[05:06] <mborzecki> morning
[06:13] <mborzecki> mvo: morning, i'm working with interfaces repo now, do you know if plug/slot ordering is of importance there?
[06:17] <mvo> mborzecki: unfortunately I don't
[06:17] <mvo> mborzecki: what are we currently doing?
[06:18] <mborzecki> mvo: the Slots()/Plugs() methods of repo do sorting by plug and snap name, with instance names looking like foo_bar the plugs/slots from instance snaps are always sorted after the regular ones
[06:20] <mvo> mborzecki: aha, right. I think its fine but lets validate with zyga
[06:20] <mborzecki> mvo: ok
[06:21] <mborzecki> btw. DeepEquals tends to blow up in those repo test when there's a mismatch
[06:21] <mvo> mborzecki: blow up in what way?
[06:21] <mvo> mborzecki: isn't the new diff stuff helping?
[06:21] <mvo> mborzecki: or not good enough?
[06:21] <mborzecki> mvo: the test binary is oom killed
[06:21] <mvo> mborzecki: woah
[06:21] <mborzecki> mvo: oh, maybe it's the diff
[06:23] <mborzecki> sie 09 08:09:15 corsair kernel: Out of memory: Kill process 27003 (interfaces.test) score 685 or sacrifice child
[06:23] <mborzecki> sie 09 08:09:15 corsair kernel: Killed process 27003 (interfaces.test) total-vm:8926256kB, anon-rss:8325200kB, file-rss:4kB, shmem-rss:5400kB
[06:26] <zyga> Good morning
[06:27] <mborzecki> zyga: hey, how's flock?
[06:27] <zyga> mvo, mborzecki: how can I help?
[06:27] <zyga> mborzecki: very interesting
[06:27] <zyga> I will write my day one report after breakfast
[06:28] <mborzecki> zyga: quick question, do you know whether the ordering of results in interface repo .Plugs()/Slots() method of impotance? with instances named foo_bar they get always sorted after non instance-keyed snaps
[06:29] <zyga> It was just designed to be deterministic
[06:29] <zyga> If you want to change that please look at how the results are used
[06:29] <zyga> Some code relies on this fact
[06:59]  * zyga uploads fedora29 snap again
[06:59] <zyga> (with some workarounds)
[07:00] <zyga> ok, it just failed on type: base and some setuid root executables
[07:00] <zyga> mvo: I'll neuter all the +s flags for now
[07:00] <zyga> mvo: and re-upload
[07:01] <zyga> would you be OK acking the snap with just the type: base violation?
[07:04] <mvo> zyga: ok
[07:04] <mvo> zyga: sure, should be ifne
[07:11] <zyga> mvo: https://dashboard.snapcraft.io/snaps/fedora29/revisions/3/
[07:11] <zyga> mvo: I don't know how to request manual review otherwise
[07:12] <mvo> zyga: its in
[07:12] <zyga> awesome, thank you!
[07:17] <pstolowski> mornings
[07:19] <mborzecki> pstolowski: heya
[07:32] <sil2100> mvo: hey! Can you upload the pi3 image somewhere for me to look at? Need to confirm something
[07:32] <sil2100> mvo: a fresh pi3 image at best
[07:32] <sil2100> (unconfigured yet)
[07:41] <mvo> sil2100: sure, let me look at this
[07:45] <zyga> mvo: hey,
[07:46] <zyga> mvo_: can you please do a small test for me
[07:46] <zyga> mvo_: would you mind trying the fedora29 snap (--edge) and then hello-fedora snap (stable) to see if it works on your system
[07:50] <mvo> zyga: http://paste.ubuntu.com/p/97KmYZft6S/
[07:50] <zyga> woah, interesting
[07:50] <mvo> sil2100: uploading
[07:50] <zyga> thank you, I need to think about this now
[07:51] <zyga> mvo: did you have any magic environment set up, LD_PRELOAD for instance?
[07:51] <mvo> zyga: I'm not aware of any, there is a defualt LD_PRELOAD for some window decration stuff but that is harmless
[07:52] <zyga> aha
[07:52] <Son_Goku> yay, the first time when we have incompatible ABI signatures :D
[07:52] <zyga> the path is interesting
[07:52] <mvo> zyga: I think if you symlink /var/lib/snapd/snap to /snap in the fedora base things will work
[07:52] <zyga> why: /var/lib/snapd/snap/hello-fedora/4/meta/snap.yaml
[07:52] <mvo> zyga: because snap-exec detects its inside fedora
[07:52] <mvo> zyga: and it expects the fedora layout
[07:52] <Son_Goku> mvo, that shouldn't be necessary, though?
[07:53] <zyga> hmm
[07:53] <mvo> zyga: thats my guess at least
[07:53] <Son_Goku> zyga: mvo is actually correct
[07:53]  * zyga explores
[07:53] <Son_Goku> we actually discovered this the first time I was working on this last year
[07:53] <Son_Goku> that's why mvo sent me a patch for my tool to actually add that
[07:53] <mvo> Son_Goku: I did? woah, I don't even remember
[07:53] <Son_Goku> yeah
[07:54] <zyga> I'm not sure that's really the case yet
[07:54] <Son_Goku> the one and only time you've ever sent me a patch ;)
[07:54] <mvo> *cough*
[07:54]  * mvo hugs Son_Goku 
[07:54] <sil2100> mvo: thank you!
[07:54] <zyga> mvo: does snap run --shell hello-fedora also fail?
[07:54] <Son_Goku> mvo, this was all you: https://gitlab.com/Conan_Kudo/snapcore-mkrpmdistcoresnap/blob/master/mkrpmdistcoresnap#L122-132 ;)
[07:54] <mvo> zyga: yes, in the same way
[07:54] <zyga> ok, thank you
[07:54]  * zyga tries something
[07:55] <mvo> sil2100: please try http://people.canonical.com/~mvo/tmp/pi-kiosk.img
[07:57] <zyga> it's a bug in snap-confine
[07:57] <zyga> I will work around it for now
[07:58] <zyga> uh
[07:59] <zyga> not easy
[07:59]  * zyga needs to think
[08:06] <mborzecki> zyga: isn't that the same thing that we had on amazon?
[08:10] <mborzecki> zyga: fwiw 'Hello Fedora!' here on arch
[08:14] <mborzecki> pstolowski: https://github.com/snapcore/snapd/pull/5614
[08:16] <pstolowski> mborzecki: will do
[08:17] <zyga> mborzecki: thank you :)
[08:17] <zyga> mborzecki: I think there are issues when we mis-identify things in snap-confine
[08:17] <zyga> my preference is that all bases agree that /snap exists
[08:17] <zyga> not as a symlink
[08:17] <zyga> and snaps are mounted there
[08:18] <zyga> oh well
[08:18] <zyga> I need to move now, I'll check back soon
[08:19] <mborzecki> zyga: sounds like we could teach s-c a new trick
[08:32] <zyga> What is on your mind mborzecki ?
[09:08] <mborzecki> 2018-08-09 09:04:40 Cannot allocate google:ubuntu-16.04-32: cannot perform Google request: Get https://www.googleapis.com/compute/v1/projects/computeengine/zones: oauth2: cannot fetch token: Post https://accounts.google.com/o/oauth2/token: net/http: TLS handshake timeout
[11:10] <mvo> stgraber: hey, if you are around, is there a way to set "lxc.aa_profile=unconfinged" with lxd 3.0? trying my detection code currently and my machines are all bionic already
[11:24] <mborzecki> pstolowski: https://github.com/snapcore/snapd/pull/5616 ifacestate fix
[11:24] <pstolowski> looking
[11:27] <pstolowski> +1
[11:37] <zyga> o/
[11:38]  * Son_Goku waves
[11:57] <mborzecki> another simple review https://github.com/snapcore/snapd/pull/5619 (cc pstolowski )
[11:59] <pstolowski> mborzecki: on it, does it pass all unit tests?
[12:01] <mborzecki> pstolowski: yes
[12:01] <pstolowski> awesome
[12:01] <pstolowski> i was afarid we accidently relied on it somewhere :/
[12:02] <mborzecki> heh, i hope not :)
[12:25] <zyga> mborzecki: hey
[12:26] <mborzecki> zyga: hm?
[12:26] <zyga> I have a patch coming up, just fighting github auth
[12:26] <zyga> one moment :)
[12:26] <zyga> t's the fix we were talking about
[12:26] <mborzecki> ah, ok
[12:38] <zyga> mborzecki: https://github.com/snapcore/snapd/pull/5620
[12:38] <zyga> have a look
[12:38] <zyga> with this the hello-fedora snap should work on ubuntu
[12:44] <mborzecki> zyga: yeah, +1 as far as I'm concerned
[12:51] <zyga> I'm adding a spread test
[12:51] <zyga> and one more patch
[12:56] <zyga> mborzecki: I pushed two more patches
[12:56] <zyga> can you sanity check them please
[13:27] <zyga> niemeyer: once you have some time it would be good to update spread snap, it's out of date and cannot even parse our spread.yaml now
[13:49] <mborzecki> pstolowski: spread test for interfaces https://paste.ubuntu.com/p/PmJdPvR2hp/ (amazingly this all works locally, even with the content provider)
[13:50] <pstolowski> mborzecki: nice, will take a look, ty
[13:52] <zyga> mborzecki: really nice :D
[13:52] <zyga> can someone manually run tests against https://github.com/snapcore/snapd/pull/5620
[13:53] <zyga> for some ballpark works/doesn't qualification
[13:53] <zyga> ubuntu + fedora + that one new test
[13:56] <zyga> I don't have a working spread setup here
[13:56] <zyga> I'll check back later in case anyone does o/
[13:57] <mvo> zyga: /proc/self/attr/current is "unconfined" in my container when it can't load apparmor profiles with apparmor_parser -a
[13:58] <mvo> zyga: I will use a workaround and prepare a pr
[13:58] <stgraber> mvo: lxc.apparmor.profile=unconfined
[14:00] <mvo> stgraber: thank you!
[14:02] <mborzecki> zyga: running on ubuntu 18.04, fedora & arch
[14:03] <zyga> mborzecki: thank you
[14:04] <zyga> mvo: interesting
[14:04] <zyga> mvo: and when you load a profile, what happens?
[14:04] <zyga> what is the error you get
[14:04] <zyga> mvo: and what is the profile of snapd from _outside_
[14:04] <zyga> or profile of bash inside a container
[14:05] <zyga> stgraber: does that also disable stacking or is stacking controlled with a separate knob?
[14:07] <stgraber> zyga: that also disables stacking
[14:08] <zyga> stgraber: I see
[14:08] <zyga> stgraber: does lxd use something other than apparmor?
[14:08] <zyga> seccomp?
[14:08] <stgraber> zyga: so in that case, you're not confined but also don't have mac_admin/mac_override so can't affect the host apparmor namespace
[14:08] <zyga> ah
[14:08] <zyga> I see
[14:08] <stgraber> zyga: we have seccomp too, yeah, and caps
[14:08] <zyga> and libcap cannot tell that?
[14:08] <zyga> I mean, can we ask the kernel about our caps/
[14:08] <zyga> instead of loading a profile
[14:08] <mvo> zyga: hm, from outside it is also unconfined afaict
[14:09] <zyga> mvo: yes, that's consistent and expected based on what stgraber said
[14:12] <mborzecki> zyga: 2018-08-09 16:12:05 Successful tasks: 3
[14:21] <zyga> mborzecki: thank you!
[14:21] <zyga> mvo: another data point: gconv translation functions for fringe encodings are huge
[14:22] <zyga> and I suspect we need at most 2-3
[14:31] <mborzecki> pstolowski: i've pushed the spread to the integration branch right here https://github.com/snapcore/snapd/pull/5596/commits/f846ea192d89f98c4b8c8b4036a935ef47589e53
[14:37] <zyga> mvo: can you please ensure that the patch I sent is in 2.35
[14:37] <zyga> it's pretty essential for now
[14:39] <kyrofa> Hey mvo, did you manage to make any progress on discovering apparmor capabilities in snapd?
[14:40] <mvo> kyrofa: yes
[14:40] <mvo> kyrofa: I have a reproducer and work on code now
[14:44] <kyrofa> mvo, ah, wonderful!!
[15:32] <zyga> Chipaca: fun bug: snap refresh --jailmode doesn't
[15:32] <zyga> it's not switching it
[15:32] <Chipaca> zyga: fun bug: neither does --devmode nor --classic
[15:32] <Chipaca> zyga: you  could almost say it might not be a bug :-D
[15:32] <zyga> Chipaca: snap install --jailmode foo refuses to work when foo is classic!
[15:32] <Chipaca> zyga: (OTOH if we don't do anything maybe we should error or sth)
[15:33] <Chipaca> zyga: at your request iirc
[15:33] <zyga> Chipaca: just dropping a note in case I forget, live feedback from flock
[15:33] <Chipaca> :-) nice
[15:33] <Chipaca> zyga: keep 'em coming
[15:36] <sil2100> mvo: hmmm, would you be able to somehow get on a pi3 core18 running system and find me all the .yaml files that are on there? Since something's really fishy around here
[15:38] <sil2100> mvo: I unpacked and checked the image you gave me and found nothing suspicious - the only way console-conf could put the 'set-name' into the config is by copying it over from the source configs
[15:38] <sil2100> mvo: and there's just one source config on the squashfs that I see and it's correct
[15:38] <sil2100> hmm, let me try one more thing though
[15:39] <mvo> sil2100: this bug prevents logging in so its slightly tricky, what I did was pulling out the sd card and mount it after I interacted with the system. does that work or are there still no files in there if you do that?
[15:40] <sil2100> mvo: wait one more moment, I'll get back to you once I check something else out on the filesystem
[15:41] <zyga> kyrofa: hey
[15:42] <zyga> kyrofa: can you please try building github.com/davdunc/aws-cli-snap please
[15:42] <zyga> kyrofa: we're hitting an issue where apt fails on lack of --allow-unauthenticated
[15:42] <zyga> kyrofa: is there a cache with a choot container or something
[15:43] <zyga> kyrofa: can we clean something on the host
[15:43] <zyga> kyrofa: to "maybe" fix it?
[15:50] <jdstrand> mvo: hi! are you planning a 2.34.4? this is in 2.34 branch, but not 2.34.3 snap/deb: https://github.com/snapcore/snapd/pull/5579
[15:55] <mvo> jdstrand: the plan is to have a beta of 2.35 soon (today or tomorrow moring). no further plans for 2.34 unless something critical somes up
[15:55] <jdstrand> well, that works too
[15:56] <mvo> cachio: the lxd test currently only runs on 16.04-32 - can we enable it again on more arches?
[15:56] <jdstrand> mvo: I've got some profile updates that I'd like in 2.35. when do you need them by?
[15:56] <jdstrand> mvo: early next week is best for me, but if required, I can do it sooner
[15:56] <mvo> jdstrand: the first beta goes out this week but profile updates are fine until it hits candidate so at least a week
[15:56] <mvo> jdstrand: next week is fine
[15:57] <jdstrand> ok, perfect
[15:57] <jdstrand> mvo: thanks!
[15:57] <mvo> jdstrand: we will just need to cherry-pick them
[15:57] <mvo> jdstrand: thank you
[15:57] <mvo> kyrofa: fix is ready I'm just working on the spread test now but manual testing looked good
[16:01] <jdstrand> mvo: that socketcall PR. should I target it to 2.35 too? it isn't pressing to me personally so long as it gets into trunk, but not sure of the relationship between 2.35 and core18 images
[16:03] <mvo> jdstrand: please target it
[16:04] <jdstrand> mvo: ok
[16:04] <kyrofa> mvo, that's great! Let me know if I can help
[16:05] <mvo> jdstrand: what apparmor permissions are needed for doing "aa_kernel_interface_new()"?
[16:08] <cachio> mvo, I forgot to share the errors
[16:08] <cachio> https://paste.ubuntu.com/p/JRt3rkPTgY/
[16:08] <mvo> cachio: ta
[16:09] <cachio> mvo, I am working in other set based on test fails
[16:10]  * Chipaca kicks travis
[16:11] <Chipaca> ok, i'm off to the shops, I'll be back later to see if it's progressed
[16:11] <Chipaca> ttfn
[16:20] <jdstrand> mvo: otoh, I don't know. the minimal most restricted set of rules on a 4.15 kernel is: https://paste.ubuntu.com/p/FjSxZ5pbwb/
[16:20] <jdstrand> mvo: you could reduce the /sys/kernel/security/apparmor/... down to '/sys/kernel/security/apparmor/{,**} r,'
[16:21] <jdstrand> but I did it that way to see all the accesses
[16:21] <mvo> jdstrand: thanks, I will push a PR shortly and will ask for advice
[16:22] <jdstrand> mvo: now, that is a simple 'run apparmor_parser under apparmor' test
[16:22] <mvo> jdstrand: https://github.com/snapcore/snapd/pull/5621 <- is where I need it, hope this all makes sense. and also I wonder if there is a better way
[16:23] <jdstrand> mvo: DAC and profile stacking are going to be involved for more complicated things
[16:23] <mvo> jdstrand: maybe I can use aa-status instead of apparmor_parser in the go code, that seems to be less noisy
[16:24] <mvo> jdstrand: yeah, this is really just so that we can detect if all looks well but in fact its not
[16:25] <jdstrand> mvo: aa-status is definitely recommended, cause it will be updated to support new things. do note, it is python3
[16:25] <mvo> jdstrand: yeah, thats downside, I could create a small helper c-binary around aa_kernel_interface_new()
[16:25] <jdstrand> it is interestingly bi-lingual and will run under py2. but that is neither here nor there and just fun trivia
[16:25] <mvo> jdstrand: :)
[16:27] <jdstrand> mvo: aa-status is not actually terribly smart. does it return non-zero in the case you are looking at?
[16:28] <jdstrand> mvo: I ask, cause you could implement its dumb test in Go I suspect (though again, you'd take on the maintenance burden of that)
[16:30] <sil2100> mvo: sucks that I don't have a raspi3 - I know that's probably a lot to ask, especially because of the size, but you think it would be possible for you to tar up the contents of the filesystem from the SD card after the invalid config is up and share it somewhere? Might make things easier for me to debug
[16:32] <ogra> sil2100, you should really get one and expense the 30€ :)
[16:32] <sil2100> ogra: I think I'll just do that indeed, not the first time I'm poking on the raspi3
[16:32] <sil2100> hmmm
[16:33]  * sil2100 goes check on that
[16:33] <ogra> its not like it is super expensive or so
[16:35] <mvo> jdstrand: thanks, I will think a bit about it
[16:36] <mvo> sil2100: lets debug that tomorrow then, I can help. plus buying/expensing one is probably fine
[16:36] <mvo> kyrofa: pr#5621 but its a bit of a can of worms, so not sure if this will not need some more iterations
[16:37] <jdstrand> mvo: is it only that you don't have mac_admin?
[16:37] <ogra> they probably only gave him pc_admin :P
[16:38] <ogra> (SCNR .... the heat and such)
[16:55] <jdstrand> mvo: see my comments in the PR and this: https://paste.ubuntu.com/p/cTTqxwJpqf/
[16:56] <kyrofa> jdstrand, this brief conversation might be helpful for reference: https://irclogs.ubuntu.com/2018/08/08/%23ubuntu-devel.html#t14:35
[16:57] <kyrofa> (regarding mac_admin)
[17:01] <mvo> jdstrand: I'm not sure this is observable from inside the container
[17:01] <zyga> Hey
[17:02] <mvo> jdstrand: I tried looking at /proc/self/status and CapEff in there and AFAICT I have the right bits
[17:02]  * zyga is resting after a very hot and busy day
[17:02] <jdstrand> mvo: you mean the kernel is telling you that you have mac_admin but you do not?
[17:03] <mvo> jdstrand: correct, again with the caveat that I'm not an expert on this (yet)
[17:03] <mvo> jdstrand: I have not used pscap for this, just the status file in proc but let me check with pscap
[17:03] <jdstrand> mvo: well, I'm not either, but that sounds wrong...
[17:03] <mvo> jdstrand: note this is inside an lxd container
[17:03]  * zyga tunes in
[17:04] <mvo> jdstrand: and lxd itself restricts this cap (again AIUI)
[17:04] <jdstrand> tyhicks: hi! would it surprise you if inside a container, it reports having mac_admin but in reality, it does not?
[17:04] <zyga> Kernel bugs, you tiny little kernel bugs, where are you? ;-)
[17:04] <jdstrand> tyhicks: (see backscroll for context)
[17:06] <mvo> jdstrand: I just ran pscap and mac_admin is availalbe for everything. yet when I try to load a profile (empty) I get permission denied
[17:06] <mvo> jdstrand: see the PR for how to construct such a test case, but its pretty simple
[17:06] <jdstrand> tyhicks: mvo's observance sounds like a bug ^. is it?
[17:07] <jdstrand> observation*
[17:08] <jdstrand> mvo: so, loading a profile is certanly one way to do it, but that will spam the logs
[17:08] <jdstrand> mvo: I suspect there is an easier way
[17:09] <mvo> jdstrand: (very) open for ideas
[17:09] <jdstrand> let me try some things
[17:10] <jdstrand> I could see having mac_admin in the container and the wrapping apparmor profile denying it, but I thought the container was unconfined... maybe I misread somethign
[17:10] <jdstrand> tyhicks: fyi ^
[17:11] <mvo> jdstrand: the container is unconfined
[17:11] <jdstrand> mvo: is this a new issue or are you trying to enable some tests that never ran/always failed before
[17:11] <mvo> jdstrand: aiui lxd will take away (drop) cap_mac_admin (and override) in this case when running things
[17:11] <mvo> jdstrand: this is an old bug but we never tried to fix it
[17:11] <mvo> jdstrand: it was not even understood
[17:11] <jdstrand> oh, yeah, well, that would explain it I guess
[17:12] <mvo> jdstrand: we got reports about this from various people but never looked into it until recently when iirc mborzecki and kyrofa  at the same time came up with this failure
[17:12] <kyrofa> Yeah, this is an unprivileged lxc container with apparmor disabled, lxc doesn't want to make the host apparmor available
[17:13] <kyrofa> Which makes sense given that it's still unprivileged
[17:16] <jdstrand> tyhicks: nm
[17:49] <jdstrand> mvo: I think if you open() /sys/kernel/security/apparmor/.remove, then write something valid (eg, "profile canary-blah {}"), then close the fd, you'll get permission denied
[17:50] <jdstrand> mvo: ie, use lowlevel calls to perform an atomic write on a profile that isn't loaded in the kernel
[17:51] <jdstrand> mvo: err, ie, use lowlevel calls to perform an atomic write on the .remove file to try to remove a profile that isn't loaded in the kernel
[17:54] <jdstrand> mvo: with mac_admin, you'd get ENOENT
[17:56] <jdstrand> mvo: eg:
[17:56] <zyga> Mvo: I would suggest to use a profile name like snap.system.canary
[17:56] <jdstrand> $ sudo bash -c "echo canary >/sys/kernel/security/apparmor/.remove"
[17:57] <jdstrand> bash: line 0: echo: write error: No such file or directory
[17:57] <jdstrand> [1]
[17:57] <jdstrand> $ sudo aa-exec -p test -- bash -c "echo canary >/sys/kernel/security/apparmor/.remove"
[17:57] <jdstrand> bash: line 0: echo: write error: Permission denied
[17:57] <jdstrand> [1]
[17:57] <zyga> Because we “own” that namespace
[17:57] <jdstrand> zyga: do we own the 'system' snap?
[17:58] <jdstrand> zyga: I mean, maybe snap.core.canary
[17:58] <zyga> Yes
[17:58] <zyga> We reserved system
[17:58] <jdstrand> well, whatever, so long as it doesn't accidentally remove something
[18:01]  * zyga cannot stand the weather today
[18:01] <zyga> It’s 8PM but the temperature outside is the same as at noon
[18:02] <kyrofa> zyga, tail end of summer, hang on
[18:02] <kyrofa> Almost through
[18:02] <kyrofa> I hate it, too
[18:11] <cachio> zyga, hey
[18:11] <cachio> I see a weird error on core18
[18:11] <cachio> some tests
[18:11] <mvo> jdstrand: thanks for your suggestion in the PR - should I do the loading in the C code as well or just in the go code?
[18:12] <cachio> fail when we do MATCH 'xxx' < file
[18:12] <cachio> zyga, but if we do cat file | MATCH 'xxxx'
[18:12] <cachio> works
[18:12] <cachio> zyga, any idea which could be the reason?
[18:12] <mvo> cachio: that sounds like the subshell issue we found some days ago
[18:13] <mvo> cachio: https://github.com/snapcore/spread/pull/67 maybe?
[18:13] <cachio> mvo, ahhhh
[18:13] <jdstrand> mvo: actually, I just found something even simpler
[18:13] <jdstrand> https://github.com/snapcore/snapd/pull/5621/comment#issuecomment-411848548
[18:13] <cachio> mvo, let me test it, I already have the spread with your change
[18:13] <jdstrand> mvo: ^
[18:14] <mvo> jdstrand: nice!
[18:14] <mvo> jdstrand: thats easy enough from both C and go
[18:14] <kyrofa> jdstrand, nice find
[18:16] <jdstrand> mvo: yes. what is interesting is that a mac_admin denial is not triggered by that (you don't need mac_admin to read that file)
[18:16] <jdstrand> mvo: but you do need to be root
[18:16] <jdstrand> mvo: (even though the perms are listed as 444)
[18:16] <cachio> mvo, this fix the issue
[18:16] <cachio> thanks
[18:17] <mvo> jdstrand: interessting. is this a reliable test. you write that you don't need mac_admin to read that file?
[18:17] <jdstrand> mvo: so this is DAC that is preventing it. while I'm root in the container, the container is running as non-root. non-root can't access the file
[18:18] <mvo> jdstrand: my tst container runs as root - or are you saying it drops root at some point?
[18:18] <kyrofa> jdstrand, does that test pass in a normal, unpriv container?
[18:18] <kyrofa> (without apparmor disabled)
[18:18] <jdstrand> kyrofa: yes
[18:19] <jdstrand> root@xenial-unconfined:~# cat /sys/kernel/security/apparmor/profiles
[18:19] <jdstrand> cat: /sys/kernel/security/apparmor/profiles: Permission denied
[18:19] <kyrofa> But you're still not root
[18:19] <jdstrand> that's true. interesting
[18:19] <jdstrand> that also feels like a bug
[18:19] <mvo> jdstrand: I like this because a) simple b) no log spam - is it reliable, i.e. I hope it won't be "fixed" at some point :)
[18:20] <mvo> jdstrand: but I would definitely like to have a way that avoids the log spam
[18:20] <jdstrand> mvo: the .remove of a non-existent profile would avoid log spam
[18:20] <jdstrand> mvo: and is a true mac_admin test
[18:21] <mvo> jdstrand: cool, then I will go with this - should I do the same in the C code?
[18:21] <mvo> jdstrand: actually I think there is no log spam there
[18:21] <jdstrand> mvo: what do you mean no log spam?
[18:21] <jdstrand> where?
[18:22] <mvo> jdstrand: will update the (go) code now to use the removal of a non-exiting profile - I will just create a random strings
[18:22] <mvo> jdstrand: I had to update snap-confine as well
[18:22] <mvo> jdstrand: to detect if apparmor is fully usable
[18:23] <mvo> jdstrand: but the C code does not log anything so that should be ok(?)
[18:23] <jdstrand> mvo: I'm confused by this conversation, but if you write a non-existent profile name to /sys/kernel/security/apparmor/.remove, you will get an ENOENT when have mac_admin, and EPERM or EACCES if you don't. in neither case will there be a log entry
[18:24] <jdstrand> (I say 'or' cause otoh I don't know which)
[18:25] <jdstrand> mvo: in your current implementation, you are successfully loading a valid profile. that will create an entry in the audit subsystem. then you remove it, and it will create a second entry for that
[18:26] <jdstrand> mvo: I was wondering why you are updating both snap-confine and go code?
[18:29] <mvo> jdstrand: sorry for the confusion. the go check is needed to ensure that snapd does not try to load the apprarmor profiles it generates into the kernel (which will fail)
[18:29] <jdstrand> and snap-confine is for change_onexec
[18:30] <mvo> jdstrand: the snap-confine code needs updating because it has its own detection for apparmor and if it detects that is has apparmor it will set aa_change_on_exec() which will fail too
[18:30] <jdstrand> since the profile isn't there
[18:30] <jdstrand> right
[18:30] <jdstrand> ok
[18:30] <mvo> jdstrand: well, even if it is it can't change it, right?
[18:30] <mvo> jdstrand: or does not not require privs?
[18:30] <mvo> jdstrand: in any case, yes, its not there as well :)
[18:30] <jdstrand> mvo: it doesn't need mac_admin to change profiles, but it can't change profiles if the profile isn't loaded
[18:31] <mvo> jdstrand: gotcha, thanks!
[18:31] <jdstrand> mvo: the .remove that you are going with (which I think is fine), is a bit of a hack. can you add a comment on why you are doing it that way?
[18:31] <mvo> jdstrand: sure
[18:31] <jdstrand> thanks
[18:41] <cachio> mvo, in core18 when we get the snap env
[18:41] <cachio> the SNAP_INSTANCE_xxx are not there
[18:41] <cachio> this is making fail the test snap-env
[18:57] <mvo> jdstrand: I pushed an update to the PR
[18:59] <mvo> jdstrand: I will read comments in the PR - thanks for all your help!
[18:59]  * mvo calls it a day
[19:31] <zyga> why is ubuntu-image crashing lately?
[19:58] <jdstrand> stgraber: hey, on a 4.15 kernel (bionic), if I have an apparmor denial in the the container's policy, where would I see that logged? journald isn't showing me what I expect
[19:59] <stgraber> jdstrand: I'd expect it to hit the kernel log which may or may not be readable by the container
[19:59] <jdstrand> ok, I was looking on the host
[20:01] <jdstrand> stgraber: otoh, with lxc.apparmor.profile=unconfined, should I see that in the container?
[20:01] <stgraber> well, with that in place you shouldn't be able to get any denial because there'd be no apparmor in place
[20:02] <jdstrand> stgraber: but there is a lxd-xenial-unconfined profile. what is that for?
[20:03] <stgraber> when you use raw.lxc you play behind LXD's back, so LXD doesn't know the profile it's generating won't be used
[20:03] <jdstrand> I see
[20:04] <jdstrand> stgraber: ok, do you have an idea why cat /sys/kernel/security/apparmor/profiles gets an EACCES with:
[20:04] <jdstrand> config:
[20:04] <jdstrand>   raw.lxc: |
[20:04] <jdstrand>     lxc.apparmor.profile=unconfined
[20:04] <jdstrand> lxc exec xenial-unconfined -- cat /sys/kernel/security/apparmor/profiles
[20:04] <jdstrand> cat: /sys/kernel/security/apparmor/profiles: Permission denied
[20:04] <stgraber> is that container unprivileged?
[20:04] <jdstrand> stgraber: yes
[20:05] <stgraber> then that's normal
[20:05] <stgraber> unprivileged users can't read that file
[20:05] <jdstrand> but they can
[20:05] <stgraber> stgraber@castiana:~$ cat /sys/kernel/security/apparmor/profiles
[20:05] <stgraber> cat: /sys/kernel/security/apparmor/profiles: Permission denied
[20:05] <jdstrand> there is something weird going on. let me paste
[20:06] <stgraber> jdstrand: if you're in a normal container, you can because an apparmor namespace is setup
[20:06] <stgraber> jdstrand: well, root in the container can
[20:06] <stgraber> but in this case, you're in an unprivileged container without an apparmor namespace, so you have as much right as a nobody user on the host
[20:07] <jdstrand> stgraber: https://paste.ubuntu.com/p/4FzwpSFs2B/
[20:08] <jdstrand> stgraber: ah, ok, that explains it then
[20:08] <jdstrand> stgraber: thanks!
[20:27] <zyga> jdstrand: hey
[20:27] <zyga> jdstrand: can you please (if possible) whitelist fedora29 as "type: base"
[20:29] <zyga> jdstrand: I pushed a pair of revisions just now
[20:29] <zyga> jdstrand: if you cannot make that permanent please at least ack those two
[20:39] <jdstrand> zyga: who is responsible for that base?
[20:39] <zyga> jdstrand: currently just me, we are working with the fedora server SIG to transfer it over and they are happy to take it
[20:39] <zyga> jdstrand: I just need it for a talk tomorrow
[20:40] <zyga> (I'm at a fedora conference this week)
[20:41] <zyga> jdstrand: it won't go to stable before the hand off
[20:41] <jdstrand> zyga: I'll approve it since you did it, but we have no process surrounding base snap reviews, so that should be discussed in the forum with niemeyer's input
[20:42] <zyga> I don't disagree, it's the first of the kind so we need to figure out the process
[20:42] <zyga> next week we should all be back
[20:42] <zyga> so we can discuss
[20:42] <jdstrand> sounds fine
[20:42] <zyga> thanks!
[20:50] <zyga> thank you, I just published both to edge
[20:50] <jdstrand> np
[20:50] <zyga> I will publish the code for making those now
[20:55] <ogra> hrm ... i wish snap find had a "by interface" search function
[20:55] <jdstrand> that would be handy
[20:55] <ogra> yeah
[20:56] <zyga> ogra: check out fedora29
[20:56] <zyga> 18M
[20:56] <ogra> ?
[20:56] <zyga> base snap :)
[20:56] <ogra> as broekn as core 18  ? like ... missing everything useful ? :P
[20:57] <ogra> (does it ship vi ? :) )
[20:57] <zyga> ogra: it doesn't ship vi, it's not a boot snap
[20:57] <zyga> it's just a base snap for apps
[20:57] <zyga> it ships a lot of locale actually
[20:57] <zyga> there's a hello-fedora snap as well but you need for a PR to land to use it
[20:57] <ogra> for what ?
[20:58] <zyga> I mean, there's a demo snap works on top of fedora29 now
[20:58] <zyga> but it is broken on ubuntu because of a bug this uncovered
[20:58] <zyga> and we need for a PR to land to fix that
[20:58] <ogra> well, congrats in any case !
[20:58] <zyga> ogra: there's more
[20:58] <zyga> opensuse is next
[20:59]  * ogra twiddles thumbs watching store downloads at 400kB/s
[20:59] <zyga> as in, we have a +1 from sysrich
[20:59] <ogra> yay
[20:59] <zyga> ogra: wanna see how it's made?
[21:00] <ogra> is there a GH tree to look at ?
[21:00] <ogra> (not right now, but i'd indeed like to take a look)
[21:00] <zyga> I'm making a new repo for it
[21:00] <zyga> though not on GH, fedora loves other places (gitlab)
[21:00] <ogra> heh, well
[21:01] <ogra> some git web UI ...
[21:01] <ogra> man ... thats so annoying
[21:02] <ogra> why is the store so super slow at times
[21:05] <ogra> booo !
[21:05]  * ogra installed qemu-git just to find it is also compiled without sdl or gtk support ... 
[21:05] <ogra> i was kind of hoping it had some advantage over the archive qemu except being newer
[21:06] <ogra> grrr ... and no -redir ...
[21:10] <zyga> ogra: do you have air conditioning at home?
[21:10] <zyga> ogra: this hotel is a bit quaint it that it ... doesn't
[21:10] <zyga> everyone is melting this week
[21:11] <ogra> nope, like most gerans i dont have air conditioning
[21:11] <ogra> *germans
[21:11] <ogra> we do have 60cm brock walls ...
[21:11] <ogra> *brick
[21:12] <zyga> ogra: yeah, same in poland
[21:12] <zyga> this summer is tough
[21:12] <ogra> they are usually good enough for 30+ C for two weeks with keeping the heat out
[21:12] <zyga> all the media markts sell AC now
[21:12] <zyga> and I'm seriously considering one
[21:12] <zyga> but first I need to get home :)
[21:13] <ogra> but this was 8 weeks without rain and constantly above 25
[21:13] <zyga> I hope my next flight through FRA won't be this interesting
[21:13] <ogra> so now, even we had big thinderstorms today and it cooled down a bit, the house now is an oven
[21:13] <ogra> fra was shut down again today
[21:14] <ogra> due to the heavy weather
[21:14] <ogra> and tomorrow ryanair pilots go on strike
[21:14] <ogra> the weekend will not be fun to fly through FRA for sure
[21:15] <ogra> zyga, when do you fly back ?
[21:15] <zyga> sunday
[21:15] <ogra> with luck it has somewhat settled then
[21:16] <ogra> the ryanair thing cancelled a few 100 flights ... people will be re-booked on other airlines ... so everything will be awfully crowded
[21:16] <ogra> and there is still the fallout from today too ...
[21:17] <ogra> ogra@acheron:~/Devel/anbox$ qemu-git.qemu-system-x86-64 -m 4096 -vga virtio /home/ogra/Devel/anbox/anbox-image.img
[21:17] <ogra> qemu-system-x86_64: -vga virtio: Could not open '/home/ogra/Devel/anbox/anbox-image.img': Permission denied
[21:17] <ogra> ARGH !
[21:17] <ogra> no home interface ...
[21:22] <ogra> ogra@acheron:~/Devel/anbox$ qemu-git.qemu-system-x86-64 -m 4096 -vga virtio /home/ogra/snap/qemu-git/current/anbox-image.img
[21:22] <ogra> ...
[21:22] <ogra> qemu: could not load PC BIOS 'bios-256k.bin'
[21:22] <ogra> GRRRRR !
[21:23]  * ogra ponders to make a proper qemu snap in the weekend 
[21:23] <ogra> how annoying
[21:23] <zyga> ogra: that would be useful :)
[21:24] <ogra> zyga, well, there is one ... even from a canonical employee it seems
[21:24] <ogra> but last touched 16 months ago and only in beta/edge
[21:24] <zyga> I was looking for JDK as a snap today
[21:24] <ogra> well, thats quickly and trivially snapped
[21:25] <ogra> just a stage-package entry and some file copying
[21:27]  * ogra goes back to battle with the deb qemu version then
[21:28] <ogra> ... i know why i prefer arm boards ... so much easier :P
[21:58] <zyga> ogra: https://gitlab.com/zygoon/fedora29
[21:59] <zyga> jdstrand: ^ FYI
[21:59] <jdstrand> cool
[22:16] <ogra> nice, pretty straightforward ...
[22:52] <zyga> jdstrand: could you re-approve fedora29 uploads please, that's the last time for today
[22:52] <zyga> jdstrand: I had to work around a bug that is present in released versions
[22:56] <zyga> jdstrand: they should now also work on Ubuntu if you want to try
[22:56] <zyga> jdstrand: (along with hello-fedora from stable or from candidate)
[23:00] <sergiusens> kenvandine: hey, when launching the simple-scan snap I get an endless loop of "cp: '/home/sergiusens/.config/user-dirs.locale' and '/home/sergiusens/.config/user-dirs.locale' are the same file
[23:00] <sergiusens> "
[23:06]  * zyga wonders if anyone apart from mvo and jdstrand can unblock store reviews