/srv/irclogs.ubuntu.com/2022/09/12/#snappy.txt

[05:52] <mardy> amurray: hi! Is there a performance hit if an AppArmor profile contains the same rules multiple times? Or is apparmor_parser (or the kernel) smart enough to keep a single copy of them?
[05:54] <amurray> mardy: I am pretty sure the parser de-dupes rules before loading them into the kernel
[05:57] <mardy> amurray: thanks, then I'll definitely take your suggestion in https://github.com/snapcore/snapd/pull/12127
[05:57] <mup> PR #12127: i/b/system_packages_doc: restore access to Libreoffice documentation <Created by mardy> <https://github.com/snapcore/snapd/pull/12127>
[05:57] <amurray> mardy: you could test this by loading a profile into the kernel, dumping it out - /sys/kernel/security/apparmor/policy/profiles/<profile_name>.N/raw_data - then editing the profile to contain a heap of duplicate entries, re-load it, dump it out again and check the difference
[05:57] <amurray> heh also that is such a small difference surely it is not worth the optimisation?
[05:59] <mardy> amurray: yep! I've updated the branch now
[08:39] <mup> PR snapd#12131 opened: client: prepare InstallSystemOptions for real use <Created by mvo5> <https://github.com/snapcore/snapd/pull/12131>
[09:05] <kkkssf> Hi
[09:08] <kkkssf> Is it possible to deny access to /home/<USER>/Desktop via snap connections?
[09:10] <ravage> ogra is the expert here. but i think if a snap gets the "home" permission there are no further limitations
[09:10] <mardy> kkkssf: hi! By default, /home/<USER>/Desktop is not a directory that snaps can access. If you have a snap which uses this directory and you would like to revoke this access, please run `snap connections <snap-name>` and see if it has the "home" interface connected
[09:14] <ogra> well ... that really depends on the snap ... if you have the xdg-desktop portal packages installed, you have indirect access to everything ...
[09:14] <ogra> there disabling the home interface would not help
[09:15] <ogra> so to really lock down the system you'd have to remove the xdg-portal packages alongside with disconnecting the home interface ... but since portals also handle other things beyond file access you might lose functionality
[09:37] <kkkssf> That sounds bad. the snap is firefox beta and i need xdg-desktop-portal for keepassxc browser integration. Is there anything i can do to keep keepassxc browser integration and deny access to $HOME?
[09:39] <ogra> i fear you can't, beyond making the directory completely inaccessible for the user on a filesystem level (xdg portals operate as the user, so what the user can not access is blocked)
[09:40] <ogra> i guess long term the portals should be packaged more fine grained, so you could remove the file portal but keep the others or so ...
[09:41] <ogra> i'd file a wishlist bug against xdg-desktop-portal
[10:15] <mup> PR snapd#12095 closed: snap/quota,wrappers: allow using 0 values for the journal rate limit <quota> <Created by Meulengracht> <Merged by Meulengracht> <https://github.com/snapcore/snapd/pull/12095>
[11:30] <mup> PR snapd#12132 opened: wrappers: use a revision-agnostic paths when rewriting a desktop file <Created by oSoMoN> <https://github.com/snapcore/snapd/pull/12132>
[13:02] <amurray> ogra: note portals require user interaction - so as long as a user isn't choosing to say have firefox access a file in ~/Desktop then it doesn't have that permission
[13:03] <amurray> ie portals spawn a file chooser dialog and then access to only the chosen file is then provided
[13:21] <mup> PR snapd#11157 closed: overlord: extended ssl support, synthetic update-ca-certification functionality <Precious but later :heart:> <Created by Meulengracht> <Closed by Meulengracht> <https://github.com/snapcore/snapd/pull/11157>
[13:40] <ogra> amurray, that doesn't help an admin that wants to prevent users from storing stuff in ~/Desktop
[13:41] <mup> PR snapd#12131 closed: client: prepare InstallSystemOptions for real use <Created by mvo5> <Closed by mvo5> <https://github.com/snapcore/snapd/pull/12131>
[13:41] <ogra> portals sadly completely circumvent the use of interfaces, without the ability of fine grained control
[13:41] <ogra> (not that interfaces have more fine grained control either indeed 🙂 )
[16:41] <mup> PR snapd#12133 opened: client: prepare InstallSystemOptions for real use <Created by mvo5> <https://github.com/snapcore/snapd/pull/12133>
[20:47] <mup> PR snapd#12134 opened: interfaces/u2f-devices: Add Flipper Zero U2F support (https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1989376) <Created by ChrisMacNaughton> <https://github.com/snapcore/snapd/pull/12134>
