clone the repo to see if it has been fixed?
[14:42] <kgunn> here's a bug link to track that
[14:42] <kgunn> https://bugs.launchpad.net/snappy/+bug/1574851
[14:46] <sergiusens> jdstrand hello! Can I inject raw apparmor to test something out somehow? hint, relate to /dev/shm
[14:46] <zyga> sergiusens: maybe
[14:46] <zyga> sergiusens: I can help you out
[14:46] <zyga> sergiusens: do the connection and all the other stuff you want
[14:47] <zyga> sergiusens: then edit /var/lib/snapd/apparmor/profiles/*
[14:47] <sergiusens> zyga k, thanks
[14:47] <zyga> sergiusens: then run apparmor_parser -r /path/to/that/file
[14:47] <zyga> sergiusens: that should do the trick
[14:47] <zyga> sergiusens: just keep in mind that various operations will erase that change
[14:48] <sergiusens> zyga do I need to run anything after editing?
[14:49] <kgunn> ok, i'm stuck with https://pastebin.canonical.com/155621/
[14:49] <zyga> sergiusens: apparmor_parser -r
[14:49] <zyga> sergiusens: on the file
[14:49] <zyga> sergiusens: to actually load it
[14:49] <kgunn> basically says it can't find mir-server when it's clearly part of the smae
[14:49] <kgunn> *snap
[14:50] <sergiusens> zyga says already loaded, how do I unload?
[14:50] <kgunn> and this used to "just work"
[14:50] <zyga> sergiusens: -r reloads it
[14:51] <zyga> technically -r is replace
[14:51] <zyga> so just -r :)
[14:53] <dragly> kgunn: Thanks! I'll subscribe to the bug.
[14:55] <kgunn> sergiusens: mvo i feel like this might be more in your wheelhouse, my mir-server.snap used to work & unchanged, i add mir i/f to builtin, mir snap installs...i see mir-server:mir in plug list
[14:55] <kgunn> but then it fails with https://pastebin.canonical.com/155621/
[14:56] <kgunn> saying it can't find mir-server which i can very well navigate to the current snap and see it there
[14:56] <kgunn> did some pathing assumptions possibly change?
[14:57] <asac> ogra_: whats that image?
[14:58] <morphis> jdstrand: what about leaving the discussion to make that network-manager interface working on desktop up to another PR?
[14:58] <ogra_> asac, THATS A GADGET WITH WROKING SERIAL
[14:58] <asac> ogra_: ah... well, i cant use udf still :/
[14:58] <ogra_> EEEK
[14:58] <asac> need full blown images
[14:58] <asac> hehe
[14:58]  * ogra_ whacks his caps key
[14:58] <jdstrand> morphis: I'm fine with that so long as there is a note in the PR about it (or even in the policy)
[14:58]  * jdstrand was just going be what niemeyer asked for
[14:59] <jdstrand> s/be/by/
[14:59] <kgunn> so, using $SNAP_APP_PATH in my files, is that correct? or did it change to something like $SNAP
[14:59] <morphis> jdstrand: yeah, commented for him on the PR about that
[14:59] <jdstrand> kgunn: those changed
[14:59] <morphis> niemeyer: would that be ok for you?
[14:59] <jdstrand> kgunn: SNAP is install, SNAP_DATA is /var, SNAP_USER_DATA is /home
[14:59] <kgunn> jdstrand: thanks
[15:00] <jdstrand> kgunn: I often find myself using 'hello-world.env|grep SNAP' :)
[15:00] <kgunn> jdstrand: i presume that's on a wiki somewhere and i just got lulled into previous glory/success :)
[15:00] <sergiusens> kgunn its just $SNAP
[15:00] <kgunn> thanks guys
[15:00] <jdstrand> kgunn: I'm not sure of that. the docs are in the process of being updated. dpm may have more details
[15:04] <dpm> jdstrand, kgunn, I'm missing some context on what you're trying to do, but that might help in the meantime: http://askubuntu.com/questions/762354/where-can-ubuntu-snaps-write-data/762405#762405
[15:04] <kgunn> dpm: thanks...was just sharing i was lost :)
[15:04] <kgunn> i was still using snap_app_path
[15:05] <kgunn> didn't realize it changed
[15:05] <jdstrand> dpm: we were talking about the status of the docs wrt 16 changes (of which env vars is one part)
[15:05] <asac> kgunn: hello-world.env is your friend :)
[15:06] <asac> oh that was already suggested
[15:06] <asac> hehe
[15:07] <kgunn> asac: that's ok, it helps me to be told more than once :-P
[15:10] <asac> lol
[15:11] <qengho> kgunn: I wish the Lint tool warned about using deprecated environment variables.
[15:11] <asac> kgunn: also hello-world.sh is neat... you end up in a shell inside the app sandbox, so you get a live feel what it means to live in a box :)
[15:11]  * asac hopes kgunn learned at least something on top now :)
[15:18] <mvo> kgunn: sorry, was in a meeting. I think the error you see is fixed in master but not yet in the distro, we want to sru this RSN but it is not done yet
[15:19] <didrocks1> ogra_: stupid questions, but where are the fresh vm images for ubuntu core series 16?
[15:29] <sergiusens> jdstrand hey, I wrote an email to the list, mostly intended for you; maybe I am just too ignorant on many things I mention but wanted to get the ball rolling
[15:30] <sergiusens> kgunn I've been adding an app to my apps called "shell" with the same plugs as the ones I want to test
[15:32] <didrocks1> mvo: hey, do we have any equivalent of snappy list -u/-v ?
[15:33] <mvo> didrocks1: not yet, but please file a bug and we prioritize it
[15:34] <didrocks> mvo: ok, I think it's the same for rollback and such, isn't it? (I remember there was a set-versions or whatsoever)
[15:35] <mvo> didrocks: yes
[15:36] <didrocks> ricmm: that's going to make our script about rollback for FTF harder ^ :p
[15:39] <didrocks> mvo: bug #1577439 and bug #1577441 (trying to point the next important show we have in it, but I know the timeline is short)
[15:47] <slvn> jdstrand, the two bugs are https://bugs.launchpad.net/snapcraft/+bug/1575582 and https://bugs.launchpad.net/snapcraft/+bug/1577333
[15:54] <ogra_> didrocks, onyl kvm currently (with the normal amd64 image) for vbox you would have to convert yourself ...
[15:58] <didrocks> ogra_: do you have any link?
[15:58] <didrocks> I looked on cdimage, but only find the preinstalled file system
[15:58] <didrocks> no .img
[16:15] <ogra_> didrocks, nothing beyond mvo's all-snaps dir, we still have no official 16.04 snappy alpha yet
[16:15] <didrocks> ogra_: ok, that confirms it! Thanks :)
[16:16] <zyga> re
[17:27]  * zyga pushed a nice refactor branch https://github.com/ubuntu-core/snappy/pull/1114
[17:32] <zyga> morphis: I'm done with my current track, I can now look at dbus and quoting what's required
[17:33] <zyga> morphis: anything else I can help you with?
[17:44] <kyrofa> tyhicks, jdstrand https://code.launchpad.net/~kyrofa/ubuntu-core-launcher/create_user_common_data/+merge/293555 is ready for a look when you're able
[17:50] <zyga> kyrofa: some of the error messages confuse allocating memory for filesystem operation failures
[17:50] <zyga> confuse as in the error message might be confusing
[17:52] <kyrofa> zyga, well remember it results in perror
[17:52] <zyga> +	char *common_user_data = calloc(common_user_length, 1);
[17:52] <zyga> +	if (common_user_data == NULL) {
[17:52] <zyga> +		die("failed to create user common data directory");
[17:53] <zyga> + }
[17:53] <zyga> that's clearly confusing IMHO
[17:53] <zyga> that's failed to allocate memory, not create anything
[17:53] <kyrofa> zyga, the error message will actually say "failed to create user common data directory: out of memory" (or something similar)
[17:53] <zyga> hmmm
[17:53] <zyga> I see
[17:53] <kyrofa> zyga, I didn't want the message to say "unable to allocate memory: out of memory" :P
[17:54] <ogra_> needs to be prefixed with "success:"
[17:54] <kyrofa> Hahaha
[17:58]  * ogra_ sighs ... so it seems jdstrand made the german news with the ubuntu-core-launcher fix ...
[17:58] <ogra_> top story at heise.de today ... "another insecurity in snap packages"
[17:58] <jdstrand> the joys of open source :)
[17:59] <ogra_> i wish i knew why they dislike us so much recently ...
[17:59] <jdstrand> hopefully they reported that it was discovered internally and fixed within a day of discovery
[17:59] <ogra_> nope
[18:01] <ogra_> wow, google translate makes it nearly unreadable ...
[18:02] <ogra_> https://translate.google.com/translate?sl=de&tl=en&js=y&prev=_t&hl=de&ie=UTF-8&u=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fmeldung%2FErnste-Sicherheitsluecke-in-Ubuntus-neuem-Paketformat-Snap-geschlossen-3195532.html&edit-text=
[18:04] <jdstrand> heh
[18:04] <jdstrand> it was fairly even until the end. then there was an axe to gring
[18:04] <jdstrand> grind
[18:05] <ogra_> Upon connection of mount points a clerical error resulted in the source code means that the launcher was placed with a correspondingly adapted package name to execute arbitrary code
[18:05] <ogra_> rrright
[18:07] <jdstrand> well, I said even, not accurate :)
[18:07] <ogra_> heh
[18:07] <jdstrand> they were pretty close
[18:08] <ogra_> yeah, the german sentence is fine there ...
[18:35] <sergiusens> jdstrand ok so I created #1577514
[18:36]  * sergiusens should probably reply to the ML as well
[18:57] <sergiusens> jdstrand ok just to add to the bucket list I've expanded https://bugs.launchpad.net/snappy/+bugs?field.tag=snapd-interface by 4
[19:11]  * zyga soft-EODs
[19:36] <jdstrand> sergiusens: thanks
[19:39] <jdstrand> sergiusens: two of those are already fixed in trunk
[19:40] <sergiusens> jdstrand sounds good; just wanted to be torough
[19:40] <jdstrand> np
[20:34] <kgunn> jdstrand: curious one, so i'm getting this denial https://pastebin.canonical.com/155642/ but i have "/run/udev/data/* r," in my slotAA
[20:41] <sergiusens> kgunn you might be hit by that snapd bug where you need to remove a snap before installing it again
[20:41] <kgunn> sergiusens: i am uninstalling my snap in between
[20:41] <kgunn> snap remove mir-server
[20:42] <kgunn> i installed with --devmode and it actually launched
[20:42] <kgunn> so now just trying to go through the aa/seccomp dance
[20:50] <palerider> well, this looks popular...
[20:53] <sergiusens> kgunn I don't know how to answer your problem except rinse and repeat
[20:54] <kgunn> right, sergiusens, i just thot that specifically having   "/run/udev/data/* r," in my slotAA would have taken care of the denials that appeared...
[20:55] <kgunn> also i had that in my aa from the beginning
[20:55] <kgunn> so wasn't like i added it
[20:55] <kgunn> to suppress those
[21:59] <jdstrand> kgunn: that should be allowed by that rule. perhaps the slot didn't connect (ie, the policy isn't in the profile in /var/lib/snapd/apparmor/profiles/...)
[22:02] <kgunn> jdstrand: so i just grepped it
[22:02] <kgunn> /var/lib/snapd/apparmor/profiles/snap.mir-server.mir-server:246:  #   /run/udev/data/* r,
[22:02] <kgunn> i presume the # is not a good sign
[22:03] <jdstrand> kgunn: no. there is a comment about it in the default policy. looks like your slot side didn't connect
[22:03] <jdstrand> for your slot side udev apparmor rule
[22:04] <jdstrand> (ie, don't be confused be the comment-- your rules 'simply' didn't connect
[22:04] <jdstrand> )
[22:06] <kgunn> jdstrand: so what should i look at now?
[22:08] <jdstrand> kgunn: is the slot side configured to auto-connect?
[22:08] <jdstrand> I thihnk the bluez interface was set to autoconnect
[22:08] <jdstrand> let me look
[22:08] <kgunn> jdstrand: no i'm not autoconnect
[22:08] <jdstrand> otherwise, you could snap remove mit and then install
[22:08] <kgunn> (i think)
[22:11] <jdstrand> no, bluez isn't
[22:12] <kgunn> jdstrand: but, just thinking about it... should mir be autoconnect?
[22:12] <jdstrand> well, I'm not sure what the design is supposed to be here
[22:13] <jdstrand> I mean, to me it would make sense that the permanent slot policy would autoconnect
[22:13] <jdstrand> since it is, well, permanent
[22:14] <jdstrand> kgunn: are you still using the trick I gave about putting it in the slot connection portion of the code or is it actually in the slot permanent part?
[22:15] <jdstrand> kgunn: regardless, to unblock yourself, you can look at built/opengl.go and set autoConnect: true in your NewMirInterface() which would hopefully unblock you until zyga is back
[22:17] <kgunn> jdstrand: right, so i'm actually permanent slot atm
[22:17] <jdstrand> kgunn: ok, that's good (in that that is what it should be)
[22:17] <kgunn> exactly
[22:18] <jdstrand> try playing with autoConnect or moving it to connected slot and doing a manual connect to unblock yourself for the time being
[22:18] <kgunn> ok np
[22:18] <jdstrand> but we need zyga again
[22:18] <kgunn> i mean i can run it with --devmode, so i'm really just wanting to work through doing it the "right way"
[22:18] <kgunn> thanks again :)
[22:19]  * jdstrand nods
[22:19] <jdstrand> np
[23:51] <example6> Hello everyone. I'm trying to make a _very_ basic snap consisting of nothing but a few shell scripts. I'm using just the 'copy' plugin to put everything in place, but it doesn't seem to be creating a .snap file OR moving any of the relevant files into snap/