/srv/irclogs.ubuntu.com/2022/03/16/#snappy.txt

[01:00] <mup> PR snapcraft#3662 closed: tests: update spread url <Created by mr-cal> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/3662>
[01:00] <mup> PR snapcraft#3663 closed: tests: update spread url <Created by mr-cal> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/3663>
[01:00] <mup> PR snapcraft#3665 opened: kde extension: new content snap for core20 <Created by sergiusens> <https://github.com/snapcore/snapcraft/pull/3665>
[04:24] <mwhudson> should i expect snap-preseed to work on a rootfs from a different architecture?
[06:26] <mup> PR snapd#11509 opened: tests/lib/fakestore/store: return snap base in details <Simple 😃> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/11509>
[06:27] <mborzecki> morning
[06:30] <mardy> hi!
[06:41] <mup> PR snapd#11510 opened: dirs: remove unused SnapMetaDir variable <Simple 😃> <Skip spread> <Created by mardy> <https://github.com/snapcore/snapd/pull/11510>
[07:27] <mup> PR snapd#11507 closed: overlord: extend single reboot test to include a non-base, non-kernel snap <Squash-merge> <Simple 😃> <Skip spread> <Created by bboozzoo> <Merged by bboozzoo> <https://github.com/snapcore/snapd/pull/11507>
[07:43] <mborzecki> wow github can re run failed jobs only now
[08:10] <pstolowski> morning
[08:22] <mup> PR snapd#11511 opened: many: replace use of "sanity" with more inclusive naming (part 2) <Simple 😃> <Skip spread> <:heart: Inclusive language> <Created by mvo5> <https://github.com/snapcore/snapd/pull/11511>
[09:47] <mup> PR snapd#11510 closed: dirs: remove unused SnapMetaDir variable <Simple 😃> <Skip spread> <Created by mardy> <Merged by MiguelPires> <https://github.com/snapcore/snapd/pull/11510>
[09:59] <zyga[m]> mwhudson: go 1.18 is out :)
[09:59] <mwhudson> zyga[m]: it's in 1.18/candidate!
[10:00] <mwhudson> but i should promote it
[10:02] <mwhudson> i wonder why https://launchpad.net/~go-snap-maintainers/+snap/go118-core18 is not getting pushed to the store
[10:02] <mwhudson> zyga[m]: ok it's in 1.18/stable now
[10:13] <zyga[m]> mwhudson:
[10:13] <zyga[m]> mwhudson: woot, thank you so much for looking after the go snaps :)
[11:15] <mborzecki> meh the lxd jobs are failing on 20.04
[11:48] <mup> PR snapd#11506 closed: tests: fix test to avoid editing the test-snapd-tools snap.yaml file <Simple 😃> <Created by sergiocazzolato> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/11506>
[11:53] <mup> PR snapd#11470 closed: boot: support factory-reset when sealing and resealing <Run nested> <factory reset 🔌> <Created by bboozzoo> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/11470>
[13:20] <georgios> hi. i've installed firefox and a message appears in Details:
[13:21] <georgios> "This app has no constrains. it can access all your personal files and system resources"
[13:22] <georgios> basically i wanted the app version in order to constrain firefox as much as possible, so this is an epic fail... but why?
[13:23] <georgios> is there a way to troubleshoot it?
[13:38] <mardy> georgios: hi! What distribution are you using?
[13:39] <ogra> georgios, snaps use interfaces to access the world outside their confined space ... you can check which ones FF uses with "snap connections firefox" ... but as mardy points out it depends on the support of your distro whether full confinement can be used or not
[13:41] <ogra> if your distro supports full confinement can be checked with "snap debug confinement" and "snap debug sandbox-features" ... if your distro supports full strict confinement you can use "snap disconnect firefox:<interface name>" to block certain access by disconnecting the interfaces
[13:52] <georgios> archlinux with apparmor. here's the tragedy https://paste.debian.net/1234603/
[14:04] <zyga[m]> amurray: I've filed https://bugs.launchpad.net/snapd/+bug/1965139
[14:06] <mborzecki> georgios: so on arch there's dbus mediation, or apparmor fine grained socket mediation, iirc the rest is supported, still we'll show that confinement is not strict as not all the boxes can be checked
[14:20] <mvo> thanks zyga[m] !
[14:20] <zyga[m]> mvo: pleasure, I hope this can help
[14:21] * mvo hugs zyga[m]
[14:21] <mvo> zyga[m]: fwiw I would switch to your version in a heartbeat (looked at the code, very nice) - if only we could vendor things everywhere :/
[14:24] <zyga[m]> just copy it in
[14:24] <zyga[m]> I've made it REUSE compliant for a reason
[14:24] <zyga[m]> super easy copyright handling
[14:24] <zyga[m]> or revert to old approach
[14:24] * zyga[m] is super light on details on purpose
[14:27] <georgios> so what does mediation mean, and how could i change that to a mode where confinement is the maximum snapd can offer?
[14:28] <zyga[m]> georgios: a way for the kernel to control delivery of dbus communication
[14:28] <zyga[m]> georgios: you would have to use a kernel with an extra patch that adds this feature
[14:29] <zyga[m]> georgios: snapd relies on this feature to control if two processes can communicate with dbus messages
[14:30] <zyga[m]> georgios: this allows a confined application to be denied communication with system or session services to bypass the sandbox and gain permissions that would otherwise be similar to an unconfined classic application that can do everything with the full permissions of the running user
[15:49] <mup> PR snapd#11512 opened: cmd/snap-bootstrap: support booting into factory-reset mode <Run nested> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/11512>
[16:24] <mup> PR snapd#11513 opened: .github: run woke tool on PR's <Skip spread> <Created by anonymouse64> <https://github.com/snapcore/snapd/pull/11513>
[16:54] <mup> PR snapd#11514 opened: o/devicestate: write preseed-export.json when preseeding <Preseeding 🍞> <Created by stolowski> <https://github.com/snapcore/snapd/pull/11514>
[16:55] <georgios> zyga[m]: thanks a lot for the valuable information. but this leaves me with a question. this dbus-mediation should be secured by the kernel itself while now it is just a userspace daemon? also, why apparmor mediation isn't capable of applying the correct restrictions?
[17:37] <zyga[m]> I am afk, I can respond tomorrow if you stick around.
[20:38] <georgios> ok zyga[m]. i can patch my kernel but this is an interesting topic anyway
[22:32] <zyga[m]> georgios: there are several approaches, some people think that userspace filtering based on dbus proxy is better, some think that it should be handled by the kernel LSM modules. I think both have valid points. The rest is just history.
[22:32] <zyga[m]> georgios: the problem is that this patch is out of tree and it's been this way for years due to complex changes around apparmor and networking that I don't fully follow
[22:37] <amurray> zyga[m]: thanks for the heads up, I'll take a look
[22:49] <zyga[m]> Sure
[22:49] <zyga[m]> I don't think it is very serious but it might be for core20