/srv/irclogs.ubuntu.com/2021/10/23/#snappy.txt

14:26 <georgios> i see in snap-store that all my apps are not confined. however apparmor is installed and blocks hello-world.evil as expected. so what is the truth?
14:29 <georgios> in practice, firefox for example, follows the rules that i set
15:12 * zyga-mbp georgios which OS are you on?
15:12 <zyga-mbp> try
15:12 <zyga-mbp> snap debug confinement
15:13 <zyga-mbp> you can also try this:
15:13 <zyga-mbp> snap debug sandbox-features
16:43 <georgios> hi zyga. i am on archlinux
16:50 <zyga-mbp> georgios hi
16:50 <zyga-mbp> what did the two debug commands say?
16:54 <georgios> [root@wizy ~]# snap debug confinement
16:54 <georgios> partial
16:54 <georgios> [root@wizy ~]# snap debug sandbox-features
16:54 <georgios> apparmor:             kernel:caps kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:unsafe policy:default support-level:partial
16:54 <georgios> confinement-options:  classic devmode
16:54 <georgios> dbus:                 mediated-bus-access
16:54 <georgios> kmod:                 mediated-modprobe
16:54 <georgios> mount:                layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
16:54 <georgios> seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
16:54 <georgios> udev:                 tagging
16:54 <georgios> oooooooooooooops
16:54 <georgios> i was going to paste this
16:54 <georgios> [root@wizy ~]# snap debug confinement
16:54 <georgios> partial
16:54 <georgios> [root@wizy ~]# snap debug sandbox-features
16:54 <georgios> apparmor:             kernel:caps kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:unsafe policy:default support-level:partial
16:54 <georgios> confinement-options:  classic devmode
16:54 <georgios> dbus:                 mediated-bus-access
16:54 <georgios> kmod:                 mediated-modprobe
16:54 <georgios> mount:                layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
16:54 <georgios> seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
16:54 <georgios> udev:                 tagging
16:54 <georgios> WTF
16:55 <georgios> i am very sorry for polluting the channel
16:55 <georgios> http://paste.debian.net/1216498/
16:55 <georgios> this is what i intended to paste
16:55 <georgios> let me see if my client has anti-spam protection
17:00 <georgios> ok, set
17:06 <zyga-mbp> no worries
17:07 <zyga-mbp> georgios this tells you that confinement is partial, many things are supported but some things are not
17:07 <zyga-mbp> most notably, I believe, your kernel doesn't have apparmor unix mediation, so dbus is not protected
17:07 <zyga-mbp> dbus is confusing here because there are two parts of snapd that interact with it
17:08 <zyga-mbp> dbus as in host's dbus configuration (that's always supported)
17:08 <zyga-mbp> and apparmor's parsing of unix socket messages on dbus
17:08 <zyga-mbp> that's not universally supported yet AFAIK
17:08 <zyga-mbp> that's that
17:08 <georgios> is it tweakable by rebuilding?
17:10 <georgios> i wanted to rebuild the kernel anyway
17:37 <zyga-mbp> georgios perhaps, but I'm not an expert on Arch
17:37 <zyga-mbp> you may want to ask mborzecki next week, he is running arch
18:02 <georgios> it has been some years since i last built my own kernels. it feels nice to do it once again!
19:14 <georgios> it seems a patch is needed
19:14 <georgios> i shall wait
