=== stgraber_ is now known as stgraber
<jamesh> amurray: thanks for the feedback on the removable-media PR. It wasn't clear to me whether the lack of map/execute permissions was just from caution or had more reasons. I guess I'll simplify the PR down to an unconditional change then. [03:52]
<amurray> jamesh: hey - I assume it was done specifically but as you say, since there is nothing stopping a snap from copying an existing executable from a removable-media device over to somewhere it can already execute from then we may as well just add it as execute for simplicity [04:15]
<amurray> e.g. https://paste.ubuntu.com/p/86W8P8HddW/ [04:21]
<jamesh> amurray: one other thing I was working on that you might find interesting: a libseccomp patch to let it do 32-bit argument comparisons on 64-bit systems: https://github.com/seccomp/libseccomp/pull/384 [04:27]
<mup> PR seccomp/libseccomp#384: RFE: add support for comparisons against 32-bit arguments <enhancement> <priority/medium> <pending/review> <Created by jhenstridge> <https://github.com/seccomp/libseccomp/pull/384> [04:27]
<jamesh> Once we get that in, it should help simplify some of the seccomp filters by making them only act on data the syscall actually uses. [04:28]
<jamesh> making it harder to bypass [04:29]
<amurray> jamesh: thanks - yeah I saw that (I am subscribed to notifications for the upstream libseccomp github project) - that is awesome - I always find libseccomp code a bit gnarly - nice work [04:38]
<mardy> hi all [07:27]
<mup> PR snapd#11705 closed: interfaces,overlord: add support for adding extra mount layouts <Created by Meulengracht> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/11705> [07:37]
<mup> PR snapd#11742 closed: cmd/snap-bootstrap: Listen to keyboard added after start and handle switch root <Created by valentindavid> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/11742> [07:52]
<mup> PR snapd#11779 closed: cmd/snap-fde-keymgr: support for multiple devices and authorizations for add/remove recovery key <factory reset 🔌> <Created by bboozzoo> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/11779> [07:52]
<mup> PR snapd#11704 closed: tests: Apparmor sandbox profile mocking <Created by mardy> <Merged by mardy> <https://github.com/snapcore/snapd/pull/11704> [07:57]
<mardy> do you also get an error when accessing https://api.snapcraft.io/api/v1/snaps/download/eFe8BTR5L5V9F7yHeMAPxkEr2NdUXMtw_6.snap ? [08:11]
<pstolowski> mardy: I do [08:29]
<pstolowski> Unable to contact snapident. Too many retries [08:30]
<mardy> pstolowski: thanks, that's comforting, in a way :-) [08:37]
<pstolowski> mardy: might be worth reporting it to the store people [08:38]
<mardy> pstolowski: seems to be working now [08:53]
=== ackk is now known as ack
<diddledani> status.snapcraft.io shows it was down [09:00]
<mardy> mborzecki: OK, I finally understood the problem: the capabilities are blocked by AppArmor. cap_fowner is not in the profile, and for some reason no warning was being logged. I'm going to test this assumption soon, but I'm confident that that's it [09:02]
<mardy> diddledani: oh, I didn't even know of that. Thanks :-) [09:02]
<mborzecki> mardy: haha, maybe there's an explicit deny in one of the base abstractions we include, as a result there's no explicit denial logged [09:04]
<mup> PR snapd#11799 opened: [WIP] many: optional recovery keys <Run nested> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/11799> [09:27]
<mup> PR snapd#11800 opened: cmd/snap-fde-keymgr: best effort idempotency of add-recovery-key <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/11800> [09:42]