/srv/irclogs.ubuntu.com/2022/03/08/#ubuntu-security.txt

schopin	sbeattie: you might want to have a look at https://bugs.launchpad.net/ubuntu/+source/rustc/+bug/1964098 :)	09:50
ubottu	Launchpad bug 1964098 in rustc (Ubuntu) "[FFe] Versioned packages for Rust toolchain" [Undecided, New]	09:50
sbeattie	schopin: thanks!	14:19
hallyn	sigh - i'm being lazy here, but is there a way for me to post an extra apparmor profile snipped for a snap (firefox, specifically)? /etc/dnsmasq.d/ style? That'll just get appended to the shipped policy?	15:05
hallyn	something like https://stackoverflow.com/questions/44174234/apparmor-profile-for-libreoffice-in-a-ubuntu-snap-package	15:05
hallyn	I want firefox to be allowed to run /usr/local/bin/st and /usr/bin/vim	15:06
hallyn	i'm on impish. should it have a kernel immune to dirtypipez?	15:44
hallyn	(cuase, it doesn't :( )	15:44
ebarretto	georgiag, ^	15:45
sdeziel	hallyn: fixed kernels are apparently going to be released in the next 24h	15:45
hallyn	:cringe:	15:46
hallyn	ok thanks	15:46
georgiag	hallyn: I don't think there's currently a way to have a policy on top of the current snap policy for firefox. as a workaround, you can change the snap firefox policy and reload it, but that's temporary - snap will reload the original unchanged policy after a while	15:54
hallyn	:(	15:58
jjohansen	hallyn: georgiag is right. This is one of those things that is planned for but we just haven't had time to do yet	15:58
hallyn	so the 'snap policy' includes 'apparmor policy'? Where do I find that?	15:59
jjohansen	basically there are two things that are wip to do this	15:59
jjohansen	1. being able to "inherit" from a profile	15:59
hallyn	will you slap me if i say you should hire someone? :)	15:59
jjohansen	2. Being able to specify an overlay location	16:00
jjohansen	hahaha	16:00
hallyn	what would inherit from what?	16:00
hallyn	it seems like the notion of "connecting" would be useful... which ionly mention bc i readsomewhere about snap connect or something	16:01
jjohansen	so you could specify a new profile, inheriting from another profile, and then add new rules to that profile	16:01
hallyn	ok	16:01
hallyn	that would be perfect	16:02
hallyn	but so in the meantime where woudl i find the polcy to update? having t oupdate it after every snap refresh is better than nothing	16:02
hallyn	i can script that :)	16:02
jjohansen	/var/lib/snapd/apparmor/profiles/	16:03
sbeattie	hallyn: you're hired! (I wish)	16:04
hallyn	thanks jjohansen	16:04
hallyn	sbeattie: hirenapping is illegal	16:04
sbeattie	hallyn: uh-hunh, sure, if you say so.	16:05
hallyn	"laws are subject to interpretation"	16:06
sarnold	look if you just want to do the work without being paid, that's fine by us too...	17:01
hallyn	:) deal!	17:27
hallyn	ok so i need to go find snap help i guess	17:27
hallyn	ugh this is a pain. maybe i should just move to the apt package	17:36
jjohansen	yeah, that is what I have done for the moment	17:36
hallyn	otherwise it looks like i need to learn what 'stage' and 'prime' mean. (I need to bind in /usr/bin/vim into the chroot)	17:37
hallyn	wow. i did "snap remove firefox", and it removed my profile from my homedir!	17:45
jjohansen	O_o	17:45
hallyn	Now I"m very angry. Maybe it's time to move to void linux	17:45
sarnold	I do keep hearing good things about void	18:09
sarnold	snap remove firefox killing your user profile is vastly uncool	18:10
hallyn	and i didn't have a backup :(	18:13
sarnold	:(	18:13
hallyn	well, i'm taking the opportunity to clear my bookmarks and make sure my extensions haven't gotten a long-lived trojan over time :)	18:14
sarnold	losing firefox history would be a huge blow..	18:14
hallyn	i don't like leaving anything but small easily verifiable text files when i switch systems (which i just did last week), but i'd cheated and rsynced my old .mozilla	18:15
hallyn	yeah, but OTOH having stuff in history leads me to fogetting how to find it :) i'm juts gonna look on the bright side	18:15
sarnold	I wonder how moz does their firefox binary publishing; I wonder if they repurpose an existing binary for the snap, or if the snap is the "right" place to get an ubuntu firefox binary	18:18
hallyn	this morning i did an xprop on firefox (bc the WM_NAME had changed, as it turns out to 'Navigator' , which threw off my wm), i noticed that one of the variables said something about Arch linux.	18:20
hallyn	i didnt' keep the info around.	18:20
sarnold	navigator, wow. that's a blast from the past.	18:22
hallyn	I KNOW RITE	18:25
hallyn	i'm curious how that snuck in :)	18:25
hallyn	it wasn't there yesterday	18:25
sarnold	is it april? heh	18:27
* hallyn checks		18:29
jdstrand	hallyn: iirc, snapd keeps backups	21:57
* jdstrand tries to find it		21:58
jdstrand	hallyn: https://snapcraft.io/docs/snapshots - "Snapshots are generated manually with the snap save command and automatically when a snap is removed."	21:58
hallyn	orly	22:33
hallyn	i see a zipfile... will it actually have my homedir stuff? let's see	22:36
hallyn	yeah i see it. thanks - i'll just encrypt and keep a cpy of htat in case i absolutely need something back :)	22:38
sdeziel	hallyn: update kernels are available now	22:57
sdeziel	those patching CVE-2022-0847 that is	22:58
ubottu	A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read only files and as such escalate their privileges on the syste... <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0847>	22:58
hallyn	(seems to have dropped, but in case he checks the logs) thanks sdeziel, updated a few hours ago and tested that the poc stopped working :) \o/	23:00
jdstrand	hallyn: \o/ :)	23:20

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!