mup | PR snapcraft#3777 opened: parts: fix metadata extraction dirs <Created by cmatsuoka> <https://github.com/snapcore/snapcraft/pull/3777> | 00:37 |
---|---|---|
mup | PR snapd#11811 closed: tests: allow to re-execute aborted tests <Run nested> <Created by sergiocazzolato> <Merged by sergiocazzolato> <https://github.com/snapcore/snapd/pull/11811> | 01:43 |
mup | PR snapcraft#3745 closed: Fix/core20 ros plugin build failure should stop snapcraft <Created by Guillaumebeuzeboc> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/3745> | 02:32 |
jamesh | amurray: hi. I ran into some problems with the cups interface, and was trying to work out whether I'm misreading the AppArmor rules or if they're just buggy. | 03:08 |
jamesh | amurray: there are a bunch of dbus rules using "peer=(name=org.freedesktop.DBus,label=unconfined)," (or similar but allowing different labels) | 03:09 |
jamesh | amurray: which looks weird since no peer is going to be able to own org.freedesktop.DBus (it is reserved for dbus-daemon) | 03:10 |
jamesh | also, are the "name=" and "label=" parts of the clause combined with an "AND" or an "OR"? | 03:11 |
jamesh | the apparmor.d man page wasn't much help in determining the answer to that last one | 03:11 |
amurray | jamesh: yeah I have been confused by that in the past too... let me see if I have any notes on that as I am not sure off the top of my head (I had thought it was 'AND' semantics - ie the peer has to be both unconfined and own the name) | 03:19 |
jamesh | amurray: my understanding was that jdstrand added the name= clause to a lot of these rules to handle D-Bus activatable services (where we don't know the peer label until after the message has been approved/rejected) | 03:21 |
jamesh | but a peer can't own org.freedesktop.DBus... | 03:21 |
jamesh | amurray: the specific problem was in the cupsControlConnectedPlugAppArmor policy fragment: removing the name= part allowed messages to be received | 03:23 |
jamesh | I don't think the D-Bus activation reason really makes sense here either: if we're processing a receive rule, then the sender is already running and we'll know its AppArmor label. | 03:25 |
amurray | yeah I saw till's discussion of that - so the only other instances of name=org.freedesktop.DBus that I can see in snapd apparmor rules are for talking to dbus itself - so perhaps these (for /org/cups/cupsd/Notifier) were just wrong to begin with | 03:26 |
jamesh | Okay. I'll make a PR to update the cups-control interface here (Till was running into it). There seem to be a bunch of other interfaces with dubious rules using name=org.freedesktop.DBus where dbus-daemon isn't the source/destination | 03:28 |
amurray | sounds good | 03:29 |
jamesh | Thanks. | 03:31 |
amurray | I see a bunch in desktop-legacy, desktop, unity7 - I think these should also be updated to remove the name=org.freedesktop.DBus bit | 03:32 |
jamesh | or work out what the appropriate bus name should be | 03:33 |
amurray | yes that would probably be better | 03:38 |
jamesh | It'd be good to deprecate unity7 at some point | 03:39 |
jamesh | Anything still useful should be provided by one of combination of desktop and desktop-legacy | 03:41 |
mborzecki | morning | 06:10 |
mardy | mborzecki: hi! | 06:37 |
mborzecki | heya | 07:01 |
mup | PR snapd#11833 closed: secboot, boot: TPM provisioning mode enum, introduce reprovisioning <Run nested> <factory reset 🔌> <Created by bboozzoo> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/11833> | 08:49 |
=== benfrancis0 is now known as benfrancis | ||
mup | PR snapd#11843 opened: interfaces/builtin: remove the name=org.freedesktop.DBus restriction in cups-control AppArmor rules <Created by jhenstridge> <https://github.com/snapcore/snapd/pull/11843> | 10:14 |
mup | PR snapd#11844 opened: secboot, boot: support and use alternative PCR handles during factory reset <Run nested> <factory reset 🔌> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/11844> | 10:29 |
mup | PR snapd#11845 opened: tests/main/nfs-support: be robust against umount failures <Simple 😃> <Test Robustness> <Created by mardy> <https://github.com/snapcore/snapd/pull/11845> | 10:34 |
mup | PR snapd#11817 closed: many: print valid/invalid status on snap validate --monitor <Squash-merge> <Needs Samuele review> <validation-sets ✅> <Created by stolowski> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/11817> | 10:45 |
mup | PR snapd#11846 opened: i/b/desktop,unity7: remove name= specification on D-Bus signals <Created by mardy> <https://github.com/snapcore/snapd/pull/11846> | 14:15 |
mup | PR snapcraft#3776 closed: parts,projects: add verifications and warnings <Created by cmatsuoka> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/3776> | 14:33 |
mup | PR snapd#11728 closed: tests: remove old ubuntu-core-transition nightly tests <Simple 😃> <Created by sergiocazzolato> <Merged by sergiocazzolato> <https://github.com/snapcore/snapd/pull/11728> | 20:31 |
mup | PR snapd#11818 closed: tests: update centos images and add new centos 9 image <Created by sergiocazzolato> <Merged by sergiocazzolato> <https://github.com/snapcore/snapd/pull/11818> | 22:02 |