[05:52] amurray: hi! Is there a performance hit if an AppArmor profile contains the same rules multiple times? Or is apparmor_parser (or the kernel) smart enough to keep a single copy of them?
[05:54] mardy: I am pretty sure the parser de-dupes rules before loading them into the kernel
[05:57] amurray: thanks, then I'll definitely take your suggestion in https://github.com/snapcore/snapd/pull/12127
[05:57] PR #12127: i/b/system_packages_doc: restore access to Libreoffice documentation
[05:57] mardy: you could test this by loading a profile into the kernel, dumping it out - /sys/kernel/security/apparmor/policy/profiles/.N/raw_data - then editing the profile to contain a heap of duplicate entries, re-load it, dump it out again and check the difference
[05:57] heh also that is such a small difference surely it is not worth the optimisation?
[05:59] amurray: yep! I've updated the branch now
[08:39] PR snapd#12131 opened: client: prepare InstallSystemOptions for real use
[09:05] Hi
[09:08] Is it possible to deny access to /home//Desktop via snap connections?
[09:10] ogra is the expert here. but i think if a snap gets the "home" permission there are no further limitations
[09:10] kkkssf: hi! By default, /home//Desktop is not a directory that snaps can access. If you have a snap which uses this directory and you would like to revoke this access, please run `snap connections ` and see if it has the "home" interface connected
[09:14] well ... that really depends on the snap ... if you have the xdg-desktop portal packages installed, you have indirect access to everything ...
[09:14] there disabling the home interface would not help
[09:15] so to really lock down the system you'd have to remove the xdg-portal packages alongside with disconnecting the home interface ... but since portals also handle other things beyond file access you might lose functionality
[09:37] That sounds bad. the snap is firefox beta and i need xdg-desktop-portal for keepassxc browser integration. Is there anything i can do to keep keepassxc browser integration deny access to $HOME?
[09:39] i fear you can't, beyond making the directory completely inaccessible for the user on a filesystem level (xdg portals operate as the user, so what the user can not access is blocked)
[09:40] i guess long term the portals should be packaged more fine grained, so you could remove the file portal but keep the others or so ...
[09:41] i'd file a wishlist bug against xdg-desktop-portal
[10:15] PR snapd#12095 closed: snap/quota,wrappers: allow using 0 values for the journal rate limit
[11:30] PR snapd#12132 opened: wrappers: use a revision-agnostic paths when rewriting a desktop file
[13:02] ogra: note portals require user interaction - so as long as a user isn't choosing to say have firefox access a file in ~/Desktop then it doesn't have that permission
[13:03] ie portals spawn a file chooser dialog and then access to only the chosen file is then provided
[13:21] PR snapd#11157 closed: overlord: extended ssl support, synthetic update-ca-certification functionality
[13:40] amurray, that doesn't help an admin that wants to prevent users from storing stuff in ~/Desktop
[13:41] PR snapd#12131 closed: client: prepare InstallSystemOptions for real use
[13:41] portals sadly completely circumvent the use of interfaces, without the ability of fine grained control
[13:41] (not that interfaces have more fine grained control either indeed 🙂 )
[16:41] PR snapd#12133 opened: client: prepare InstallSystemOptions for real use
[20:47] PR snapd#12134 opened: interfaces/u2f-devices: Add Flipper Zero U2F support (https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1989376)