=== brlin_ is now known as brlin
[05:50] <mborzecki> morning
[05:59] <mardy> mborzecki: hi!
[06:00] <mardy> mborzecki: about the opensuse issue, when you said that apparmor is disabled, did you refer to the kernel or to snapd itself?
[06:01] <mardy> asking because I noticed that apparmor seems to be correctly supported by the kernel (profiles are loaded)
[06:15] <mborzecki> mardy: so for the stable releases (15.0/1/2) we had it disabled but agreed to enable it for the next stable release (15.3 in this case), which i forgot to do
[06:16] <mborzecki> mardy: but in tumbleweed which is very close to mainline kernel, we've had it enabled for a longer while
[06:19] <mborzecki> mardy: hm since we have 2.53.1 i'll enable it in the next update for 15.3 🙂
[06:20] <mborzecki> hopefully we won't break users
[06:25] <mardy> mborzecki: OK; in the meantime, is there some way to check (from within the spread tests) if it's enabled or not?
[06:27] <mborzecki> mardy: no, just switch based on $SPREAD_SYSTEM
[07:24] <pstolowski> morning
[07:25] <mardy> pstolowski, zyga-mbp: hi!
[07:25]  * zyga-mbp goood morning, happy Friday
[07:25]  * zyga-mbp brb, need to restart my client 
[07:27] <mborzecki> hmm didn't we have a mode where there was some time reference file left in writable on each boot that we then use to restore the time on systems where there is no rtc?
[07:27] <mborzecki> pstolowski: zyga-mbp hey
[07:28]  * zyga-mbp hey guys 
[07:28]  * zyga-mbp is going to be busy migrating two dozen projects between gitlab instances today
[07:28] <zyga-mbp> time to put on a worker's hard hat and get to work :)
[08:40] <mup> PR snapd#10953 closed: tests/main/snapd-sigterm: fix race conditions <Created by mardy> <Merged by pedronis> <https://github.com/snapcore/snapd/pull/10953>
[08:45] <mup> PR snapd#10818 closed: tests: test for enforcing with prerequisites <validation-sets :white_check_mark:> <Created by stolowski> <Merged by pedronis> <https://github.com/snapcore/snapd/pull/10818>
[08:55] <mup> PR snapd#10966 opened: packaging/opensuse: sync with openSUSE packaging, enable AppArmor on 15.3+ <Simple 😃> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/10966>
[09:00] <mup> PR snapd#10964 closed: release-tools/repack-debian-tarball.sh: fix c-vendor dir <Simple 😃> <Skip spread> <Created by anonymouse64> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/10964>
[09:33] <mborzecki> mardy: for reference on apparmor and opensuse leap releases: https://github.com/snapcore/snapd/pull/9740
[09:33] <mup> PR #9740: packaging/opensuse: enable AppArmor on Leap <Created by bboozzoo> <Closed by bboozzoo> <https://github.com/snapcore/snapd/pull/9740>
[09:35] <mup> PR snapd#10967 opened: interface/modem-manager: allow connecting to the mbim/qmi proxy <Created by alfonsosanchezbeato> <https://github.com/snapcore/snapd/pull/10967>
[10:09] <mborzecki> mardy: pstolowski: can you take a look at https://github.com/snapcore/snapd/pull/10959 ?
[10:09] <mup> PR #10959: tests/main/selinux-data-context: use session when performing actions as test user <Simple 😃> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/10959>
[10:09] <pstolowski> sure
[10:27] <mborzecki> hm i think there's a slight bug in how we handle matching devices in snap-confine
[10:27] <zyga-mbp> oh?
[10:34] <mborzecki> zyga-mbp: yeah, with current tags support we know that there were devices assigned to the snap only after we go through all the devices that matched the udev rule, so in case no devices are actually assigned to the snap, we would still set up a device filtering for the process, just with a minimal set of allowed entries, a think we said we would not do
[10:34] <zyga-mbp> hmm hmm
[10:35] <zyga-mbp> right but is that the new state after-i-left? I recall we had some quick check that did nothing in the code I remember
[10:35] <zyga-mbp> I recall we ran into this
[10:35] <zyga-mbp> and even added a test to verify it's right (AFAIR)
[10:37] <mborzecki> zyga-mbp: yeah, kind of, i think you were still around when systemd introduced CURRENT_TAGS, and TAGS became sticky, and we have to first get the list of tagged devices and then check the current tags one by one
[11:00]  * zyga-mbp I recall that change but I didn't read the details, so are you saying that we create the constrained device cgroup before checking if that's needed now?
[11:04] <mardy> I need some reviews on https://github.com/snapcore/snapd/pull/10933
[11:04] <mup> PR #10933: interfaces: suppress denial of sys_module capability <Created by mardy> <https://github.com/snapcore/snapd/pull/10933>
[11:05] <mup> PR snapd#10968 opened:  cmd/snap-confine: lazy set up of device cgroup, only when devices were assigned <Needs security review> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/10968>
[11:45] <mup> PR snapd#10965 closed: packaging: merge 2.53.1 changelog back to master <Simple 😃> <Created by anonymouse64> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/10965>
[12:17] <mborzecki> zyga-mbp: when you're around: https://build.opensuse.org/request/show/926969
[12:26] <mup> PR snapd#10969 opened: o/snapstate, assertsate: validation sets/undo on partial failure <Complex> <Needs Samuele review> <validation-sets :white_check_mark:> <Created by stolowski> <https://github.com/snapcore/snapd/pull/10969>
[12:51] <mup> PR snapd#10951 closed: sandbox/apparmor, interfaces/apparmor: detect bpf capability, generate snippet for s-c <Needs Samuele review> <Security-High> <Needs security review> <Created by bboozzoo> <Merged by pedronis> <https://github.com/snapcore/snapd/pull/10951>
[12:56] <mup> PR snapd#10970 opened: cmd/snap: improve snap disconnect arg parsing and err msg <Simple 😃> <Created by MiguelPires> <https://github.com/snapcore/snapd/pull/10970>
[12:59] <pstolowski> miguelpires: thanks for tackling this^
[13:23] <miguelpires> pstolowski: no problem, I had a bit of time :] 
[14:06] <mup> PR snapd#10971 opened: tests/main/apparmor-batch-reload: fix fake apparmor_parser to handle --preprocess <Simple 😃> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/10971>
[14:07] <mborzecki> trivial PR ^^
[15:27] <pstolowski> miguelpires: some real failures on snap disconnect PR
[15:28] <pstolowski> unfortunately there were always dragons there... and this arg parsing and swapping was always confusing
[15:53] <miguelpires> Ah right, the snap can be empty if it's the core. It's more subtle than it looks at first  =p
[15:55] <pstolowski> miguelpires: yes.. and there is a bit of magic on the api side as well (not affecting your PR i think, but something to keep in mind when changing any of this)
[15:58] <miguelpires> pstolowski: yes, I'll read the api side to really be sure what the cmd needs to validate. Thanks for the heads-up
[16:03] <zyga-mbp> mborzecki I'll look at opensuse stuff in a moment 
[20:08] <mup> PR snapd#10972 opened: tests: skip the interfaces-openvswitch on fedora 33 <Created by sergiocazzolato> <https://github.com/snapcore/snapd/pull/10972>
=== popey6 is now known as popey
[22:46] <tokam> Hi, I have this snap installed: wine-platform-5-staging
[22:46] <tokam> where do I find the binary for it?