[05:52] <mardy> amurray: hi! Is there a performance hit if an AppArmor profile contains the same rules multiple times? Or is apparmor_parser (or the kernel) smart enough to keep a single copy of them?
[05:54] <amurray> mardy: I am pretty sure the parser de-dupes rules before loading them into the kernel
[05:57] <mardy> amurray: thanks, then I'll definitely take your suggestion in https://github.com/snapcore/snapd/pull/12127
[05:57] <mup> PR #12127: i/b/system_packages_doc: restore access to Libreoffice documentation <Created by mardy> <https://github.com/snapcore/snapd/pull/12127>
[05:57] <amurray> mardy: you could test this by loading a profile into the kernel, dumping it out - /sys/kernel/security/apparmor/policy/profiles/<profile_name>.N/raw_data - then editing the profile to contain a heap of duplicate entries, re-load it, dump it out again and check the difference
[05:57] <amurray> heh also that is such a small difference surely it is not worth the optimisation?
[05:59] <mardy> amurray: yep! I've updated the branch now
[08:39] <mup> PR snapd#12131 opened: client: prepare InstallSystemOptions for real use <Created by mvo5> <https://github.com/snapcore/snapd/pull/12131>
[09:05] <kkkssf> Hi
[09:08] <kkkssf> Is it possible to deny access to /home/<USER>/Desktop via snap connections?
[09:10] <ravage> ogra is the expert here. but i think if a snap gets the "home" permission there are no further limitations 
[09:10] <mardy> kkkssf: hi! By default, /home/<USER>/Desktop is not a directory that snaps can access. If you have a snap which uses this directory and you would like to revoke this access, please run `snap connections <snap-name>` and see if it has the "home" interface connected
[09:14] <ogra> well ... that really depends on the snap ... if you have the xdg-desktop portal packages installed, you have indirect access to everything ... 
[09:14] <ogra> there disabling the home interface would not help
[09:15] <ogra> so to really lock down the system you'd have to remove the xdg-portal packages alongside with disconnecting the home interface ... but since portals also handle other things beyond file access you might lose functionality 
[09:37] <kkkssf> That sounds bad. the snap is firefox beta and i need xdg-desktop-portal for keepassxc browser integration. Is there anything i can do to keep keepassxc browser integration and deny access to $HOME?
[09:39] <ogra> i fear you can't, beyond making the directory completely inaccessible for the user on a filesystem level (xdg portals operate as the user, so what the user can not access is blocked)
[09:40] <ogra> i guess long term the portals should be packaged more fine grained, so you could remove the file portal but keep the others or so ... 
[09:41] <ogra> i'd file a wishlist bug against xdg-desktop-portal
[10:15] <mup> PR snapd#12095 closed: snap/quota,wrappers: allow using 0 values for the journal rate limit <quota> <Created by Meulengracht> <Merged by Meulengracht> <https://github.com/snapcore/snapd/pull/12095>
[11:30] <mup> PR snapd#12132 opened: wrappers: use a revision-agnostic paths when rewriting a desktop file <Created by oSoMoN> <https://github.com/snapcore/snapd/pull/12132>
[13:02] <amurray> ogra: note portals require user interaction - so as long as a user isn't choosing to say have firefox access a file in ~/Desktop then it doesn't have that permission
[13:03] <amurray> ie portals spawn a file chooser dialog and then access to only the chosen file is then provided 
[13:21] <mup> PR snapd#11157 closed: overlord: extended ssl support, synthetic update-ca-certification functionality <Precious but later :heart:> <Created by Meulengracht> <Closed by Meulengracht> <https://github.com/snapcore/snapd/pull/11157>
[13:40] <ogra> amurray, that doesn't help an admin that wants to prevent users from storing stuff in ~/Desktop
[13:41] <mup> PR snapd#12131 closed: client: prepare InstallSystemOptions for real use <Created by mvo5> <Closed by mvo5> <https://github.com/snapcore/snapd/pull/12131>
[13:41] <ogra> portals sadly completely circumvent the use of interfaces, without the ability of fine grained control
[13:41] <ogra> (not that interfaces have more fine grained control either indeed 🙂 )
[16:41] <mup> PR snapd#12133 opened: client: prepare InstallSystemOptions for real use <Created by mvo5> <https://github.com/snapcore/snapd/pull/12133>
[20:47] <mup> PR snapd#12134 opened: interfaces/u2f-devices: Add Flipper Zero U2F support (https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1989376) <Created by ChrisMacNaughton> <https://github.com/snapcore/snapd/pull/12134>