Nick | Message | Time |
---|---|---|
mardy | amurray: hi! Is there a performance hit if an AppArmor profile contains the same rules multiple times? Or is apparmor_parser (or the kernel) smart enough to keep a single copy of them? | 05:52 |
amurray | mardy: I am pretty sure the parser de-dupes rules before loading them into the kernel | 05:54 |
mardy | amurray: thanks, then I'll definitely take your suggestion in https://github.com/snapcore/snapd/pull/12127 | 05:57 |
mup | PR #12127: i/b/system_packages_doc: restore access to Libreoffice documentation <Created by mardy> <https://github.com/snapcore/snapd/pull/12127> | 05:57 |
amurray | mardy: you could test this by loading a profile into the kernel, dumping it out - /sys/kernel/security/apparmor/policy/profiles/<profile_name>.N/raw_data - then editing the profile to contain a heap of duplicate entries, re-load it, dump it out again and check the difference | 05:57 |
amurray | heh also that is such a small difference surely it is not worth the optimisation? | 05:57 |
mardy | amurray: yep! I've updated the branch now | 05:59 |
mup | PR snapd#12131 opened: client: prepare InstallSystemOptions for real use <Created by mvo5> <https://github.com/snapcore/snapd/pull/12131> | 08:39 |
kkkssf | Hi | 09:05 |
kkkssf | Is it possible to deny access to /home/<USER>/Desktop via snap connections? | 09:08 |
ravage | ogra is the expert here. but i think if a snap gets the "home" permission there are no further limitations | 09:10 |
mardy | kkkssf: hi! By default, /home/<USER>/Desktop is not a directory that snaps can access. If you have a snap which uses this directory and you would like to revoke this access, please run `snap connections <snap-name>` and see if it has the "home" interface connected | 09:10 |
ogra | well ... that really depends on the snap ... if you have the xdg-desktop portal packages installed, you have indirect access to everything ... | 09:14 |
ogra | there disabling the home interface would not help | 09:14 |
ogra | so to really lock down the system you'd have to remove the xdg-portal packages alongside with disconnecting the home interface ... but since portals also handle other things beyond file access you might lose functionality | 09:15 |
kkkssf | That sounds bad. The snap is firefox beta and I need xdg-desktop-portal for keepassxc browser integration. Is there anything I can do to keep keepassxc browser integration but deny access to $HOME? | 09:37 |
ogra | i fear you can't, beyond making the directory completely inaccessible for the user on a filesystem level (xdg portals operate as the user, so what the user can not access is blocked) | 09:39 |
ogra | i guess long term the portals should be packaged more fine grained, so you could remove the file portal but keep the others or so ... | 09:40 |
ogra | i'd file a wishlist bug against xdg-desktop-portal | 09:41 |
mup | PR snapd#12095 closed: snap/quota,wrappers: allow using 0 values for the journal rate limit <quota> <Created by Meulengracht> <Merged by Meulengracht> <https://github.com/snapcore/snapd/pull/12095> | 10:15 |
mup | PR snapd#12132 opened: wrappers: use a revision-agnostic paths when rewriting a desktop file <Created by oSoMoN> <https://github.com/snapcore/snapd/pull/12132> | 11:30 |
amurray | ogra: note portals require user interaction - so as long as a user isn't choosing to say have firefox access a file in ~/Desktop then it doesn't have that permission | 13:02 |
amurray | ie portals spawn a file chooser dialog and then access to only the chosen file is then provided | 13:03 |
mup | PR snapd#11157 closed: overlord: extended ssl support, synthetic update-ca-certification functionality <Precious but later :heart:> <Created by Meulengracht> <Closed by Meulengracht> <https://github.com/snapcore/snapd/pull/11157> | 13:21 |
ogra | amurray, that doesn't help an admin that wants to prevent users from storing stuff in ~/Desktop | 13:40 |
mup | PR snapd#12131 closed: client: prepare InstallSystemOptions for real use <Created by mvo5> <Closed by mvo5> <https://github.com/snapcore/snapd/pull/12131> | 13:41 |
ogra | portals sadly completely circumvent the use of interfaces, without the ability of fine grained control | 13:41 |
ogra | (not that interfaces have more fine grained control either indeed 🙂 ) | 13:41 |
mup | PR snapd#12133 opened: client: prepare InstallSystemOptions for real use <Created by mvo5> <https://github.com/snapcore/snapd/pull/12133> | 16:41 |
mup | PR snapd#12134 opened: interfaces/u2f-devices: Add Flipper Zero U2F support (https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1989376) <Created by ChrisMacNaughton> <https://github.com/snapcore/snapd/pull/12134> | 20:47 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!