[00:18] <amurray> bandali: no, it just needs to be reviewed by the reviewers - I'll take a look this morning and cast my vote at least to keep it ticking along
[00:40] <mup> PR snapd#10202 closed: tests: new buckets for snapd-spread project on gce <Simple 😃> <Created by sergiocazzolato> <Merged by sergiocazzolato> <https://github.com/snapcore/snapd/pull/10202>
[02:01] <mup> PR snapd#10204 opened: o/servicestate/quota_control.go: introduce basic group manipulation methods <quota> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/10204>
[02:48] <bandali> amurray, gotcha, and thank you :-)
[03:34] <jamesh> amurray: when you've got some time, could you give some feedback on https://forum.snapcraft.io/t/proposal-add-polkit-and-polkit-agent-interfaces-to-snapd/23876?u=jamesh ?
[03:35] <jamesh> amurray: this is a proposal for a pair of interfaces to allow snaps to use polkit
[04:09] <amurray> jamesh: I'm just looking now :)
[04:10] <jamesh> thanks!
[04:28] <amurray> re the unix process subject type - as you said the base policy already allows `@{PROC}/@{pid}/stat r,` so this grants any snap the ability to read the start time of any other process on the system (assuming traditional DAC checks allow it) - so I think that this would be good to try and cover this use-case as well
[04:30] <jamesh> That allows a process to read its own information (i.e. through the /proc/self symlink)
[04:30] <jamesh> For servers using the unix process subject type, they would need to read that data for arbitrary processes
[04:32] <amurray> yes it does - there is no owner restriction on that rule and @{pid} is just a clumsy regex to match against any pid - so it should allow to read any processes start time
[04:32] <jamesh> hmm.  I thought it was a special token to match the current pid
[04:34] <amurray> unfortunately not - that would be nice if it was though - much more principle-of-least-privilege if it were
[04:34] <jamesh> okay, that makes things a bit simpler
[04:35] <jamesh> so a lot of the AppArmor rules in system_observe duplicate the base template
[04:36] <amurray> hmm I wonder if perhaps the base template has grown over time...
[04:37] <jamesh> but you're right: I can e.g. read /proc/1/stat from "snap run --shell chromium"
[04:38] <amurray> how do polkit rules files differ from policy? where/how is one used over the other?
[04:40] <jamesh> the XML .policy files can specify one of 6 default canned policies.  Anything more complicated than those policies needs to be specified via pkla files (Ubuntu/Debian) or Javascript rules files (most other distros)
[04:42] <jamesh> The implication of using the "yes" default policy (always allow) is that polkitd will always tell the server application that the client is authorised.
[04:43] <jamesh> If the actions are provided by the same package as the server, then this doesn't meaningfully reduce security: the server could just as easily have not used polkit
[04:47] <amurray> ok, so I am wondering whether either pkla files or rules allow to express anything more (in terms of authority) than the default policy? I am guessing this is "no" which means we are more worried about the js rules as an attack surface for the js parser itself etc rather than them allowing to specify outcomes that grant more authority than would otherwise be authorised - is that a fair characterisation?
[04:50] <jamesh> yes.  I can create a pkla file saying that only users who are members of a particular group are allowed to invoke a particular set of actions
[04:51] <jamesh> you've got a limited version of that in .policy files via "auth_admin" (where polkit is configured to consider some users to be administrators).  But if you wanted to use different group membership to gate different actions, you'd need to use pkla files or JS
[04:52] <jamesh> In general, it wasn't common for packages to provide pkla policy files.
[04:53] <jamesh> There's been more use of shipping default JavaScript policy files (look in /usr/share/polkit-1/rules.d on your system)
[04:54] <jamesh> But I don't even want to consider allowing snaps to be able to provide JS to be run by an unconfined system daemon
[04:54] <jamesh> (even if it wouldn't ever run on current Ubuntu releases)
[04:55] <amurray> yeah I noticed that - but I assume this is ignored as we don't ship the js backend in policykit
[04:56] <amurray> given we don't allow snaps to install man pages due to fears over untrusted input (personally I think the usability benefits outweigh any perceived security risk here) then it would be crazy to let them ship js policy
[04:57] <amurray> i'd be all for man pages in snaps being symlinked out to /usr/share/man or similar... lots of snaps ship them but they are not readily available...
[04:59] <jamesh> right.  That's why I thought it'd be better to ignore these more advanced policy configuration options: they won't work consistently across all distros, and it's harder to convince ourselves that they are safe
[05:05] <amurray> yep, that can be a problem for another day :)
[05:20] <jamesh> amurray: reading over /etc/apparmor.d/tunables/kernelvars, it sounds like @{pid} is intended to represent the current process but covers all processes now due to kernel limitations
[05:21] <jamesh> that kind of explains why we might have the /@{pid}/ vs. /*/ distinction in the base template and system-observe
[05:22] <amurray> jamesh: hmm I wonder if/when that were to change how many things would break due to the semantic difference... ok I'll keep that in mind.. we may want to add a rule then just for this to the polkit plug to allow this (/proc/*/stat r,)
[05:23] <jamesh> yep.  It's quite possible that if they were to implement kernel support, it would need to have a different name in the policy language
[05:24] <jamesh> or have some way to declare a version of the policy language
[07:01] <mvo> good morning!
[07:04] <pstolowski> morning
[07:04] <mvo> good morning pstolowski
[07:07] <mborzecki> pstolowski: mvo: morning
[07:11] <mvo> hey mborzecki !
[07:22] <mup> PR snapd#10199 closed: o/servicestate/quotas: add functions for getting and setting quotas in state <quota> <Created by anonymouse64> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10199>
[07:57] <mup> PR snapd#10205 opened: cmd/snap, client: snap remove-quota command <quota> <Created by stolowski> <https://github.com/snapcore/snapd/pull/10205>
[07:57] <pedronis> degville: hi, could you look at the help text in https://github.com/snapcore/snapd/pull/10196 when you have a moment
[07:57] <mup> PR #10196: o/devicestate,o/hookstate/ctlcmd: introduce SystemModeInfo methods and snapctl system-mode <Created by pedronis> <https://github.com/snapcore/snapd/pull/10196>
[08:20] <degville> pedronis: hello! Yes, of course.
[09:08] <pedronis> mvo: seems there's an order issue in the servicestate/quotas tests, that's why I got unit tests failures in my PR
[09:08] <pedronis> mvo: they are on master
[09:08] <pedronis> mvo: https://github.com/snapcore/snapd/pull/10196/checks?check_run_id=2455491426
[09:08] <mup> PR #10196: o/devicestate,o/hookstate/ctlcmd: introduce SystemModeInfo methods and snapctl system-mode <Created by pedronis> <https://github.com/snapcore/snapd/pull/10196>
[09:20] <mvo> pedronis: oh no! sorry for that
[09:21] <mvo> pedronis: are you on it or shall I?
[09:21] <pedronis> I'm on it
[09:22] <pedronis> mvo ^
[09:25] <mvo> ok
[09:51] <pedronis> mvo: https://github.com/snapcore/snapd/pull/10206
[09:51] <mup> PR #10206: o/servicestate: test has internal ordering issues, consider both cases <Test Robustness> <⚠ Critical> <Created by pedronis> <https://github.com/snapcore/snapd/pull/10206>
[09:52] <mup> PR snapd#10206 opened: o/servicestate: test has internal ordering issues, consider both cases <Test Robustness> <⚠ Critical> <Created by pedronis> <https://github.com/snapcore/snapd/pull/10206>
[09:59] <cjwatson> amurray: also I went to lots of effort to add apparmor and seccomp to man-db to mitigate all these (IMO overblown in this case anyway) fears about untrusted input.  Just hasn't been integrated on the snapd side yet
[10:02] <mup> PR snapd#10207 opened: vendor: bump github.com/canonical/go-tpm2 revision <Created by mvo5> <https://github.com/snapcore/snapd/pull/10207>
[10:27] <mup> PR snapd#10208 opened: daemon: implement REST API for quota groups (create / list / get) <quota> <Created by stolowski> <https://github.com/snapcore/snapd/pull/10208>
[10:47] <pedronis> mmh. I should have set that PR to skip spread
[10:47] <mup> PR snapd#10206 closed: o/servicestate: test has internal ordering issues, consider both cases <Test Robustness> <⚠ Critical> <Created by pedronis> <Closed by pedronis> <https://github.com/snapcore/snapd/pull/10206>
[10:52] <mup> PR snapd#10206 opened: o/servicestate: test has internal ordering issues, consider both cases <Skip spread> <Test Robustness> <⚠ Critical> <Created by pedronis> <https://github.com/snapcore/snapd/pull/10206>
[11:02] <pedronis> ijohnson: pstolowski: what's the next PRs in order I should review or re-review? there are quite a few
[11:05] <pstolowski> pedronis: #10197, then #10208
[11:05] <mup> Bug #10197: folder widget text entry loves to crash evo <evolution (Ubuntu):Fix Released by seb128> <https://launchpad.net/bugs/10197>
[11:05] <mup> PR #10197: cmd/snap: introduce 'snap quota' command <Needs Samuele review> <quota> <Created by stolowski> <https://github.com/snapcore/snapd/pull/10197>
[11:05] <mup> Bug #10208: Needs rebuild with new libneon <openoffice.org (Ubuntu):Invalid by doko> <openoffice.org (Debian):Fix Released> <https://launchpad.net/bugs/10208>
[11:05] <mup> PR #10208: daemon: implement REST API for quota groups (create / list / get) <quota> <Created by stolowski> <https://github.com/snapcore/snapd/pull/10208>
[11:12] <pedronis> pstolowski: thx
[11:18] <pstolowski> i see quotas_test.go:43: servicestateQuotasSuite.TestQuotas test failure due to ordering, but i think it's fixed in on of Ian's PRs
[11:22] <mup> PR snapd#10206 closed: o/servicestate: test has internal ordering issues, consider both cases <Skip spread> <Test Robustness> <⚠ Critical> <Created by pedronis> <Merged by pedronis> <https://github.com/snapcore/snapd/pull/10206>
[11:24] <pedronis> pstolowski: I fixed independently given that it broke master and Ian's PR don't have enough +1 yet
[11:24] <pedronis> a possible fix is now merged
[11:27] <pstolowski> thanks
[11:28] <pstolowski> pedronis: i think i pulled the trigger too fast on API PR, i now see ServiceManager methods that I should probably be using instead of servicestate
[11:28] <pstolowski> i'm marking it blocked and need to rework some bits
[11:32] <mup> PR snapd#10088 closed: o/configstate/configcore/picfg.go: use ubuntu-seed config.txt in uc20 run mode <Bug> <Needs Samuele review> <UC20> <Created by anonymouse64> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10088>
[11:53] <pstolowski> pedronis: what output do we want from 'snap quotas'?
[12:02] <mup> PR snapd#10209 opened: add dm-crypt interface to support external storage encryption <Needs Samuele review> <Created by kubiko> <https://github.com/snapcore/snapd/pull/10209>
[12:03] <pedronis> pstolowski: we don't have anything like it so far I suppose
[12:05] <pstolowski> pedronis: not really... closest is probably debug timings (as far as nesting is depicted in tabular output)
[12:05] <pedronis> yea
[12:40] <amurray> cjwatson: nice - ok I'll try follow-up with the snapd folks then :)
[13:17] <ogra> hmm ... having a daemon with "install-mode: disable" and a "timer:" entry still seems to start the timer on install it seems ... is that a bug or expected behaviour (the doc doesnt say anything about combining the two)
[13:36] <mup> Bug #1926442 opened: cannot execute 'netplan generate' from within a snap <Snappy:New> <https://launchpad.net/bugs/1926442>
[14:26] <pstolowski> pedronis: for 'snap quotas', what do you think about tabular output with just "Name Parent Memory Limit" columns (and otherwise the details can be inspected with snap quota <group>)?
[14:27] <pedronis> "Quota Parent Max-Memory" ?
[14:27] <pstolowski> pedronis: ok, sure
[14:27] <pedronis> let's start there
[14:27] <pstolowski> ok
[14:27] <pstolowski> to be clear the api has all the details so we can extend
[14:28] <pedronis> it's maybe obvious but we should sort them by hierarchy
[14:28] <pedronis> and otherwise by name
[14:31] <pstolowski> makes sense
[15:25] <pstolowski> mvo: will you find time to do 2nd review of https://github.com/snapcore/snapd/pull/10197 ?
[15:25] <mup> PR #10197: cmd/snap: introduce 'snap quota' command <Needs Samuele review> <quota> <Created by stolowski> <https://github.com/snapcore/snapd/pull/10197>
[15:25] <mvo> pstolowski: yeah, happy to do right after my current meeting
[15:25] <pstolowski> mvo: thanks!
[15:35] <ijohnson> pstolowski: pedronis I updated https://github.com/snapcore/snapd/pull/10198
[15:35] <mup> PR #10198: snap/quotas: followups from previous PR <quota> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/10198>
[15:35] <pedronis> ijohnson: thx
[15:37] <pstolowski> ijohnson: ack, thanks, i'll review
[15:37] <ijohnson> ogra: that sounds like a bug re install-mode and timer, can you file a LP bug please?
[15:38] <ogra> yep
[15:38] <ijohnson> thanks
[15:43] <ogra> ijohnson, https://bugs.launchpad.net/snapd/+bug/1926474
[15:43] <mup> Bug #1926474: combining timer and "install-mode: disabled" for a daemon seems not respected <snapd:New> <https://launchpad.net/bugs/1926474>
[15:43] <ijohnson> great thank you
[15:55] <pstolowski> ijohnson: a few small comments
[15:58] <ijohnson> pstolowski: thanks I asked a question there
[16:08] <pedronis> ijohnson: I actually put that TODO there, so I clarified what I meant in a couple of comments
[16:08] <ijohnson> ok, sorry I pushed right as you left your review
[16:08] <mup> PR snapd#10197 closed: cmd/snap: introduce 'snap quota' command <Needs Samuele review> <quota> <Created by stolowski> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10197>
[16:11] <pedronis> ijohnson: my main point was: https://github.com/snapcore/snapd/pull/10198#discussion_r622326464, which is not really about this PR but higher levels
[16:11] <mup> PR #10198: snap/quotas: followups from previous PR <quota> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/10198>
[16:11] <mvo> pstolowski: will you merge master into 10205 or shall I (I realize it's late for you)
[16:11] <ijohnson> pedronis: I guess my main question is should I make further changes to that PR or are we happy with that PR
[16:13] <pstolowski> mvo: i'll merge (i didn't realize you just landed the previous PR, thanks!)
[16:13] <mvo> pstolowski: \o/ thank you
[16:14] <pedronis> ijohnson: +1 from me, but do consider that question and also my last small remark that probably can be covered in one of the follow-ups
[16:15] <pedronis> I mean do consider the question in the higher levels
[16:15] <pstolowski> mvo: done
[16:18] <ijohnson> ok, I left some TODOs I think it is ready to land after the spread tests run
[16:18]  * ijohnson moves on to the other changes
[16:19] <pstolowski> ijohnson: +1
[16:26] <pedronis> ijohnson: thx
[16:39]  * cachio lunch
[18:04] <mup> PR snapd#10198 closed: snap/quotas: followups from previous PR <quota> <Created by anonymouse64> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10198>
[19:21] <mup> PR snapcraft#3515 opened: Use snapd-spread gce project instead of computeengine project <Created by sergiocazzolato> <https://github.com/snapcore/snapcraft/pull/3515>
[20:45] <jdstrand> jamesh and amurray: you're right that @{pid} is supposed to mean your own pid, hence the distinction between base template and system-observe of @{pid} vs * (ie, trying to have a reasonable experience if we get the kernelvar support). so yeah there is overlap. it's also possible we have duplicated rules (as opposed to overlapping) which imho we could remove from the interfaces if they are in the default
[20:45] <jdstrand> template (where @{pid} and * are overlapping, not duplicate of course)
[20:47] <jdstrand> jamesh and amurray: but like you said, I imagine whenever kernel support landed, there would be stuff that would break since they all of a sudden might need system-observe (or changes to the base template). that would have to be a careful rollout
[20:50] <jdstrand> amurray: cjwatson is right. the man page thing is fixable now. someone needs to do the work. though, with man pages, the idea was that we'd allow any snap to install a man page. that might be different than with policykit files (I certainly like the idea of restricing js as mentioned; it is also possible to make the interface restricted with some sort of vetting procedure like with other stuff (I didn't
[20:50] <jdstrand> read all backscroll or through the PR carefully, so forgive me if that was discussed. I'm just tossing out a couple of ideas))
[20:52] <jdstrand> I'd love to see the man pages work picked up (on the snapd side)
[20:59] <mup> PR snapd#10153 closed: wrappers, quota: implement quota groups slice generation <Squash-merge> <quota> <Created by anonymouse64> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10153>
[21:11] <mup> PR snapcraft#3516 opened: github: update workflows that to use pull_request_target <Created by sergiusens> <https://github.com/snapcore/snapcraft/pull/3516>
[23:10] <amurray> jdstrand: hey :) - yeah I would also love to see man pages surfaced by snapd so hopefully we can make that happen