georgios | i see in snap-store that all my apps are not confined. however apparmor is installed and blocks hello-world.evil as expected. so what is the truth? | 14:26 |
georgios | in practice, firefox for example, follows the rules that i set | 14:29 |
* zyga-mbp | georgios which OS are you on? | 15:12 |
zyga-mbp | try | 15:12 |
zyga-mbp | snap debug confinement | 15:12 |
zyga-mbp | you can also try this: | 15:13 |
zyga-mbp | snap debug sandbox-features | 15:13 |
georgios | hi zyga. i am on archlinux | 16:43 |
zyga-mbp | georgios hi | 16:50 |
zyga-mbp | what did the two debug commands say? | 16:50 |
georgios | [root@wizy ~]# snap debug confinement | 16:54 |
georgios | partial | 16:54 |
georgios | [root@wizy ~]# snap debug sandbox-features | 16:54 |
georgios | apparmor: kernel:caps kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:unsafe policy:default support-level:partial | 16:54 |
georgios | confinement-options: classic devmode | 16:54 |
georgios | dbus: mediated-bus-access | 16:54 |
georgios | kmod: mediated-modprobe | 16:54 |
georgios | mount: layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation | 16:54 |
georgios | seccomp: bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif | 16:54 |
georgios | udev: tagging | 16:54 |
georgios | oooooooooooooops | 16:54 |
georgios | i was going to paste this | 16:54 |
georgios | [root@wizy ~]# snap debug confinement | 16:54 |
georgios | partial | 16:54 |
georgios | [root@wizy ~]# snap debug sandbox-features | 16:54 |
georgios | apparmor: kernel:caps kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:unsafe policy:default support-level:partial | 16:54 |
georgios | confinement-options: classic devmode | 16:54 |
georgios | dbus: mediated-bus-access | 16:54 |
georgios | kmod: mediated-modprobe | 16:54 |
georgios | mount: layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation | 16:54 |
georgios | seccomp: bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif | 16:54 |
georgios | udev: tagging | 16:54 |
georgios | WTF | 16:54 |
georgios | i am very sorry for polluting the channel | 16:55 |
georgios | http://paste.debian.net/1216498/ | 16:55 |
georgios | this is what i intended to paste | 16:55 |
georgios | let me see if my client has anti-spam protection | 16:55 |
georgios | ok, set | 17:00 |
zyga-mbp | no worries | 17:06 |
zyga-mbp | georgios this tells you that confinement is partial, many things are supported but some things are not | 17:07 |
zyga-mbp | most notably, I believe, your kernel doesn't have apparmor unix mediation, so dbus is not protected | 17:07 |
zyga-mbp | dbus is confusing here because there are two parts of snapd that interact with it | 17:07 |
zyga-mbp | dbus as in host's dbus configuration (that's always supported) | 17:08 |
zyga-mbp | and apparmor's parsing of unix socket messages on dbus | 17:08 |
zyga-mbp | that's not universally supported yet AFAIK | 17:08 |
zyga-mbp | that's that | 17:08 |
georgios | is it tweakable by rebuilding? | 17:08 |
georgios | i wanted to rebuild the kernel anyway | 17:10 |
zyga-mbp | georgios perhaps, but I'm not an expert on Arch | 17:37 |
zyga-mbp | you may want to ask mborzecki next week, he is running arch | 17:37 |
georgios | it has been some years since i last built my own kernels. it feels nice to do it once again! | 18:02 |
georgios | it seems a patch is needed | 19:14 |
georgios | i shall wait | 19:14 |