[00:37] <mup> PR snapcraft#3777 opened: parts: fix metadata extraction dirs <Created by cmatsuoka> <https://github.com/snapcore/snapcraft/pull/3777>
[01:43] <mup> PR snapd#11811 closed: tests: allow to re-execute aborted tests  <Run nested> <Created by sergiocazzolato> <Merged by sergiocazzolato> <https://github.com/snapcore/snapd/pull/11811>
[02:32] <mup> PR snapcraft#3745 closed: Fix/core20 ros plugin build failure should stop snapcraft <Created by Guillaumebeuzeboc> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/3745>
[03:08] <jamesh> amurray: hi. I ran into some problems with the cups interface, and was trying to work out whether I'm misreading the AppArmor rules or if they're just buggy.
[03:09] <jamesh> amurray: there are a bunch of dbus rules using "peer=(name=org.freedesktop.DBus,label=unconfined)," (or similar but allowing different labels)
[03:10] <jamesh> amurray: which looks weird since no peer is going to be able to own org.freedesktop.DBus (it is reserved for dbus-daemon)
[03:11] <jamesh> also, are the "name=" and "label=" parts of the clause combined with an "AND" or an "OR"?
[03:11] <jamesh> the apparmor.d man page wasn't much help in determining the answer to that last one
[03:19] <amurray> jamesh: yeah I have been confused by that in the past too... let me see if I have any notes on that as I am not sure off the top of my head (I had thought it was 'AND' semantics - ie the peer has to be both unconfined and own the name)
[03:21] <jamesh> amurray: my understanding was that jdstrand added the name= clause to a lot of these rules to handle D-Bus activatable services (where we don't know the peer label until after the message has been approved/rejected)
[03:21] <jamesh> but a peer can't own org.freedesktop.DBus...
[03:23] <jamesh> amurray: the specific problem was in the cupsControlConnectedPlugAppArmor policy fragment: removing the name= part allowed messages to be received
[03:25] <jamesh> I don't think the D-Bus activation reason really makes sense here either: if we're processing a receive rule, then the sender is already running and we'll know its AppArmor label.
[03:26] <amurray> yeah I saw till's discussion of that - so the only other instances of name=org.freedesktop.DBus that I can see in snapd apparmor rules are for talking to dbus itself - so perhaps these (for /org/cups/cupsd/Notifier) were just wrong to begin with
[03:28] <jamesh> Okay. I'll make a PR to update the cups-control interface here (Till was running into it). There seem to be a bunch of other interfaces with dubious rules using name=org.freedesktop.DBus where dbus-daemon isn't the source/destination
[03:29] <amurray> sounds good
[03:31] <jamesh> Thanks.
[03:32] <amurray> I see a bunch in desktop-legacy, desktop, unity7 - I think these should also be updated to remove the name=org.freedesktop.DBus bit 
[03:33] <jamesh> or work out what the appropriate bus name should be
[03:38] <amurray> yes that would probably be better
[03:39] <jamesh> It'd be good to deprecate unity7 at some point
[03:41] <jamesh> Anything still useful should be provided by one of combination of desktop and desktop-legacy
[06:10] <mborzecki> morning
[06:37] <mardy> mborzecki: hi!
[07:01] <mborzecki> heya
[08:49] <mup> PR snapd#11833 closed: secboot, boot: TPM provisioning mode enum, introduce reprovisioning <Run nested> <factory reset 🔌> <Created by bboozzoo> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/11833>
=== benfrancis0 is now known as benfrancis
[10:14] <mup> PR snapd#11843 opened: interfaces/builtin: remove the name=org.freedesktop.DBus restriction in cups-control AppArmor rules <Created by jhenstridge> <https://github.com/snapcore/snapd/pull/11843>
[10:29] <mup> PR snapd#11844 opened: secboot, boot: support and use alternative PCR handles during factory reset <Run nested> <factory reset 🔌> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/11844>
[10:34] <mup> PR snapd#11845 opened: tests/main/nfs-support: be robust against umount failures <Simple 😃> <Test Robustness> <Created by mardy> <https://github.com/snapcore/snapd/pull/11845>
[10:45] <mup> PR snapd#11817 closed: many: print valid/invalid status on snap validate --monitor  <Squash-merge> <Needs Samuele review> <validation-sets :white_check_mark:> <Created by stolowski> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/11817>
[14:15] <mup> PR snapd#11846 opened: i/b/desktop,unity7: remove name= specification on D-Bus signals <Created by mardy> <https://github.com/snapcore/snapd/pull/11846>
[14:33] <mup> PR snapcraft#3776 closed: parts,projects: add verifications and warnings <Created by cmatsuoka> <Merged by sergiusens> <https://github.com/snapcore/snapcraft/pull/3776>
[20:31] <mup> PR snapd#11728 closed: tests: remove old ubuntu-core-transition nightly tests <Simple 😃> <Created by sergiocazzolato> <Merged by sergiocazzolato> <https://github.com/snapcore/snapd/pull/11728>
[22:02] <mup> PR snapd#11818 closed: tests: update centos images and add new centos 9 image <Created by sergiocazzolato> <Merged by sergiocazzolato> <https://github.com/snapcore/snapd/pull/11818>