/srv/irclogs.ubuntu.com/2018/08/09/#snappy.txt

=== amurray` is now known as amurray
mborzecki	morning	05:06
=== chihchun_afk is now known as chihchun
mborzecki	mvo: morning, i'm working with interfaces repo now, do you know if plug/slot ordering is of importance there?	06:13
mvo	mborzecki: unfortunately I don't	06:17
mvo	mborzecki: what are we currently doing?	06:17
mborzecki	mvo: the Slots()/Plugs() methods of repo do sorting by plug and snap name, with instance names looking like foo_bar the plugs/slots from instance snaps are always sorted after the regular ones	06:18
mvo	mborzecki: aha, right. I think its fine but lets validate with zyga	06:20
mborzecki	mvo: ok	06:20
mborzecki	btw. DeepEquals tends to blow up in those repo test when there's a mismatch	06:21
mvo	mborzecki: blow up in what way?	06:21
mvo	mborzecki: isn't the new diff stuff helping?	06:21
mvo	mborzecki: or not good enough?	06:21
mborzecki	mvo: the test binary is oom killed	06:21
mvo	mborzecki: woah	06:21
mborzecki	mvo: oh, maybe it's the diff	06:21
mborzecki	sie 09 08:09:15 corsair kernel: Out of memory: Kill process 27003 (interfaces.test) score 685 or sacrifice child	06:23
mborzecki	sie 09 08:09:15 corsair kernel: Killed process 27003 (interfaces.test) total-vm:8926256kB, anon-rss:8325200kB, file-rss:4kB, shmem-rss:5400kB	06:23
zyga	Good morning	06:26
mborzecki	zyga: hey, how's flock?	06:27
zyga	mvo, mborzecki: how can I help?	06:27
zyga	mborzecki: very interesting	06:27
zyga	I will write my day one report after breakfast	06:27
mborzecki	zyga: quick question, do you know whether the ordering of results in interface repo .Plugs()/Slots() method of impotance? with instances named foo_bar they get always sorted after non instance-keyed snaps	06:28
zyga	It was just designed to be deterministic	06:29
zyga	If you want to change that please look at how the results are used	06:29
zyga	Some code relies on this fact	06:29
=== iliv_ is now known as iliv
* zyga uploads fedora29 snap again		06:59
zyga	(with some workarounds)	06:59
zyga	ok, it just failed on type: base and some setuid root executables	07:00
zyga	mvo: I'll neuter all the +s flags for now	07:00
zyga	mvo: and re-upload	07:00
zyga	would you be OK acking the snap with just the type: base violation?	07:01
mvo	zyga: ok	07:04
mvo	zyga: sure, should be ifne	07:04
=== chihchun is now known as chihchun_afk
zyga	mvo: https://dashboard.snapcraft.io/snaps/fedora29/revisions/3/	07:11
zyga	mvo: I don't know how to request manual review otherwise	07:11
mvo	zyga: its in	07:12
zyga	awesome, thank you!	07:12
=== pstolowski\|afk is now known as pstolowski
pstolowski	mornings	07:17
mborzecki	pstolowski: heya	07:19
sil2100	mvo: hey! Can you upload the pi3 image somewhere for me to look at? Need to confirm something	07:32
sil2100	mvo: a fresh pi3 image at best	07:32
sil2100	(unconfigured yet)	07:32
mvo	sil2100: sure, let me look at this	07:41
zyga	mvo: hey,	07:45
zyga	mvo_: can you please do a small test for me	07:46
zyga	mvo_: would you mind trying the fedora29 snap (--edge) and then hello-fedora snap (stable) to see if it works on your system	07:46
mvo	zyga: http://paste.ubuntu.com/p/97KmYZft6S/	07:50
=== Fearful is now known as Guest30827
zyga	woah, interesting	07:50
mvo	sil2100: uploading	07:50
zyga	thank you, I need to think about this now	07:50
zyga	mvo: did you have any magic environment set up, LD_PRELOAD for instance?	07:51
mvo	zyga: I'm not aware of any, there is a defualt LD_PRELOAD for some window decration stuff but that is harmless	07:51
zyga	aha	07:52
Son_Goku	yay, the first time when we have incompatible ABI signatures :D	07:52
zyga	the path is interesting	07:52
mvo	zyga: I think if you symlink /var/lib/snapd/snap to /snap in the fedora base things will work	07:52
zyga	why: /var/lib/snapd/snap/hello-fedora/4/meta/snap.yaml	07:52
mvo	zyga: because snap-exec detects its inside fedora	07:52
mvo	zyga: and it expects the fedora layout	07:52
Son_Goku	mvo, that shouldn't be necessary, though?	07:52
zyga	hmm	07:53
mvo	zyga: thats my guess at least	07:53
Son_Goku	zyga: mvo is actually correct	07:53
* zyga explores		07:53
Son_Goku	we actually discovered this the first time I was working on this last year	07:53
Son_Goku	that's why mvo sent me a patch for my tool to actually add that	07:53
mvo	Son_Goku: I did? woah, I don't even remember	07:53
Son_Goku	yeah	07:53
zyga	I'm not sure that's really the case yet	07:54
Son_Goku	the one and only time you've ever sent me a patch ;)	07:54
mvo	cough	07:54
* mvo hugs Son_Goku		07:54
sil2100	mvo: thank you!	07:54
zyga	mvo: does snap run --shell hello-fedora also fail?	07:54
Son_Goku	mvo, this was all you: https://gitlab.com/Conan_Kudo/snapcore-mkrpmdistcoresnap/blob/master/mkrpmdistcoresnap#L122-132 ;)	07:54
mvo	zyga: yes, in the same way	07:54
zyga	ok, thank you	07:54
* zyga tries something		07:54
mvo	sil2100: please try http://people.canonical.com/~mvo/tmp/pi-kiosk.img	07:55
zyga	it's a bug in snap-confine	07:57
zyga	I will work around it for now	07:57
zyga	uh	07:58
zyga	not easy	07:59
* zyga needs to think		07:59
mborzecki	zyga: isn't that the same thing that we had on amazon?	08:06
mborzecki	zyga: fwiw 'Hello Fedora!' here on arch	08:10
mborzecki	pstolowski: https://github.com/snapcore/snapd/pull/5614	08:14
pstolowski	mborzecki: will do	08:16
zyga	mborzecki: thank you :)	08:17
zyga	mborzecki: I think there are issues when we mis-identify things in snap-confine	08:17
zyga	my preference is that all bases agree that /snap exists	08:17
zyga	not as a symlink	08:17
zyga	and snaps are mounted there	08:17
zyga	oh well	08:18
zyga	I need to move now, I'll check back soon	08:18
mborzecki	zyga: sounds like we could teach s-c a new trick	08:19
zyga	What is on your mind mborzecki ?	08:32
mborzecki	2018-08-09 09:04:40 Cannot allocate google:ubuntu-16.04-32: cannot perform Google request: Get https://www.googleapis.com/compute/v1/projects/computeengine/zones: oauth2: cannot fetch token: Post https://accounts.google.com/o/oauth2/token: net/http: TLS handshake timeout	09:08
mvo	stgraber: hey, if you are around, is there a way to set "lxc.aa_profile=unconfinged" with lxd 3.0? trying my detection code currently and my machines are all bionic already	11:10
=== Mikaela_ is now known as Mikaela
=== Mikaela_ is now known as Mikaela
mborzecki	pstolowski: https://github.com/snapcore/snapd/pull/5616 ifacestate fix	11:24
pstolowski	looking	11:24
pstolowski	+1	11:27
zyga	o/	11:37
* Son_Goku waves		11:38
mborzecki	another simple review https://github.com/snapcore/snapd/pull/5619 (cc pstolowski )	11:57
pstolowski	mborzecki: on it, does it pass all unit tests?	11:59
mborzecki	pstolowski: yes	12:01
pstolowski	awesome	12:01
pstolowski	i was afarid we accidently relied on it somewhere :/	12:01
mborzecki	heh, i hope not :)	12:02
=== pstolowski is now known as pstolowski\|lunch
zyga	mborzecki: hey	12:25
mborzecki	zyga: hm?	12:26
zyga	I have a patch coming up, just fighting github auth	12:26
zyga	one moment :)	12:26
zyga	t's the fix we were talking about	12:26
mborzecki	ah, ok	12:26
zyga	mborzecki: https://github.com/snapcore/snapd/pull/5620	12:38
zyga	have a look	12:38
zyga	with this the hello-fedora snap should work on ubuntu	12:38
mborzecki	zyga: yeah, +1 as far as I'm concerned	12:44
zyga	I'm adding a spread test	12:51
zyga	and one more patch	12:51
zyga	mborzecki: I pushed two more patches	12:56
zyga	can you sanity check them please	12:56
zyga	niemeyer: once you have some time it would be good to update spread snap, it's out of date and cannot even parse our spread.yaml now	13:27
=== pstolowski\|lunch is now known as pstolowski
mborzecki	pstolowski: spread test for interfaces https://paste.ubuntu.com/p/PmJdPvR2hp/ (amazingly this all works locally, even with the content provider)	13:49
pstolowski	mborzecki: nice, will take a look, ty	13:50
zyga	mborzecki: really nice :D	13:52
zyga	can someone manually run tests against https://github.com/snapcore/snapd/pull/5620	13:52
zyga	for some ballpark works/doesn't qualification	13:53
zyga	ubuntu + fedora + that one new test	13:53
zyga	I don't have a working spread setup here	13:56
zyga	I'll check back later in case anyone does o/	13:56
mvo	zyga: /proc/self/attr/current is "unconfined" in my container when it can't load apparmor profiles with apparmor_parser -a	13:57
mvo	zyga: I will use a workaround and prepare a pr	13:58
stgraber	mvo: lxc.apparmor.profile=unconfined	13:58
mvo	stgraber: thank you!	14:00
mborzecki	zyga: running on ubuntu 18.04, fedora & arch	14:02
zyga	mborzecki: thank you	14:03
zyga	mvo: interesting	14:04
zyga	mvo: and when you load a profile, what happens?	14:04
zyga	what is the error you get	14:04
zyga	mvo: and what is the profile of snapd from _outside_	14:04
zyga	or profile of bash inside a container	14:04
zyga	stgraber: does that also disable stacking or is stacking controlled with a separate knob?	14:05
stgraber	zyga: that also disables stacking	14:07
zyga	stgraber: I see	14:08
zyga	stgraber: does lxd use something other than apparmor?	14:08
zyga	seccomp?	14:08
stgraber	zyga: so in that case, you're not confined but also don't have mac_admin/mac_override so can't affect the host apparmor namespace	14:08
zyga	ah	14:08
zyga	I see	14:08
stgraber	zyga: we have seccomp too, yeah, and caps	14:08
zyga	and libcap cannot tell that?	14:08
zyga	I mean, can we ask the kernel about our caps/	14:08
zyga	instead of loading a profile	14:08
mvo	zyga: hm, from outside it is also unconfined afaict	14:08
zyga	mvo: yes, that's consistent and expected based on what stgraber said	14:09
mborzecki	zyga: 2018-08-09 16:12:05 Successful tasks: 3	14:12
zyga	mborzecki: thank you!	14:21
zyga	mvo: another data point: gconv translation functions for fringe encodings are huge	14:21
zyga	and I suspect we need at most 2-3	14:22
mborzecki	pstolowski: i've pushed the spread to the integration branch right here https://github.com/snapcore/snapd/pull/5596/commits/f846ea192d89f98c4b8c8b4036a935ef47589e53	14:31
zyga	mvo: can you please ensure that the patch I sent is in 2.35	14:37
zyga	it's pretty essential for now	14:37
kyrofa	Hey mvo, did you manage to make any progress on discovering apparmor capabilities in snapd?	14:39
mvo	kyrofa: yes	14:40
mvo	kyrofa: I have a reproducer and work on code now	14:40
kyrofa	mvo, ah, wonderful!!	14:44
zyga	Chipaca: fun bug: snap refresh --jailmode doesn't	15:32
zyga	it's not switching it	15:32
Chipaca	zyga: fun bug: neither does --devmode nor --classic	15:32
Chipaca	zyga: you could almost say it might not be a bug :-D	15:32
zyga	Chipaca: snap install --jailmode foo refuses to work when foo is classic!	15:32
Chipaca	zyga: (OTOH if we don't do anything maybe we should error or sth)	15:32
Chipaca	zyga: at your request iirc	15:33
zyga	Chipaca: just dropping a note in case I forget, live feedback from flock	15:33
Chipaca	:-) nice	15:33
Chipaca	zyga: keep 'em coming	15:33
sil2100	mvo: hmmm, would you be able to somehow get on a pi3 core18 running system and find me all the .yaml files that are on there? Since something's really fishy around here	15:36
sil2100	mvo: I unpacked and checked the image you gave me and found nothing suspicious - the only way console-conf could put the 'set-name' into the config is by copying it over from the source configs	15:38
sil2100	mvo: and there's just one source config on the squashfs that I see and it's correct	15:38
sil2100	hmm, let me try one more thing though	15:38
mvo	sil2100: this bug prevents logging in so its slightly tricky, what I did was pulling out the sd card and mount it after I interacted with the system. does that work or are there still no files in there if you do that?	15:39
sil2100	mvo: wait one more moment, I'll get back to you once I check something else out on the filesystem	15:40
zyga	kyrofa: hey	15:41
zyga	kyrofa: can you please try building github.com/davdunc/aws-cli-snap please	15:42
zyga	kyrofa: we're hitting an issue where apt fails on lack of --allow-unauthenticated	15:42
zyga	kyrofa: is there a cache with a choot container or something	15:42
zyga	kyrofa: can we clean something on the host	15:43
zyga	kyrofa: to "maybe" fix it?	15:43
jdstrand	mvo: hi! are you planning a 2.34.4? this is in 2.34 branch, but not 2.34.3 snap/deb: https://github.com/snapcore/snapd/pull/5579	15:50
mvo	jdstrand: the plan is to have a beta of 2.35 soon (today or tomorrow moring). no further plans for 2.34 unless something critical somes up	15:55
jdstrand	well, that works too	15:55
mvo	cachio: the lxd test currently only runs on 16.04-32 - can we enable it again on more arches?	15:56
jdstrand	mvo: I've got some profile updates that I'd like in 2.35. when do you need them by?	15:56
jdstrand	mvo: early next week is best for me, but if required, I can do it sooner	15:56
mvo	jdstrand: the first beta goes out this week but profile updates are fine until it hits candidate so at least a week	15:56
mvo	jdstrand: next week is fine	15:56
jdstrand	ok, perfect	15:57
jdstrand	mvo: thanks!	15:57
mvo	jdstrand: we will just need to cherry-pick them	15:57
mvo	jdstrand: thank you	15:57
mvo	kyrofa: fix is ready I'm just working on the spread test now but manual testing looked good	15:57
jdstrand	mvo: that socketcall PR. should I target it to 2.35 too? it isn't pressing to me personally so long as it gets into trunk, but not sure of the relationship between 2.35 and core18 images	16:01
mvo	jdstrand: please target it	16:03
jdstrand	mvo: ok	16:04
kyrofa	mvo, that's great! Let me know if I can help	16:04
mvo	jdstrand: what apparmor permissions are needed for doing "aa_kernel_interface_new()"?	16:05
cachio	mvo, I forgot to share the errors	16:08
cachio	https://paste.ubuntu.com/p/JRt3rkPTgY/	16:08
mvo	cachio: ta	16:08
cachio	mvo, I am working in other set based on test fails	16:09
=== pstolowski is now known as pstolowski\|afk
* Chipaca kicks travis		16:10
Chipaca	ok, i'm off to the shops, I'll be back later to see if it's progressed	16:11
Chipaca	ttfn	16:11
jdstrand	mvo: otoh, I don't know. the minimal most restricted set of rules on a 4.15 kernel is: https://paste.ubuntu.com/p/FjSxZ5pbwb/	16:20
jdstrand	mvo: you could reduce the /sys/kernel/security/apparmor/... down to '/sys/kernel/security/apparmor/{,**} r,'	16:20
jdstrand	but I did it that way to see all the accesses	16:21
mvo	jdstrand: thanks, I will push a PR shortly and will ask for advice	16:21
jdstrand	mvo: now, that is a simple 'run apparmor_parser under apparmor' test	16:22
mvo	jdstrand: https://github.com/snapcore/snapd/pull/5621 <- is where I need it, hope this all makes sense. and also I wonder if there is a better way	16:22
jdstrand	mvo: DAC and profile stacking are going to be involved for more complicated things	16:23
mvo	jdstrand: maybe I can use aa-status instead of apparmor_parser in the go code, that seems to be less noisy	16:23
mvo	jdstrand: yeah, this is really just so that we can detect if all looks well but in fact its not	16:24
jdstrand	mvo: aa-status is definitely recommended, cause it will be updated to support new things. do note, it is python3	16:25
mvo	jdstrand: yeah, thats downside, I could create a small helper c-binary around aa_kernel_interface_new()	16:25
jdstrand	it is interestingly bi-lingual and will run under py2. but that is neither here nor there and just fun trivia	16:25
mvo	jdstrand: :)	16:25
jdstrand	mvo: aa-status is not actually terribly smart. does it return non-zero in the case you are looking at?	16:27
jdstrand	mvo: I ask, cause you could implement its dumb test in Go I suspect (though again, you'd take on the maintenance burden of that)	16:28
sil2100	mvo: sucks that I don't have a raspi3 - I know that's probably a lot to ask, especially because of the size, but you think it would be possible for you to tar up the contents of the filesystem from the SD card after the invalid config is up and share it somewhere? Might make things easier for me to debug	16:30
ogra	sil2100, you should really get one and expense the 30€ :)	16:32
sil2100	ogra: I think I'll just do that indeed, not the first time I'm poking on the raspi3	16:32
sil2100	hmmm	16:32
* sil2100 goes check on that		16:33
ogra	its not like it is super expensive or so	16:33
mvo	jdstrand: thanks, I will think a bit about it	16:35
mvo	sil2100: lets debug that tomorrow then, I can help. plus buying/expensing one is probably fine	16:36
mvo	kyrofa: pr#5621 but its a bit of a can of worms, so not sure if this will not need some more iterations	16:36
jdstrand	mvo: is it only that you don't have mac_admin?	16:37
ogra	they probably only gave him pc_admin :P	16:37
ogra	(SCNR .... the heat and such)	16:38
jdstrand	mvo: see my comments in the PR and this: https://paste.ubuntu.com/p/cTTqxwJpqf/	16:55
kyrofa	jdstrand, this brief conversation might be helpful for reference: https://irclogs.ubuntu.com/2018/08/08/%23ubuntu-devel.html#t14:35	16:56
kyrofa	(regarding mac_admin)	16:57
mvo	jdstrand: I'm not sure this is observable from inside the container	17:01
zyga	Hey	17:01
mvo	jdstrand: I tried looking at /proc/self/status and CapEff in there and AFAICT I have the right bits	17:02
* zyga is resting after a very hot and busy day		17:02
jdstrand	mvo: you mean the kernel is telling you that you have mac_admin but you do not?	17:02
mvo	jdstrand: correct, again with the caveat that I'm not an expert on this (yet)	17:03
mvo	jdstrand: I have not used pscap for this, just the status file in proc but let me check with pscap	17:03
jdstrand	mvo: well, I'm not either, but that sounds wrong...	17:03
mvo	jdstrand: note this is inside an lxd container	17:03
* zyga tunes in		17:03
mvo	jdstrand: and lxd itself restricts this cap (again AIUI)	17:04
jdstrand	tyhicks: hi! would it surprise you if inside a container, it reports having mac_admin but in reality, it does not?	17:04
zyga	Kernel bugs, you tiny little kernel bugs, where are you? ;-)	17:04
jdstrand	tyhicks: (see backscroll for context)	17:04
mvo	jdstrand: I just ran pscap and mac_admin is availalbe for everything. yet when I try to load a profile (empty) I get permission denied	17:06
mvo	jdstrand: see the PR for how to construct such a test case, but its pretty simple	17:06
jdstrand	tyhicks: mvo's observance sounds like a bug ^. is it?	17:06
jdstrand	observation*	17:07
jdstrand	mvo: so, loading a profile is certanly one way to do it, but that will spam the logs	17:08
jdstrand	mvo: I suspect there is an easier way	17:08
mvo	jdstrand: (very) open for ideas	17:09
jdstrand	let me try some things	17:09
jdstrand	I could see having mac_admin in the container and the wrapping apparmor profile denying it, but I thought the container was unconfined... maybe I misread somethign	17:10
jdstrand	tyhicks: fyi ^	17:10
mvo	jdstrand: the container is unconfined	17:11
jdstrand	mvo: is this a new issue or are you trying to enable some tests that never ran/always failed before	17:11
mvo	jdstrand: aiui lxd will take away (drop) cap_mac_admin (and override) in this case when running things	17:11
mvo	jdstrand: this is an old bug but we never tried to fix it	17:11
mvo	jdstrand: it was not even understood	17:11
jdstrand	oh, yeah, well, that would explain it I guess	17:11
mvo	jdstrand: we got reports about this from various people but never looked into it until recently when iirc mborzecki and kyrofa at the same time came up with this failure	17:12
kyrofa	Yeah, this is an unprivileged lxc container with apparmor disabled, lxc doesn't want to make the host apparmor available	17:12
kyrofa	Which makes sense given that it's still unprivileged	17:13
jdstrand	tyhicks: nm	17:16
jdstrand	mvo: I think if you open() /sys/kernel/security/apparmor/.remove, then write something valid (eg, "profile canary-blah {}"), then close the fd, you'll get permission denied	17:49
jdstrand	mvo: ie, use lowlevel calls to perform an atomic write on a profile that isn't loaded in the kernel	17:50
jdstrand	mvo: err, ie, use lowlevel calls to perform an atomic write on the .remove file to try to remove a profile that isn't loaded in the kernel	17:51
jdstrand	mvo: with mac_admin, you'd get ENOENT	17:54
jdstrand	mvo: eg:	17:56
zyga	Mvo: I would suggest to use a profile name like snap.system.canary	17:56
jdstrand	$ sudo bash -c "echo canary >/sys/kernel/security/apparmor/.remove"	17:56
jdstrand	bash: line 0: echo: write error: No such file or directory	17:57
jdstrand	[1]	17:57
jdstrand	$ sudo aa-exec -p test -- bash -c "echo canary >/sys/kernel/security/apparmor/.remove"	17:57
jdstrand	bash: line 0: echo: write error: Permission denied	17:57
jdstrand	[1]	17:57
zyga	Because we “own” that namespace	17:57
jdstrand	zyga: do we own the 'system' snap?	17:57
jdstrand	zyga: I mean, maybe snap.core.canary	17:58
zyga	Yes	17:58
zyga	We reserved system	17:58
jdstrand	well, whatever, so long as it doesn't accidentally remove something	17:58
* zyga cannot stand the weather today		18:01
zyga	It’s 8PM but the temperature outside is the same as at noon	18:01
kyrofa	zyga, tail end of summer, hang on	18:02
kyrofa	Almost through	18:02
kyrofa	I hate it, too	18:02
cachio	zyga, hey	18:11
cachio	I see a weird error on core18	18:11
cachio	some tests	18:11
mvo	jdstrand: thanks for your suggestion in the PR - should I do the loading in the C code as well or just in the go code?	18:11
cachio	fail when we do MATCH 'xxx' < file	18:12
cachio	zyga, but if we do cat file \| MATCH 'xxxx'	18:12
cachio	works	18:12
cachio	zyga, any idea which could be the reason?	18:12
mvo	cachio: that sounds like the subshell issue we found some days ago	18:12
mvo	cachio: https://github.com/snapcore/spread/pull/67 maybe?	18:13
cachio	mvo, ahhhh	18:13
jdstrand	mvo: actually, I just found something even simpler	18:13
jdstrand	https://github.com/snapcore/snapd/pull/5621/comment#issuecomment-411848548	18:13
cachio	mvo, let me test it, I already have the spread with your change	18:13
jdstrand	mvo: ^	18:13
mvo	jdstrand: nice!	18:14
mvo	jdstrand: thats easy enough from both C and go	18:14
kyrofa	jdstrand, nice find	18:14
jdstrand	mvo: yes. what is interesting is that a mac_admin denial is not triggered by that (you don't need mac_admin to read that file)	18:16
jdstrand	mvo: but you do need to be root	18:16
jdstrand	mvo: (even though the perms are listed as 444)	18:16
cachio	mvo, this fix the issue	18:16
cachio	thanks	18:16
mvo	jdstrand: interessting. is this a reliable test. you write that you don't need mac_admin to read that file?	18:17
jdstrand	mvo: so this is DAC that is preventing it. while I'm root in the container, the container is running as non-root. non-root can't access the file	18:17
mvo	jdstrand: my tst container runs as root - or are you saying it drops root at some point?	18:18
kyrofa	jdstrand, does that test pass in a normal, unpriv container?	18:18
kyrofa	(without apparmor disabled)	18:18
jdstrand	kyrofa: yes	18:18
jdstrand	root@xenial-unconfined:~# cat /sys/kernel/security/apparmor/profiles	18:19
jdstrand	cat: /sys/kernel/security/apparmor/profiles: Permission denied	18:19
kyrofa	But you're still not root	18:19
jdstrand	that's true. interesting	18:19
jdstrand	that also feels like a bug	18:19
mvo	jdstrand: I like this because a) simple b) no log spam - is it reliable, i.e. I hope it won't be "fixed" at some point :)	18:19
mvo	jdstrand: but I would definitely like to have a way that avoids the log spam	18:20
jdstrand	mvo: the .remove of a non-existent profile would avoid log spam	18:20
jdstrand	mvo: and is a true mac_admin test	18:20
mvo	jdstrand: cool, then I will go with this - should I do the same in the C code?	18:21
mvo	jdstrand: actually I think there is no log spam there	18:21
jdstrand	mvo: what do you mean no log spam?	18:21
jdstrand	where?	18:21
mvo	jdstrand: will update the (go) code now to use the removal of a non-exiting profile - I will just create a random strings	18:22
mvo	jdstrand: I had to update snap-confine as well	18:22
mvo	jdstrand: to detect if apparmor is fully usable	18:22
mvo	jdstrand: but the C code does not log anything so that should be ok(?)	18:23
jdstrand	mvo: I'm confused by this conversation, but if you write a non-existent profile name to /sys/kernel/security/apparmor/.remove, you will get an ENOENT when have mac_admin, and EPERM or EACCES if you don't. in neither case will there be a log entry	18:23
jdstrand	(I say 'or' cause otoh I don't know which)	18:24
jdstrand	mvo: in your current implementation, you are successfully loading a valid profile. that will create an entry in the audit subsystem. then you remove it, and it will create a second entry for that	18:25
jdstrand	mvo: I was wondering why you are updating both snap-confine and go code?	18:26
mvo	jdstrand: sorry for the confusion. the go check is needed to ensure that snapd does not try to load the apprarmor profiles it generates into the kernel (which will fail)	18:29
jdstrand	and snap-confine is for change_onexec	18:29
mvo	jdstrand: the snap-confine code needs updating because it has its own detection for apparmor and if it detects that is has apparmor it will set aa_change_on_exec() which will fail too	18:30
jdstrand	since the profile isn't there	18:30
jdstrand	right	18:30
jdstrand	ok	18:30
mvo	jdstrand: well, even if it is it can't change it, right?	18:30
mvo	jdstrand: or does not not require privs?	18:30
mvo	jdstrand: in any case, yes, its not there as well :)	18:30
jdstrand	mvo: it doesn't need mac_admin to change profiles, but it can't change profiles if the profile isn't loaded	18:30
mvo	jdstrand: gotcha, thanks!	18:31
jdstrand	mvo: the .remove that you are going with (which I think is fine), is a bit of a hack. can you add a comment on why you are doing it that way?	18:31
mvo	jdstrand: sure	18:31
jdstrand	thanks	18:31
cachio	mvo, in core18 when we get the snap env	18:41
cachio	the SNAP_INSTANCE_xxx are not there	18:41
cachio	this is making fail the test snap-env	18:41
mvo	jdstrand: I pushed an update to the PR	18:57
mvo	jdstrand: I will read comments in the PR - thanks for all your help!	18:59
* mvo calls it a day		18:59
zyga	why is ubuntu-image crashing lately?	19:31
=== phillid is now known as Guest12690
jdstrand	stgraber: hey, on a 4.15 kernel (bionic), if I have an apparmor denial in the the container's policy, where would I see that logged? journald isn't showing me what I expect	19:58
stgraber	jdstrand: I'd expect it to hit the kernel log which may or may not be readable by the container	19:59
jdstrand	ok, I was looking on the host	19:59
jdstrand	stgraber: otoh, with lxc.apparmor.profile=unconfined, should I see that in the container?	20:01
stgraber	well, with that in place you shouldn't be able to get any denial because there'd be no apparmor in place	20:01
jdstrand	stgraber: but there is a lxd-xenial-unconfined profile. what is that for?	20:02
stgraber	when you use raw.lxc you play behind LXD's back, so LXD doesn't know the profile it's generating won't be used	20:03
jdstrand	I see	20:03
jdstrand	stgraber: ok, do you have an idea why cat /sys/kernel/security/apparmor/profiles gets an EACCES with:	20:04
jdstrand	config:	20:04
jdstrand	raw.lxc: \|	20:04
jdstrand	lxc.apparmor.profile=unconfined	20:04
jdstrand	lxc exec xenial-unconfined -- cat /sys/kernel/security/apparmor/profiles	20:04
jdstrand	cat: /sys/kernel/security/apparmor/profiles: Permission denied	20:04
stgraber	is that container unprivileged?	20:04
jdstrand	stgraber: yes	20:04
stgraber	then that's normal	20:05
stgraber	unprivileged users can't read that file	20:05
jdstrand	but they can	20:05
stgraber	stgraber@castiana:~$ cat /sys/kernel/security/apparmor/profiles	20:05
stgraber	cat: /sys/kernel/security/apparmor/profiles: Permission denied	20:05
jdstrand	there is something weird going on. let me paste	20:05
stgraber	jdstrand: if you're in a normal container, you can because an apparmor namespace is setup	20:06
stgraber	jdstrand: well, root in the container can	20:06
stgraber	but in this case, you're in an unprivileged container without an apparmor namespace, so you have as much right as a nobody user on the host	20:06
jdstrand	stgraber: https://paste.ubuntu.com/p/4FzwpSFs2B/	20:07
jdstrand	stgraber: ah, ok, that explains it then	20:08
jdstrand	stgraber: thanks!	20:08
zyga	jdstrand: hey	20:27
zyga	jdstrand: can you please (if possible) whitelist fedora29 as "type: base"	20:27
zyga	jdstrand: I pushed a pair of revisions just now	20:29
zyga	jdstrand: if you cannot make that permanent please at least ack those two	20:29
jdstrand	zyga: who is responsible for that base?	20:39
zyga	jdstrand: currently just me, we are working with the fedora server SIG to transfer it over and they are happy to take it	20:39
zyga	jdstrand: I just need it for a talk tomorrow	20:39
zyga	(I'm at a fedora conference this week)	20:40
zyga	jdstrand: it won't go to stable before the hand off	20:41
jdstrand	zyga: I'll approve it since you did it, but we have no process surrounding base snap reviews, so that should be discussed in the forum with niemeyer's input	20:41
zyga	I don't disagree, it's the first of the kind so we need to figure out the process	20:42
zyga	next week we should all be back	20:42
zyga	so we can discuss	20:42
jdstrand	sounds fine	20:42
zyga	thanks!	20:42
zyga	thank you, I just published both to edge	20:50
jdstrand	np	20:50
zyga	I will publish the code for making those now	20:50
ogra	hrm ... i wish snap find had a "by interface" search function	20:55
jdstrand	that would be handy	20:55
ogra	yeah	20:55
zyga	ogra: check out fedora29	20:56
zyga	18M	20:56
ogra	?	20:56
zyga	base snap :)	20:56
ogra	as broekn as core 18 ? like ... missing everything useful ? :P	20:56
ogra	(does it ship vi ? :) )	20:57
zyga	ogra: it doesn't ship vi, it's not a boot snap	20:57
zyga	it's just a base snap for apps	20:57
zyga	it ships a lot of locale actually	20:57
zyga	there's a hello-fedora snap as well but you need for a PR to land to use it	20:57
ogra	for what ?	20:57
zyga	I mean, there's a demo snap works on top of fedora29 now	20:58
zyga	but it is broken on ubuntu because of a bug this uncovered	20:58
zyga	and we need for a PR to land to fix that	20:58
ogra	well, congrats in any case !	20:58
zyga	ogra: there's more	20:58
zyga	opensuse is next	20:58
* ogra twiddles thumbs watching store downloads at 400kB/s		20:59
zyga	as in, we have a +1 from sysrich	20:59
ogra	yay	20:59
zyga	ogra: wanna see how it's made?	20:59
ogra	is there a GH tree to look at ?	21:00
ogra	(not right now, but i'd indeed like to take a look)	21:00
zyga	I'm making a new repo for it	21:00
zyga	though not on GH, fedora loves other places (gitlab)	21:00
ogra	heh, well	21:00
ogra	some git web UI ...	21:01
ogra	man ... thats so annoying	21:01
ogra	why is the store so super slow at times	21:02
ogra	booo !	21:05
* ogra installed qemu-git just to find it is also compiled without sdl or gtk support ...		21:05
ogra	i was kind of hoping it had some advantage over the archive qemu except being newer	21:05
ogra	grrr ... and no -redir ...	21:06
zyga	ogra: do you have air conditioning at home?	21:10
zyga	ogra: this hotel is a bit quaint it that it ... doesn't	21:10
zyga	everyone is melting this week	21:10
ogra	nope, like most gerans i dont have air conditioning	21:11
ogra	*germans	21:11
ogra	we do have 60cm brock walls ...	21:11
ogra	*brick	21:11
zyga	ogra: yeah, same in poland	21:12
zyga	this summer is tough	21:12
ogra	they are usually good enough for 30+ C for two weeks with keeping the heat out	21:12
zyga	all the media markts sell AC now	21:12
zyga	and I'm seriously considering one	21:12
zyga	but first I need to get home :)	21:12
ogra	but this was 8 weeks without rain and constantly above 25	21:13
zyga	I hope my next flight through FRA won't be this interesting	21:13
ogra	so now, even we had big thinderstorms today and it cooled down a bit, the house now is an oven	21:13
ogra	fra was shut down again today	21:13
ogra	due to the heavy weather	21:14
ogra	and tomorrow ryanair pilots go on strike	21:14
ogra	the weekend will not be fun to fly through FRA for sure	21:14
ogra	zyga, when do you fly back ?	21:15
zyga	sunday	21:15
ogra	with luck it has somewhat settled then	21:15
ogra	the ryanair thing cancelled a few 100 flights ... people will be re-booked on other airlines ... so everything will be awfully crowded	21:16
ogra	and there is still the fallout from today too ...	21:16
ogra	ogra@acheron:~/Devel/anbox$ qemu-git.qemu-system-x86-64 -m 4096 -vga virtio /home/ogra/Devel/anbox/anbox-image.img	21:17
ogra	qemu-system-x86_64: -vga virtio: Could not open '/home/ogra/Devel/anbox/anbox-image.img': Permission denied	21:17
ogra	ARGH !	21:17
ogra	no home interface ...	21:17
ogra	ogra@acheron:~/Devel/anbox$ qemu-git.qemu-system-x86-64 -m 4096 -vga virtio /home/ogra/snap/qemu-git/current/anbox-image.img	21:22
ogra	...	21:22
ogra	qemu: could not load PC BIOS 'bios-256k.bin'	21:22
ogra	GRRRRR !	21:22
* ogra ponders to make a proper qemu snap in the weekend		21:23
ogra	how annoying	21:23
zyga	ogra: that would be useful :)	21:23
ogra	zyga, well, there is one ... even from a canonical employee it seems	21:24
ogra	but last touched 16 months ago and only in beta/edge	21:24
zyga	I was looking for JDK as a snap today	21:24
ogra	well, thats quickly and trivially snapped	21:24
ogra	just a stage-package entry and some file copying	21:25
* ogra goes back to battle with the deb qemu version then		21:27
ogra	... i know why i prefer arm boards ... so much easier :P	21:28
zyga	ogra: https://gitlab.com/zygoon/fedora29	21:58
zyga	jdstrand: ^ FYI	21:59
jdstrand	cool	21:59
ogra	nice, pretty straightforward ...	22:16
zyga	jdstrand: could you re-approve fedora29 uploads please, that's the last time for today	22:52
zyga	jdstrand: I had to work around a bug that is present in released versions	22:52
zyga	jdstrand: they should now also work on Ubuntu if you want to try	22:56
zyga	jdstrand: (along with hello-fedora from stable or from candidate)	22:56
sergiusens	kenvandine: hey, when launching the simple-scan snap I get an endless loop of "cp: '/home/sergiusens/.config/user-dirs.locale' and '/home/sergiusens/.config/user-dirs.locale' are the same file	23:00
sergiusens	"	23:00
* zyga wonders if anyone apart from mvo and jdstrand can unblock store reviews		23:06

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!