| === stgraber_ is now known as stgraber | ||
| jamesh | amurray: thanks for the feedback on the removable-media PR. It wasn't clear to me whether the lack of map/execute permissions was just from caution or had more reasons. I guess I'll simplify the PR down to an unconditional change then. | 03:52 |
|---|---|---|
| amurray | jamesh: hey - I assume it was done specifically but as you say, since there is nothing stopping a snap from copying an existing executable from a removable-media device over to somewhere it can already execute from then we may as well just add it as execute for simplicity | 04:15 |
| amurray | e.g. https://paste.ubuntu.com/p/86W8P8HddW/ | 04:21 |
| jamesh | amurray: one other thing I was working on that you might find interesting: a libseccomp patch to let it do 32-bit argument comparisons on 64-bit systems: https://github.com/seccomp/libseccomp/pull/384 | 04:27 |
| mup | PR seccomp/libseccomp#384: RFE: add support for comparisons against 32-bit arguments <enhancement> <priority/medium> <pending/review> <Created by jhenstridge> <https://github.com/seccomp/libseccomp/pull/384> | 04:27 |
| jamesh | Once we get that in, it should help simplify some of the seccomp filters by making them only act on data the syscall actually uses. | 04:28 |
| jamesh | making it harder to bypass | 04:29 |
| amurray | jamesh: thanks - yeah I saw that (I am subscribed to notifications for the upstream libseccomp github project) - that is awesome - I always find libseccomp code a bit gnarly - nice work | 04:38 |
| mborzecki | morning | 06:03 |
| pstolowski | morning | 07:08 |
| mardy | hi all | 07:27 |
| mup | PR snapd#11705 closed: interfaces,overlord: add support for adding extra mount layouts <Created by Meulengracht> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/11705> | 07:37 |
| mup | PR snapd#11742 closed: cmd/snap-bootstrap: Listen to keyboard added after start and handle switch root <Created by valentindavid> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/11742> | 07:52 |
| mup | PR snapd#11779 closed: cmd/snap-fde-keymgr: support for multiple devices and authorizations for add/remove recovery key <factory reset 🔌> <Created by bboozzoo> <Merged by mvo5> <https://github.com/snapcore/snapd/pull/11779> | 07:52 |
| mup | PR snapd#11704 closed: tests: Apparmor sandbox profile mocking <Created by mardy> <Merged by mardy> <https://github.com/snapcore/snapd/pull/11704> | 07:57 |
| mardy | do you also get an error when accessing https://api.snapcraft.io/api/v1/snaps/download/eFe8BTR5L5V9F7yHeMAPxkEr2NdUXMtw_6.snap ? | 08:11 |
| pstolowski | mardy: I do | 08:29 |
| pstolowski | Unable to contact snapident. Too many retries | 08:30 |
| mardy | pstolowski: thanks, that's comforting, in a way :-) | 08:37 |
| pstolowski | mardy: might be worth reporting it to the store people | 08:38 |
| mardy | pstolowski: seems to be working now | 08:53 |
| === ackk is now known as ack | ||
| diddledani | status.snapcraft.io shows it was down | 09:00 |
| mardy | mborzecki: OK, I finally understood the problem: the capabilities are blocked by AppArmor. cap_fowner is not in the profile, and for some reason no warning was being logger. I'm going to test this assumption soon, but I'm confident that that's it | 09:02 |
| mardy | diddledani: oh, I didn't even know of that. Thanks :-) | 09:02 |
| mborzecki | mardy: haha, maybe there's an explicit deny in one of the base abstractions we include, as a result there's no explicit denial logged | 09:04 |
| mup | PR snapd#11799 opened: [WIP] many: optional recovery keys <Run nested> <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/11799> | 09:27 |
| mup | PR snapd#11800 opened: cmd/snap-fde-keymgr: best effort idempotency of add-recovery-key <Created by bboozzoo> <https://github.com/snapcore/snapd/pull/11800> | 09:42 |
Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!