[14:26] <georgios> i see in snap-store that all my apps are not confined. however apparmor is installed and blocks hello-world.evil as expected. so what is the truth?
[14:29] <georgios> in practice, firefox for example, follows the rules that i set
[15:12]  * zyga-mbp georgios which OS are you on?
[15:12] <zyga-mbp> try
[15:12] <zyga-mbp> snap debug confinement
[15:13] <zyga-mbp> you can also try this:
[15:13] <zyga-mbp> snap debug sandbox-features
[16:43] <georgios> hi zyga. i am on archlinux
[16:50] <zyga-mbp> georgios hi
[16:50] <zyga-mbp> what did the two debug commands say?
[16:54] <georgios> [root@wizy ~]# snap debug confinement
[16:54] <georgios> partial
[16:54] <georgios> [root@wizy ~]# snap debug sandbox-features
[16:54] <georgios> apparmor:             kernel:caps kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:unsafe policy:default support-level:partial
[16:54] <georgios> confinement-options:  classic devmode
[16:54] <georgios> dbus:                 mediated-bus-access
[16:54] <georgios> kmod:                 mediated-modprobe
[16:54] <georgios> mount:                layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
[16:54] <georgios> seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
[16:54] <georgios> udev:                 tagging
[16:54] <georgios> oooooooooooooops
[16:54] <georgios> i was going to paste this 
[16:54] <georgios> [root@wizy ~]# snap debug confinement
[16:54] <georgios> partial
[16:54] <georgios> [root@wizy ~]# snap debug sandbox-features
[16:54] <georgios> apparmor:             kernel:caps kernel:domain kernel:file kernel:mount kernel:namespaces kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:unsafe policy:default support-level:partial
[16:54] <georgios> confinement-options:  classic devmode
[16:54] <georgios> dbus:                 mediated-bus-access
[16:54] <georgios> kmod:                 mediated-modprobe
[16:54] <georgios> mount:                layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
[16:54] <georgios> seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
[16:54] <georgios> udev:                 tagging
[16:54] <georgios> WTF
[16:55] <georgios> i am very sorry for polluting the channel
[16:55] <georgios> http://paste.debian.net/1216498/
[16:55] <georgios> this is what i intended to paste
[16:55] <georgios> let me see if my client has anti-spam protection
[17:00] <georgios> ok, set
[17:06] <zyga-mbp> no worries
[17:07] <zyga-mbp> georgios this tells you that confinement is partial, many things are supported but some things are not
[17:07] <zyga-mbp> most notably, I believe, your kernel doesn't have apparmor unix mediation, so dbus is not protected
[17:07] <zyga-mbp> dbus is confusing here because there are two parts of snapd that interact with it
[17:08] <zyga-mbp> dbus as in host's dbus configuration (that's always supported)
[17:08] <zyga-mbp> and apparmor's parsing of unix socket messages on dbus
[17:08] <zyga-mbp> that's not universally supported yet AFAIK
[17:08] <zyga-mbp> that's that
[17:08] <georgios> is it tweakable by rebuilding?
[17:10] <georgios> i wanted to rebuild the kernel anyway
[17:37] <zyga-mbp> georgios perhaps, but I'm not an expert on Arch
[17:37] <zyga-mbp> you may want to ask mborzecki next week, he is running arch
[18:02] <georgios> it has been some years since i last built my own kernels. it feels nice to do it once again!
[19:14] <georgios> it seems a patch is needed
[19:14] <georgios> i shall wait