From 4944517743685595bda10c1424ddf16596a031a8 Mon Sep 17 00:00:00 2001
From: Maciek Borzecki
Date: Nov 02 2021 12:11:43 +0000
Subject: snapd: update to 2.53.1
Signed-off-by: Maciek Borzecki
---
diff --git a/.gitignore b/.gitignore
index 27b917f..2a447c9 100644
--- a/.gitignore
+++ b/.gitignore
@@ -72,3 +72,5 @@
 /snapd_2.51.7.only-vendor.tar.xz
 /snapd_2.52.no-vendor.tar.xz
 /snapd_2.52.only-vendor.tar.xz
+/snapd_2.53.1.no-vendor.tar.xz
+/snapd_2.53.1.only-vendor.tar.xz
diff --git a/0001-cmd-libsnap-confine-private-g_spawn_check_exit_statu.patch b/0001-cmd-libsnap-confine-private-g_spawn_check_exit_statu.patch
deleted file mode 100644
index 31fdf6d..0000000
--- a/0001-cmd-libsnap-confine-private-g_spawn_check_exit_statu.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-From 243900000f145eddc6b6bf1546400a9556bb2762 Mon Sep 17 00:00:00 2001
-Message-Id: <243900000f145eddc6b6bf1546400a9556bb2762.1627382870.git.maciej.zenon.borzecki@canonical.com>
-From: Maciej Borzecki
-Date: Tue, 27 Jul 2021 09:46:29 +0200
-Subject: [PATCH] cmd/libsnap-confine-private: g_spawn_check_exit_status is
- deprecated since glib 2.69
-
-With https://gitlab.gnome.org/GNOME/glib/-/merge_requests/1967 the
-g_spawn_check_exit_status call is flagged as deprecated now. This also broke in
-F35 mass rebuild in Rawhide:
-
-make[1]: Leaving directory '/builddir/build/BUILD/snapd-2.51/cmd'
-libsnap-confine-private/test-utils.c: In function 'rm_rf_tmp':
-libsnap-confine-private/test-utils.c:63:9: error: 'g_spawn_check_exit_status' is deprecated: Use 'g_spawn_check_wait_status' instead [-Werror=deprecated-declarations]
- 63 | g_assert_true(g_spawn_check_exit_status(exit_status, NULL));
- | ^~~~~~~~~~~~~
-In file included from /usr/include/glib-2.0/glib.h:81,
- from libsnap-confine-private/test-utils.c:24:
-/usr/include/glib-2.0/glib/gspawn.h:280:10: note: declared here
- 280 | gboolean g_spawn_check_exit_status (gint wait_status,
- | ^~~~~~~~~~~~~~~~~~~~~~~~~
-cc1: all warnings being treated as errors
-make[1]: *** [Makefile:2705: libsnap-confine-private/libsnap_confine_private_unit_tests-test-utils.o] Error 1
-make[1]: *** Waiting for unfinished jobs....
-
-Signed-off-by: Maciej Borzecki
----
- cmd/libsnap-confine-private/test-utils.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/cmd/libsnap-confine-private/test-utils.c b/cmd/libsnap-confine-private/test-utils.c
-index c3e17a18d91b32da04f5febc802926942011ca9c..5cf4eb53de693ad17294c5eede3bd05339395878 100644
---- a/cmd/libsnap-confine-private/test-utils.c
-+++ b/cmd/libsnap-confine-private/test-utils.c
-@@ -23,6 +23,11 @@
-
- #include
-
-+#if !GLIB_CHECK_VERSION(2, 69, 0)
-+// g_spawn_check_exit_status is considered deprecated since 2.69
-+#define g_spawn_check_wait_status(x, y) (g_spawn_check_exit_status (x, y))
-+#endif
-+
- void rm_rf_tmp(const char *dir)
- {
- // Sanity check, don't remove anything that's not in the temporary
-@@ -60,7 +65,7 @@ void rm_rf_tmp(const char *dir)
- (working_directory, argv, envp, flags, child_setup,
- user_data, standard_output, standard_error, &exit_status,
- &error));
-- g_assert_true(g_spawn_check_exit_status(exit_status, NULL));
-+ g_assert_true(g_spawn_check_wait_status(exit_status, NULL));
- if (error != NULL) {
- g_test_message("cannot remove temporary directory: %s\n",
- error->message);
---
-2.32.0
-
diff --git a/0001-data-selinux-allow-snap-confine-to-read-udev-s-datab.patch b/0001-data-selinux-allow-snap-confine-to-read-udev-s-datab.patch
new file mode 100644
index 0000000..b24a95c
--- /dev/null
+++ b/0001-data-selinux-allow-snap-confine-to-read-udev-s-datab.patch
@@ -0,0 +1,37 @@
+From 463edb369455fff83ea2fefcd932cbf64d48e285 Mon Sep 17 00:00:00 2001
+Message-Id: <463edb369455fff83ea2fefcd932cbf64d48e285.1635853306.git.maciej.zenon.borzecki@canonical.com>
+From: Maciej Borzecki
+Date: Thu, 28 Oct 2021 12:03:40 +0200
+Subject: [PATCH] data/selinux: allow snap-confine to read udev's database
+
+These denials occasionally pop up when snap-confine starts inspecting assigned
+devices:
+
+----
+type=AVC msg=audit(10/28/21 06:54:05.000:11501) : avc: denied { read } for pid=56565 comm=snap-confine name=c1:7 dev="tmpfs" ino=17684 scontext=system_u:system_r:snappy_confine_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
+----
+type=AVC msg=audit(10/28/21 06:54:05.000:11502) : avc: denied { open } for pid=56565 comm=snap-confine path=/run/udev/data/c1:7 dev="tmpfs" ino=17684 scontext=system_u:system_r:snappy_confine_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
+----
+type=AVC msg=audit(10/28/21 06:54:05.000:11503) : avc: denied { getattr } for pid=56565 comm=snap-confine path=/run/udev/data/c1:7 dev="tmpfs" ino=17684 scontext=system_u:system_r:snappy_confine_t:s0 tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
+-----
+
+Signed-off-by: Maciej Borzecki
+---
+ data/selinux/snappy.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/data/selinux/snappy.te b/data/selinux/snappy.te
+index a28a924c62f04e885cf395e7d2e80b25fca4e41f..91c6f231c6dddbc16d69962b1b5f3c0f0a0e720f 100644
+--- a/data/selinux/snappy.te
++++ b/data/selinux/snappy.te
+@@ -591,6 +591,7 @@ init_read_state(snappy_confine_t)
+
+ # libudev
+ udev_manage_pid_dirs(snappy_confine_t)
++udev_read_db(snappy_confine_t)
+
+ # basic access to system info in /proc
+ kernel_read_system_state(snappy_confine_t)
+--
+2.33.1
+
diff --git a/0002-interfaces-seccomp-add-clone3-to-default-template.patch b/0002-interfaces-seccomp-add-clone3-to-default-template.patch
deleted file mode 100644
index 0487bd9..0000000
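Review bot: The added `udev_read_db(snappy_confine_t)` in the embedded snappy.te hunk sits under the bare `# libudev` comment, so the policy itself does not record why snap-confine needs read access to udev's database. The AVC records in the patch description show only read, open and getattr on `/run/udev/data/c1:7` (type `udev_var_run_t`), while the interface presumably covers every file of that type rather than the one device entry, so the intent is worth stating next to the rule, for example `# snap-confine reads /run/udev/data/* when inspecting devices assigned to a snap`. The denials were captured with `permissive=1`; a run on an enforcing host that shows no remaining `udev_var_run_t` denials for `snappy_confine_t` would confirm the single rule is sufficient.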
--- a/0002-interfaces-seccomp-add-clone3-to-default-template.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 999c2e61f07e18081916936665291834770a2ee1 Mon Sep 17 00:00:00 2001
-Message-Id: <999c2e61f07e18081916936665291834770a2ee1.1632894658.git.maciej.zenon.borzecki@canonical.com>
-From: Maciej Borzecki
-Date: Mon, 27 Sep 2021 12:00:53 +0200
-Subject: [PATCH] interfaces/seccomp: add clone3 to default template
-
-Recent combinations of Go 1.17, glibc 2.34 and Linux 5.14 ended up triggering
-pthread_create() code paths that try to use clone3() syscall when executing
-snap-exec. Since snap-exec runs under the seccomp profile of the application,
-make sure that clone3 is allowed in the default template. Also, applications may
-trigger this code path themselves anyway.
-
-The strace output when this fails looks like this:
-
-mprotect(0x7f4ad3ea2000, 8388608, PROT_READ|PROT_WRITE) = 0
-rt_sigprocmask(SIG_BLOCK, ~[], ~[KILL STOP RTMIN RT_1], 8) = 0
-syscall_435(0x7ffc466b4c60, 0x58, 0x58b300, 0x8, 0x7f4ad46a1640, 0x7ffc466b4d4f) = -1 (errno 1)
-rt_sigprocmask(SIG_SETMASK, ~[KILL STOP RTMIN RT_1], NULL, 8) = 0
-rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
-write(2, "runtime/cgo: ", 13runtime/cgo: ) = 13
-write(2, "pthread_create failed: Operation not permitted", 46pthread_create
-failed: Operation not permitted) = 46
-
-Where syscall 435 is also known as clone3:
-
-$ scmp_sys_resolver 435
-clone3
-
-Signed-off-by: Maciej Borzecki
----
- interfaces/seccomp/template.go | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/interfaces/seccomp/template.go b/interfaces/seccomp/template.go
-index a84de18a819a5bd3e6323242952633087cfbfd81..583f8cd9fdff1044459127c6db056a7bbc3a1b21 100644
---- a/interfaces/seccomp/template.go
-+++ b/interfaces/seccomp/template.go
-@@ -103,6 +103,7 @@ clock_gettime64
- clock_nanosleep
- clock_nanosleep_time64
- clone
-+clone3
- close
-
- # needed by ls -l
---
-2.33.0
-
diff --git a/snapd.spec b/snapd.spec
index 964875a..d63506e 100644
--- a/snapd.spec
+++ b/snapd.spec @@ -85,17 +85,15 @@ %{!?_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators} Name: snapd -Version: 2.52 +Version: 2.53.1 Release: 1%{?dist} Summary: A transactional software package manager License: GPLv3 URL: https://%{provider_prefix} Source0: https://%{provider_prefix}/releases/download/%{version}/%{name}_%{version}.no-vendor.tar.xz Source1: https://%{provider_prefix}/releases/download/%{version}/%{name}_%{version}.only-vendor.tar.xz -# cherry-picked from https://github.com/snapcore/snapd/commit/243900000f145eddc6b6bf1546400a9556bb2762 -Patch0: 0001-cmd-libsnap-confine-private-g_spawn_check_exit_statu.patch -# cherry-picked from https://github.com/snapcore/snapd/commit/999c2e61f07e18081916936665291834770a2ee1 -Patch1: 0002-interfaces-seccomp-add-clone3-to-default-template.patch +# cherry-picked from https://github.com/snapcore/snapd/commit/463edb369455fff83ea2fefcd932cbf64d48e285 +Patch0: 0001-data-selinux-allow-snap-confine-to-read-udev-s-datab.patch %if 0%{?with_goarches} # e.g. el6 has ppc64 arch without gcc-go, so EA tag is required 
@@ -942,6 +940,396 @@ fi %changelog +* Tue Nov 2 2021 Maciek Borzecki - 2.53.1-1 +- Release 2.53.1 to Fedora + +* Thu Oct 21 2021 Ian Johnson +- New upstream release 2.53.1 + - spread: run lxd tests with version from latest/stable + - secboot: use latest secboot with tpm legacy platform and v2 fully + optional (#10946) + - cmd/snap-confine: die when snap process is outside of snap + specific cgroup (2.53) + - interfaces/u2f-devices: add Nitrokey 3 + - Update the ubuntu-image channel to candidate + - Allow hostnames up to 253 characters, with dot-delimited elements + (as suggested by man 7 hostname). + - Disable i386 until it is possible to build snapd using lxd + - o/snapstate, hookstate: print remaining hold time on snapctl + --hold + - tests/snapd-sigterm: be more robust against service restart + - tests: add a regression test for snapd hanging on SIGTERM + - daemon: use the syscall connection to get the socket + credentials + - interfaces/builtin/hardware-observer: add /proc/bus/input/devices + too + - cmd/snap-confine/snap-confine.apparmor.in: update ld rule for + s390x impish + - interface/modem-manager: add accept for MBIM/QMI proxy clients + - secboot: revert move to new version + +* Tue Oct 05 2021 Michael Vogt +- New upstream release 2.53 + - overlord: fix generated snap-revision assertions in remodel unit + tests + - snap-bootstrap: wait in `mountNonDataPartitionMatchingKernelDisk` + - interfaces/modem-manager: add access to PCIe modems + - overlord/devicestate: record recovery capable system on a + successful remodel + - o/snapstate: use device ctx in prerequisite install/update + - osutil/disks: support filtering by mount opts in + MountPointsForPartitionRoot + - many: support an API flag system-restart-immediate to make snap + ops proceed immediately with system restarts + - osutil/disks: add RootMountPointsForPartition + - overlord/devicestate, tests: enable UC20 remodel, add spread tests + - cmd/snap: improve snap run help message + - o/snapstate: 
support ignore validation flag on install/update + - osutil/disks: add Disk.FindMatchingPartitionWith{Fs,Part}Label + - desktop: implement gtk notification backend and provide minimal + notification api + - tests: use the latest cpu family for nested tests execution + - osutil/disks: add Partition struct and Disks.Partitions() + - o/snapstate: prevent install hang if prereq install fails + - osutil/disks: add Disk.KernelDevice{Node,Path} methods + - disks: add `Size(path)` helper + - tests: reset some mount units failing on ubuntu impish + - osutil/disks: add DiskFromDevicePath, other misc changes + - interfaces/apparmor: do not fail during initialization when there + is no AppArmor profile for snap-confine + - daemon: implement access checkers for themes API + - interfaces/seccomp: add clone3 to default template + - interfaces/u2f-devices: add GoTrust Idem Key + - o/snapstate: validation sets enforcing on update + - o/ifacestate: don't fail remove if disconnect hook fails + - tests: fix error trying to create the extra-snaps dir which + already exists + - devicestate: use EncryptionType + - cmd/libsnap-confine-private: workaround BPF memory accounting, + update apparmor profile + - tests: skip system-usernames-microk8s when TRUST_TEST_KEYS is + false + - interfaces/dsp: add a usb rule to the ambarella flavor + - interfaces/apparmor/template.go: allow inspection of dbus + mediation level + - tests/main/security-device-cgroups: fix when both variants run on + the same host + - cmd/snap-confine: update s-c apparmor profile to allow versioned + ld.so + - many: rename systemd.Kind to Backend for a bit more clarity + - cmd/libsnap-confine-private: fix set but unused variable in the + unit tests + - tests: fix netplan test on i386 architecture + - tests: fix lxd-mount-units test which is based on core20 in ubuntu + focal system + - osutil/disks: add new `CreateLinearMapperDevice` helper + - cmd/snap: wait while inhibition file is present + - tests: cleanup the job 
workspace as first step of the actions + workflow + - tests: use our own image for ubuntu impish + - o/snapstate: update default provider if missing required content + - o/assertstate, api: update validation set assertions only when + updating all snaps + - fde: add HasDeviceUnlock() helper + - secboot: move to new version + - o/ifacestate: don't lose connections if snaps are broken + - spread: display information about current device cgroup in debug + dump + - sysconfig: set TMPDIR in tests to avoid cluttering the real /tmp + - tests, interfaces/builtin: introduce 21.10 cgroupv2 variant, tweak + tests for cgroupv2, update builtin interfaces + - sysconfig/cloud-init: filter MAAS c-i config from ubuntu-seed on + grade signed + - usersession/client: refactor doMany() method + - interfaces/builtin/opengl.go: add libOpenGL.so* too + - o/assertstate: check installed snaps when refreshing validation + set assertions + - osutil: helper for injecting run time faults in snapd + - tests: update test nested tool part 2 + - libsnap-confine: use the pid parameter + - gadget/gadget.go: LaidOutSystemVolumeFromGadget -> + LaidOutVolumesFromGadget + - tests: update the time tolerance to fix the snapd-state test + - .github/workflows/test.yaml: revert #10809 + - tests: rename interfaces-hooks-misbehaving spread test to install- + hook-misbehaving + - data/selinux: update the policy to allow s-c to manipulate BPF map + and programs + - overlord/devicestate: make settle wait longer in remodel tests + - kernel/fde: mock systemd-run in unit test + - o/ifacestate: do not create stray task in batchConnectTasks if + there are no connections + - gadget: add VolumeName to Volume and VolumeStructure + - cmd/libsnap-confine-private: use root when necessary for BPF + related operations + - .github/workflows/test.yaml: bump action-build to 1.0.9 + - o/snapstate: enforce validation sets/enforce on InstallMany + - asserts, snapstate: return full validation set keys from + CheckPresenceRequired and 
CheckPresenceInvalid + - cmd/snap: only log translation warnings in debug/testing + - tests/main/preseed: update for new base snap of the lxd snap + - tests/nested/manual: use loop for checking for initialize-system + task done + - tests: add a local snap variant to testing prepare-image gating + support + - tests/main/security-device-cgroups-strict-enforced: demonstrate + device cgroup being enforced + - store: one more tweak for the test action timeout + - github: do not fail when codecov upload fails + - o/devicestate: fix flaky test remodel clash + - o/snapstate: add ChangeID to conflict error + - tests: fix regex of TestSnapActionTimeout test + - tests: fix tests for 21.10 + - tests: add test for store.SnapAction() request timeout + - tests: print user sessions info on debug-each + - packaging: backports of golang-go 1.13 are good enough + - sysconfig/cloudinit: add cloudDatasourcesInUseForDir + - cmd: build gdb shims as static binaries + - packaging/ubuntu: pass GO111MODULE to dh_auto_test + - cmd/libsnap-confine-private, tests, sandbox: remove warnings about + cgroup v2, drop forced devmode + - tests: increase memory quota in quota-groups-systemd-accounting + - tests: be more robust against a new day stepping in + - usersession/xdgopenproxy: move PortalLauncher class to own package + - interfaces/builtin: fix microstack unit tests on distros using + /usr/libexec + - cmd/snap-confine: handle CURRENT_TAGS on systems that support it + - cmd/libsnap-confine-private: device cgroup v2 support + - o/servicestate: Update task summary for restart action + - packaging, tests/lib/prepare-restore: build packages without + network access, fix building debs with go modules + - systemd: add AtLeast() method, add mocking in systemdtest + - systemd: use text.template to generate mount unit + - o/hookstate/ctlcmd: Implement snapctl refresh --show-lock command + - o/snapstate: optimize conflicts around snaps stored on + conditional-auto-refresh task + - tests/lib/prepare.sh: 
download core20 for UC20 runs via + BASE_CHANNEL + - mount-control: step 1 + - go: update go.mod dependencies + - o/snapstate: enforce validation sets on snap install + - tests: revert revert manual lxd removal + - tests: pre-cache snaps in classic and core systems + - tests/lib/nested.sh: split out additional helper for adding files + to VM imgs + - tests: update nested tool - part1 + - image/image_linux.go: add newline + - interfaces/block-devices: support to access the state of block + devices + - o/hookstate: require snap-refresh-control interface for snapctl + refresh --proceed + - build-aux: stage libgcc1 library into snapd snap + - configcore: add read-only netplan support + - tests: fix fakedevicesvc service already exists + - tests: fix interfaces-libvirt test + - tests: remove travis leftovers + - spread: bump delta ref to 2.52 + - packaging: ship the `snapd.apparmor.service` unit in debian + - packaging: remove duplicated `golang-go` build-dependency + - boot: record recovery capable systems in recovery bootenv + - tests: skip overlord tests on riscv64 due to timeouts. 
+ - overlord/ifacestate: fix arguments in unit tests + - ifacestate: undo repository connection if doConnect fails + - many: remove unused parameters + - tests: failure of prereqs on content interface doesn't prevent + install + - tests/nested/manual/refresh-revert-fundamentals: fix variable use + - strutil: add Intersection() + - o/ifacestate: special-case system-files and force refreshing its + static attributes + - interface/builtin: add qualcomm-ipc-router interface for + AF_QIPCRTR socket protocol + - tests: new snapd-state tool + - codecov: fix files pathnames + - systemd: add mock systemd helper + - tests/nested/core/extra-snaps-assertions: fix the match pattern + - image,c/snap,tests: support enforcing validations in prepare-image + via --customize JSON validation enforce(|ignore) + - o/snapstate: enforce validation sets assertions when removing + snaps + - many: update deps + - interfaces/network-control: additional ethernet rule + - tests: use host-scaled settle timeout for hookstate tests + - many: move to go modules + - interfaces: no need for snapRefreshControlInterface struct + - interfaces: introduce snap-refresh-control interface + - tests: move interfaces-libvirt test back to 16.04 + - tests: bump the number of retries when waiting for /dev/nbd0p1 + - tests: add more space on ubuntu xenial + - spread: add 21.10 to qemu, remove 20.10 (EOL) + - packaging: add libfuse3-dev build dependency + - interfaces: add microstack-support interface + - wrappers: fix a bunch of duplicated service definitions in tests + - tests: use host-scaled timeout to avoid riscv64 test failure + - many: fix run-checks gofmt check + - tests: spread test for snapctl refresh --pending/--proceed from + the snap + - o/assertstate,daemon: refresh validation sets assertions with snap + declarations + - tests: migrate tests that are only executed on xenial to bionic + - tests: remove opensuse-15.1 and add opensuse-15.3 from spread runs + - packaging: update master changelog for 
2.51.7 + - sysconfig/cloudinit: fix bug around error state of cloud-init + - interfaces, o/snapstate: introduce AffectsPlugOnRefresh flag + - interfaces/interfaces/ion-memory-control: add: add interface for + ion buf + - interfaces/dsp: add /dev/ambad into dsp interface + - tests: new spread log parser + - tests: check files and dirs are cleaned for each test + - o/hookstate/ctlcmd: unify the error message when context is + missing + - o/hookstate: support snapctl refresh --pending from snap + - many: remove unused/dead code + - cmd/libsnap-confine-private: add BPF support helpers + - interfaces/hardware-observe: add some dmi properties + - snapstate: abort kernel refresh if no gadget update can be found + - many: shellcheck fixes + - cmd/snap: add Size column to refresh --list + - packaging: build without dwarf debugging data + - snapstate: fix misleading `assumes` error message + - tests: fix restore in snapfuse spread tests + - o/assertstate: fix missing 'scheduled' header when auto refreshing + assertions + - o/snapstate: fail remove with invalid snap names + - o/hookstate/ctlcmd: correct err message if missing root + - .github/workflows/test.yaml: fix logic + - o/snapstate: don't hold some snaps if not all snaps can be held by + the given gating snap + - c-vendor.c: new c-vendor subdir + - store: make sure expectedZeroFields in tests gets updated + - overlord: add manager test for "assumes" checking + - store: deal correctly with "assumes" from the store raw yaml + - sysconfig/cloudinit.go: add functions for filtering cloud-init + config + - cgroup-support: allow to hide cgroupv2 warning via ENV + - gadget: Export mkfs functions for use in ubuntu-image + - tests: set to 10 minutes the kill timeout for tests failing on + slow boards + - .github/workflows/test.yaml: test github.events key + - i18n/xgettext-go: preserve already escaped quotes + - cmd/snap-seccomp/syscalls: update syscalls list to libseccomp + v2.2.0-428-g5c22d4b + - github: do not try to upload 
coverage when working with cached run + - tests/main/services-install-hook-can-run-svcs: shellcheck issue + fix + - interfaces/u2f-devices: add Nitrokey FIDO2 + - testutil: add DeepUnsortedMatches Checker + - cmd, packaging: import BPF headers from kernel, detect whether + host headers are usable + - tests: fix services-refresh-mode test + - tests: clean snaps.sh helper + - tests: fix timing issue on security-dev-input-event-denied test + - tests: update systems for sru validation + - .github/workflows: add codedov again + - secboot: remove duplicate import + - tests: stop the service when is active in test interfaces- + firewall-control test + - packaging: remove TEST_GITHUB_AUTOPKGTEST support + - packaging: merge 2.51.6 changelog back to master + - secboot: use half the mem for KDF in AddRecoveryKey + - secboot: switch main key KDF memory cost to 32KB + - tests: remove the test user just when it was installed on create- + user-2 test + - spread: temporarily fix the ownership of /home/ubuntu/.ssh on + 21.10 + - daemon, o/snapstate: handle IgnoreValidation flag on install (2/3) + - usersession/agent: refactor common JSON validation into own + function + - o/hookstate: allow snapctl refresh --proceed from snaps + - cmd/libsnap-confine-private: fix issues identified by coverity + - cmd/snap: print logs in local timezone + - packaging: changelog for 2.51.5 to master + - build-aux: build with go-1.13 in the snapcraft build too + - config: rename "virtual" config to "external" config + - devicestate: add `snap debug timings --ensure=install-system` + - interfaces/builtin/raw_usb: fix platform typo, fix access to usb + devices accessible through platform + - o/snapstate: remove commented out code + - cmd/snap-device-helper: reimplement snap-device-helper + - cmd/libsnap-confine-private: fix coverity issues in tests, tweak + uses of g_assert() + - o/devicestate/handlers_install.go: add workaround to create dirs + for install + - o/assertstate: implement 
ValidationSetAssertionForEnforce helper + - clang-format: stop breaking my includes + - o/snapstate: allow auto-refresh limited to snaps affected by a + specific gating snap + - tests: fix core-early-config test to use tests.nested tool + - sysconfig/cloudinit.go: measure (but don't use) gadget cloud-init + datasource + - c/snap,o/hookstate/ctlcmd: add JSON/string strict processing flags + to snap/snapctl + - corecfg: add "system.hostname" setting to the system settings + - wrappers: measure time to enable services in StartServices() + - configcore: fix early config timezone handling + - tests/nested/manual: enable serial assertions on testkeys nested + VM's + - configcore: fix a bunch of incorrect error returns + - .github/workflows/test.yaml: use snapcraft 4.x to build the snapd + snap + - packaging: merge 2.51.4 changelog back to master + - {device,snap}state: skip kernel extraction in seeding + - vendor: move to snapshot-4c814e1 branch and set fixed KDF options + - tests: use bigger storage on ubuntu 21.10 + - snap: support links map in snap.yaml (and later from the store + API) + - o/snapstate: add AffectedByRefreshCandidates helper + - configcore: register virtual config for timezone reading + - cmd/libsnap-confine-private: move device cgroup files, add helper + to deny a device + - tests: fix cached-results condition in github actions workflow + - interfaces/tee: add support for Qualcomm qseecom device node + - packaging: fix build failure on bionic and simplify rules + - o/snapstate: affectedByRefresh tweaks + - tests: update nested wait for snapd command + - interfaces/builtin: allow access to per-user GTK CSS overrides + - tests/main/snapd-snap: install 4.x snapcraft to build the snapd + snap + - snap/squashfs: handle squashfs-tools 4.5+ + - asserts/snapasserts: CheckPresenceInvalid and + CheckPresenceRequired methods + - cmd/snap-confine: refactor device cgroup handling to enable easier + v2 integration + - tests: skip udp protocol on latest ubuntus + - 
cmd/libsnap-confine-private: g_spawn_check_exit_status is + deprecated since glib 2.69 + - interfaces: s/specifc/specific/ + - github: enable gofmt for Go 1.13 jobs + - overlord/devicestate: UC20 specific set-model, managers tests + - o/devicestate, sysconfig: refactor cloud-init config permission + handling + - config: add "virtual" config via config.RegisterVirtualConfig + - packaging: switch ubuntu to use golang-1.13 + - snap: change `snap login --help` to not mention "buy" + - tests: removing Ubuntu 20.10, adding 21.04 nested in spread + - tests/many: remove lxd systemd unit to prevent unexpected + leftovers + - tests/main/services-install-hook-can-run-svcs: make variants more + obvious + - tests: force snapd-session-agent.socket to be re-generated + +* Tue Oct 05 2021 Michael Vogt +- New upstream release 2.52.1 + - snap-bootstrap: wait in `mountNonDataPartitionMatchingKernelDisk` + for the disk (if not present already) + - many: support an API flag system-restart-immediate to make snap + ops proceed immediately with system restarts + - cmd/libsnap-confine-private: g_spawn_check_exit_status is + deprecated since glib 2.69 + - interfaces/seccomp: add clone3 to default template + - interfaces/apparmor/template.go: allow inspection of dbus + mediation level + - interfaces/dsp: add a usb rule to the ambarella flavor + - cmd/snap-confine: update s-c apparmor profile to allow versioned + ld.so + - o/ifacestate: don't lose connections if snaps are broken + - interfaces/builtin/opengl.go: add libOpenGL.so* too + - interfaces/hardware-observe: add some dmi properties + - build-aux: stage libgcc1 library into snapd snap + - interfaces/block-devices: support to access the state of block + devices + - packaging: ship the `snapd.apparmor.service` unit in debian + * Wed Sep 29 2021 Maciek Borzecki - 2.52-1 - Update to 2.52 - Drop squashfs 4.5+ patch as it's part of 2.52 release diff --git a/sources b/sources index 8e9538e..a6d3ab1 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
-SHA512 (snapd_2.52.no-vendor.tar.xz) = d18d299ae112679fddaddda81f3bdd15984d577285e9975ea3951b19a635d3d8ebf14bfc81dd59da8b0554423dd3c0cc7acea2d4b6abfd8830a3bbc3e54e9182
-SHA512 (snapd_2.52.only-vendor.tar.xz) = 8d3aa2e372f3681cb4d0be7258046a0634751adb09a82489bd7db6b11ca976df6fe5551b2d59814c7761363eef12acfb33730d7f0640d5f8331698b45921d4e5
+SHA512 (snapd_2.53.1.no-vendor.tar.xz) = efb76a3ecc732c93d0f3c253ca29150445d7f9d8c9e48383e4d093c6deab35379bc210b714f28801b288fb1cd1af9ab96f7cf9a4f92afc0ddc16606eb61f6a36
+SHA512 (snapd_2.53.1.only-vendor.tar.xz) = 08cb8c40e495fb19d2f3727f9f24f4a932f407b19e14fb6a2888328b238b8e2138d67f24c35d0f5f30e2ea2272b1e402626beb809f116fcbcf5f3cada642502f