[06:45] <mborzecki> morning
[06:57] <mardy> mborzecki: hi!
[07:03] <mborzecki> mardy: heya
[07:04] <pstolowski> morning
[07:15] <mborzecki> mardy: i've pinged pedronis about the apparmor feature name, maybe we should use cap-audit-read, cap-bpf, or something else as long as it's consistent
[07:18] <mborzecki> https://github.com/snapcore/snapd/pull/10952 needs 2nd review and is super simple
[07:18] <mup> PR #10952: tests/lib/pkgdb: install strace on Debian 11 and Sid <Simple 😃> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/10952>
[07:19] <mborzecki> pstolowski: can you take a look? ^^
[07:19] <pstolowski> +1
[07:20] <mborzecki> thanks!
[07:33] <mup> PR snapd#10954 closed: tests: update the ubuntu-image channel to candidate <⚠ Critical> <Simple 😃> <Created by sergiocazzolato> <Merged by pedronis> <https://github.com/snapcore/snapd/pull/10954>
[07:44] <mborzecki> https://github.com/snapcore/snapd/pull/10947 needs a 2nd review too
[07:44] <mup> PR #10947: tests: run spread tests on debian 11 <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/10947>
[08:25] <mardy> mborzecki: yes, cap-audit-read might be more clear
[08:25] <mardy> pstolowski: 'morning!
[08:28] <pstolowski> hey mardy
[09:33] <mborzecki> mardy: ok, so cap-bpf and cap-audit-read then?
[09:33] <mup> PR snapd#10955 opened: tests/main/snapd-snap: restore debian symlink <Simple 😃> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/10955>
[09:48] <mardy> mborzecki: did you see amurray's comment (https://github.com/snapcore/snapd/pull/10938#issuecomment-948109370)? Unless we have a reason to use hyphens, I'd use underscores
[09:48] <mup> PR #10938: interfaces: skip connection of netlink interface on older systems <Needs Samuele review> <Created by mardy> <https://github.com/snapcore/snapd/pull/10938>
[09:48] <mup> PR snapd#10956 opened: o/snapstate: migrate to hidden dir on refresh <Created by MiguelPires> <https://github.com/snapcore/snapd/pull/10956>
[09:50] <mborzecki> mardy: yeah, i pinged pedronis for his input, in the meantime i renamed it to cap-bpf in a separate branch
[10:49] <mup> PR snapd#10937 closed: interfaces/u2f-devices: add Nitrokey 3 <Simple 😃> <Created by robin-nitrokey> <Merged by pedronis> <https://github.com/snapcore/snapd/pull/10937>
[10:59] <mup> PR snapd#10949 closed: tests: ensure systemd-timesyncd is installed on debian <Simple 😃> <Created by bboozzoo> <Merged by pedronis> <https://github.com/snapcore/snapd/pull/10949>
[10:59] <mup> PR snapd#10952 closed: tests/lib/pkgdb: install strace on Debian 11 and Sid <Simple 😃> <Created by bboozzoo> <Merged by pedronis> <https://github.com/snapcore/snapd/pull/10952>
[11:09] <mup> PR snapd#10955 closed: tests/main/snapd-snap: restore debian symlink <Simple 😃> <Created by bboozzoo> <Closed by bboozzoo> <https://github.com/snapcore/snapd/pull/10955>
[11:14] <mup> PR snapd#10957 opened: build-aux: ensure that debian packaging matches build-base <Created by xnox> <https://github.com/snapcore/snapd/pull/10957>
[11:48] <mardy> mborzecki: are you aware of any AppArmor limitations in opensuse, as far as mount rules are concerned?
[11:48] <mardy> the spread test for the mount-control interface fails under opensuse: https://github.com/snapcore/snapd/pull/10739/checks?check_run_id=3962169410
[11:48] <mup> PR #10739: mount-control: step 2 <Needs Samuele review> <Created by mardy> <https://github.com/snapcore/snapd/pull/10739>
[11:50] <mborzecki> mardy: i know that fine grained socket filtering support is missing, but i'm not aware of anything mount related
[11:50] <mborzecki> mardy: do you see a particular problem there?
[11:53] <mardy> mborzecki: yes, the generated rule is mount  options=(rw,bind) /var/tmp/** -> /var/snap/test-snapd-mount-control/common/**,
[11:53] <mardy> mborzecki: in other distros (Ubuntu), the command "test-snapd-mount-control.cmd mount -o bind,rw /var/tmp/test-snapd-mount-control /tmp" fails
[11:53] <mardy> mborzecki: in opensuse, it succeeds
[11:56] <mborzecki> mardy: have you tried on arch?
[11:57] <mardy> mborzecki: nope, let me try...
[11:58] <mardy> mborzecki: well, the spread test passes there, so it must be all right
[12:19] <mup> PR snapd#10958 opened: run-checks: remove --spread from help message <Simple 😃> <Skip spread> <Created by MiguelPires> <https://github.com/snapcore/snapd/pull/10958>
[12:26] <mardy> mborzecki: wow, under opensuse mount rules don't work at all: I added a `deny mount,`, but can still mount anything :-)
[12:39] <mup> PR snapd#10946 closed: secboot: use latest secboot with tpm legacy platform and v2 fully optional <Squash-merge> <UC20> <Run nested> <Created by pedronis> <Merged by pedronis> <https://github.com/snapcore/snapd/pull/10946>
[12:39] <mup> PR snapd#10959 opened: tests/main/selinux-data-context: use session when performing actions as test user <Simple 😃> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/10959>
[12:49] <mup> PR snapd#10942 closed: cmd/snap-confine: die when snap process is outside of snap specific cgroup (2.53) <Created by bboozzoo> <Merged by pedronis> <https://github.com/snapcore/snapd/pull/10942>
[13:14] <mup> PR snapd#10960 opened: spread: run lxd tests with version from latest/stable <Simple 😃> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/10960>
[13:24] <mup> PR snapd#10958 closed: run-checks: remove --spread from help message <Simple 😃> <Skip spread> <Created by MiguelPires> <Merged by MiguelPires> <https://github.com/snapcore/snapd/pull/10958>
[13:35] <mup> PR snapd#10961 opened: tests: enable lxd tests on impish system <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/10961>
[13:50] <mup> PR snapd#10962 opened: o/assertstate, snapstate, api: store the current state of validation sets tracking in a stack <Needs Samuele review> <validation-sets :white_check_mark:> <Created by stolowski> <https://github.com/snapcore/snapd/pull/10962>
[14:17] <mardy> mborzecki: ah! https://bugzilla.opensuse.org/show_bug.cgi?id=995594
[14:32] <mborzecki> mardy: still may be worth asking jjohansen about the current status, the bug is from 2017
[14:32] <mborzecki> mardy: and if the test works on arch then relevant things must be part of the vanilla kernel & apparmor
[15:20] <mardy> mborzecki: ok, some manual tests show that mount rules are working
[15:43] <mardy> mborzecki: uh, about that opensuse issue: the snap is actually being run unconfined
[15:44] <mardy> mborzecki: the profile is loaded in the kernel, but "snap run" is not activating it
[15:46] <mardy> ijohnson[m]: any idea how that could happen (assuming Maciej is EOD)? ^
[15:50] <ijohnson[m]> mardy sorry busy ATM, will look in a bit though
[16:15] <mup> PR snapd#10960 closed: spread: run lxd tests with version from latest/stable <Simple 😃> <Created by bboozzoo> <Merged by pedronis> <https://github.com/snapcore/snapd/pull/10960>
[16:50] <mborzecki> mardy: hmm which opensuse? tumbleweed or 15.x?
[16:51] <mborzecki> mardy: tumbleweed is the only one we build with apparmor atm. I can look into enabling it for 15.3 too
[17:01] <mup> PR snapd#10963 opened: release: 2.53.1 <Simple 😃> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/10963>
[17:50] <mardy> mborzecki: opensuse-15.3-64
[17:50] <mardy> mborzecki: ah, that explains it :-)
[19:11] <mup> PR snapd#10963 closed: release: 2.53.1 <Simple 😃> <Created by anonymouse64> <Merged by anonymouse64> <https://github.com/snapcore/snapd/pull/10963>
[20:45] <mup> PR snapcraft#3591 closed: extensions: conditionally prepend to LIBVA_DRIVERS_PATH instead of overriding it <Created by oSoMoN> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/3591>
[22:57] <mup> PR snapd#10964 opened: release-tools/repack-debian-tarball.sh: fix c-vendor dir <Simple 😃> <Skip spread> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/10964>
[23:07] <mup> PR snapd#10965 opened: packaging: merge 2.53.1 changelog back to master <Simple 😃> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/10965>