diff --git a/.gitignore b/.gitignore
index cb1da1d..8c0625d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -92,3 +92,5 @@
 /snapd_2.55.3.only-vendor.tar.xz
 /snapd_2.56.2.no-vendor.tar.xz
 /snapd_2.56.2.only-vendor.tar.xz
+/snapd_2.57.5.no-vendor.tar.xz
+/snapd_2.57.5.only-vendor.tar.xz
diff --git a/0001-cmd-snap-confine-do-not-discard-const-qualifier.patch b/0001-cmd-snap-confine-do-not-discard-const-qualifier.patch
new file mode 100644
index 0000000..80f593f
--- /dev/null
+++ b/0001-cmd-snap-confine-do-not-discard-const-qualifier.patch
@@ -0,0 +1,35 @@
+From 51c27ea0c71a1737607b21bf9de3cc91cf690ebd Mon Sep 17 00:00:00 2001
+Message-Id: <51c27ea0c71a1737607b21bf9de3cc91cf690ebd.1669579092.git.maciek.borzecki@gmail.com>
+From: Maciej Borzecki
+Date: Sun, 27 Nov 2022 20:47:29 +0100
+Subject: [PATCH] cmd/snap-confine: do not discard const qualifier
+
+GCC 12.2.1 with the default build flags in Rawhide is more picky than usual, and
+fails with this:
+
+snap-confine/selinux-support.c:85:29: error: initialization discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers]
+ 85 | char *new_ctx_str = context_str(ctx);
+ | ^~~~~~~~~~~
+cc1: all warnings being treated as errors
+
+Signed-off-by: Maciej Borzecki
+---
+ cmd/snap-confine/selinux-support.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/cmd/snap-confine/selinux-support.c b/cmd/snap-confine/selinux-support.c
+index 344a3444b23d10afa408d2f1390156b44506ebc8..a65c02632968ac0f8f23d1bd4b7045a5206b59d9 100644
+--- a/cmd/snap-confine/selinux-support.c
++++ b/cmd/snap-confine/selinux-support.c
+@@ -82,7 +82,7 @@ int sc_selinux_set_snap_execcon(void) {
+ }
+
+ /* freed by context_free(ctx) */
+- char *new_ctx_str = context_str(ctx);
++ const char *new_ctx_str = context_str(ctx);
+ if (new_ctx_str == NULL) {
+ die("cannot obtain updated SELinux context string");
+ }
+-- 
+2.38.1
+
diff --git a/snapd.spec b/snapd.spec
index 1af0360..a7a2869 100644
--- a/snapd.spec
+++ b/snapd.spec
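Review bot: In `0001-cmd-snap-confine-do-not-discard-const-qualifier.patch`, the later uses of `new_ctx_str` in `sc_selinux_set_snap_execcon` are outside the embedded hunk, so it is not visible whether every call it is passed to accepts a `const char *`. The quoted build log shows warnings treated as errors, and the spec also targets RHEL 7/8/9, presumably with older libselinux headers. It is worth confirming that the `const char *new_ctx_str = context_str(ctx);` line compiles cleanly on each of those targets, not only on Rawhide. The const qualifier itself is a good fit with the existing `/* freed by context_free(ctx) */` comment, since it also discourages freeing or modifying the string through this pointer.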
@@ -65,8 +65,8 @@ %define gobuild_static(o:) go build -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "-B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -linkmode external -extldflags '%__global_ldflags -static'" -a -v -x %{?**}; %endif -# These macros are missing BUILDTAGS in RHEL 8, see RHBZ#1825138 -%if 0%{?rhel} == 8 +# These macros are missing BUILDTAGS in RHEL 8/9, see RHBZ#1825138 +%if 0%{?rhel} >= 8 %define gobuild(o:) go build -buildmode pie -compiler gc -tags="rpm_crashtraceback ${BUILDTAGS:-}" -ldflags "-B 0x$(head -c20 /dev/urandom|od -An -tx1|tr -d ' \\n') -linkmode external -extldflags '%__global_ldflags'" -a -v -x %{?**}; %endif @@ -82,13 +82,15 @@ %{!?_systemd_system_env_generator_dir: %global _systemd_system_env_generator_dir %{_prefix}/lib/systemd/system-environment-generators} Name: snapd -Version: 2.56.2 -Release: 5%{?dist} +Version: 2.57.5 +Release: 1%{?dist} Summary: A transactional software package manager License: GPLv3 URL: https://%{provider_prefix} Source0: https://%{provider_prefix}/releases/download/%{version}/%{name}_%{version}.no-vendor.tar.xz Source1: https://%{provider_prefix}/releases/download/%{version}/%{name}_%{version}.only-vendor.tar.xz +# FTBFS fix, submitted upstream https://github.com/snapcore/snapd/pull/12357 +Patch0: 0001-cmd-snap-confine-do-not-discard-const-qualifier.patch ExclusiveArch: %{?golang_arches}%{!?golang_arches:%{ix86} x86_64 %{arm} aarch64 ppc64le s390x} @@ -534,8 +536,8 @@ sed -e "s/-Bstatic -lseccomp/-Bstatic/g" -i cmd/snap-seccomp/*.go %if 0%{?rhel} == 7 M4PARAM='-D distro_rhel7' %endif -%if 0%{?rhel} == 7 || 0%{?rhel} == 8 - # RHEL7 and RHEL8 are missing the BPF interfaces from their reference policy +%if 0%{?rhel} == 7 || 0%{?rhel} == 8 || 0%{?rhel} == 9 + # RHEL7, RHEL8 and RHEL9 are missing the BPF interfaces from their reference policy M4PARAM="$M4PARAM -D no_bpf" %endif # Build SELinux module 
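Review bot: The new condition `%if 0%{?rhel} >= 8` is open-ended while the comment above it names only RHEL 8/9, so any later RHEL release will also have its distro-provided `gobuild` macro replaced by this local definition. Because this macro fixes the build mode and linker flags of the shipped binaries, an override that outlives the BUILDTAGS gap would silently mask whatever flags a future distro macro sets. Either bound it, `%if 0%{?rhel} == 8 || 0%{?rhel} == 9`, which also matches the explicit list used for `no_bpf` in the `@@ -534,8 +536,8 @@` hunk, or say in the comment that the open range is intended.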
@@ -677,6 +679,11 @@ rm %{buildroot}%{_libexecdir}/snapd/system-shutdown rm -f %{buildroot}%{_unitdir}/snapd.apparmor.service rm -f %{buildroot}%{_libexecdir}/snapd/snapd-apparmor +# Remove prompt services +rm %{buildroot}%{_unitdir}/snapd.aa-prompt-listener.service +rm %{buildroot}%{_userunitdir}/snapd.aa-prompt-ui.service +rm %{buildroot}%{_datadir}/dbus-1/services/io.snapcraft.Prompt.service + # Install Polkit configuration install -m 644 -D data/polkit/io.snapcraft.snapd.policy %{buildroot}%{_datadir}/polkit-1/actions 
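Review bot: The three added `rm` lines have no `-f`, unlike the `snapd.apparmor` removals just above them, so the build fails if a later upstream release renames or stops installing any of these files; that is fine as a tripwire, but it should be a stated choice. The comment `# Remove prompt services` also does not say why they are dropped; if the reason is that AppArmor prompting is unavailable on this distribution, as the neighbouring `snapd.apparmor` removals suggest, say so, e.g. `# AppArmor prompting is not supported here; drop its units and D-Bus activation file`. Only the unit and D-Bus activation files are deleted in this hunk, and whether the executables they start are also kept out of the package is not visible here, so check that no unreferenced helper is still shipped.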
@@ -927,6 +934,314 @@ fi %changelog +* Sun Nov 27 2022 Maciek Borzecki - 2.57.5-1 +- Release 2.57.5 to Fedora + +* Mon Oct 17 2022 Michael Vogt +- New upstream release 2.57.5 + - image: clean snapd mount after preseeding + - wrappers,snap/quota: clear LogsDirectory= in the service unit + for journal namespaces + - cmd/snap,daemon: allow zero values from client to daemon for + journal rate-limit + - interfaces: steam-support allow pivot /run/media and /etc/nvidia + mount + - o/ifacestate: introduce DebugAutoConnectCheck hook + - release, snapd-apparmor, syscheck: distinguish WSL1 and WSL2 + - autopkgtests: fix running autopkgtest on kinetic + - interfaces: add microceph interface + - interfaces: steam-support allow additional mounts + - many: add stub services + - interfaces: add kconfig paths to system-observe + - i/b/system_observe: honour root dir when checking for + /boot/config-* + - interfaces: grant access to speech-dispatcher socket + - interfaces: rework logic of unclashMountEntries + +* Thu Sep 29 2022 Michael Vogt +- New upstream release 2.57.4 + - release, snapd-apparmor: fixed outdated WSL detection + - overlord/ifacestate: fix conflict detection of auto-connection + - overlord: run install-device hook during factory reset + - image/preseed/preseed_linux: add missing new line + - boot: add factory-reset cases for boot-flags. 
+ - interfaces: added read/write access to /proc/self/coredump_filter + for process-control + - interfaces: add read access to /proc/cgroups and + /proc/sys/vm/swappiness to system-observe + - fde: run fde-reveal-key with `DefaultDependencies=no` + - snapdenv: added wsl to userAgent + - tests: fix restore section for persistent-journal-namespace + - i/b/mount-control: add optional `/` to umount rules + - cmd/snap-bootstrap: changes to be able to boot classic rootfs + - cmd/snap-bootstrap: add CVM mode + +* Thu Sep 15 2022 Michael Vogt +- New upstream release 2.57.3 + - wrappers: journal namespaces did not honor journal.persistent + - snap/quota,wrappers: allow using 0 values for the journal rate to + override the system default values + - multiple: clear up naming convention for cpu-set quota + - i/b/mount-control: allow custom filesystem types + - i/b/system-observe: allow reading processes security label + - sandbox/cgroup: don't check V1 cgroup if V2 is active + - asserts,boot,secboot: switch to a secboot version measuring + classic + +* Fri Sep 02 2022 Michael Vogt +- New upstream release 2.57.2 + - store/tooling,tests: support UBUNTU_STORE_URL override env var + - packaging/*/tests/integrationtests: reload ssh.service, not + sshd.service + - tests: check snap download with snapcraft v7+ export-login auth + data + - store/tooling: support using snapcraft v7+ base64-encoded auth + data + - many: progress bars should use the overridable stdouts + - many: refactor store code to be able to use simpler form of auth + creds + - snap,store: drop support/consideration for anonymous download urls + - data: include snapd/mounts in preseeded blob + - many: Set SNAPD_APPARMOR_REEXEC=1 + - overlord: track security profiles for non-active snaps + +* Wed Aug 10 2022 Alberto Mardegan +- New upstream release 2.57.1 + - cmd/snap-update-ns: handle mountpoint removal failures with EBUSY + - cmd/snap-update-ns: print current mount entries + - cmd/snap-update-ns: check the unused 
mounts with a cleaned path + - snap-confine: disable -Werror=array-bounds in __overflow tests to + fix build error on Ubuntu 22.10 + - systemd: add `WantedBy=default.target` to snap mount units + (LP: #1983528) + +* Thu Jul 28 2022 Michael Vogt +- New upstream release 2.57 + - tests: Fix calls to systemctl is-system-running + - osutil/disks: handle GPT for 4k disk and too small tables + - packaging: import change from the 2.54.3-1.1 upload + - many: revert "features: disable refresh-app-awarness by default + again" + - tests: improve robustness of preparation for regression/lp-1803542 + - tests: get the ubuntu-image binary built with test keys + - tests: remove commented code from lxd test + - interfaces/builtin: add more permissions for steam-support + - tests: skip interfaces-network-control on i386 + - tests: tweak the "tests/nested/manual/connections" test + - interfaces: posix-mq: allow specifying message queue paths as an + array + - bootloader/assets: add ttyS0,115200n8 to grub.cfg + - i/b/desktop,unity7: remove name= specification on D-Bus signals + - tests: ensure that microk8s does not produce DENIED messages + - many: support non-default provenance snap-revisions in + DeriveSideInfo + - tests: fix `core20-new-snapd-does-not-break-old-initrd` test + - many: device and provenance revision authority cross checks + - tests: fix nested save-data test on 22.04 + - sandbox/cgroup: ignore container slices when tracking snaps + - tests: improve 'ignore-running' spread test + - tests: add `debug:` section to `tests/nested/manual/connections` + - tests: remove leaking `pc-kernel.snap` in `repack_kernel_snap` + - many: preparations for revision authority cross checks including + device scope + - daemon,overlord/servicestate: followup changes from PR #11960 to + snap logs + - cmd/snap: fix visual representation of 'AxB%' cpu quota modifier. 
+ - many: expose and support provenance from snap.yaml metadata + - overlord,snap: add support for per-snap storage on ubuntu-save + - nested: fix core-early-config nested test + - tests: revert lxd change to support nested lxd launch + - tests: add invariant check for leftover cgroup scopes + - daemon,systemd: introduce support for namespaces in 'snap logs' + - cmd/snap: do not track apps that wish to stay outside of the life- + cycle system + - asserts: allow classic + snaps models and add distribution to + model + - cmd/snap: add snap debug connections/connection commands + - data: start snapd after time-set.target + - tests: remove ubuntu 21.10 from spread tests due to end of life + - tests: Update the whitebox word to avoid inclusive naming issues + - many: mount gadget in run folder + - interfaces/hardware-observe: clean up reading access to sysfs + - tests: use overlayfs for interfaces-opengl-nvidia test + - tests: update fake-netplan-apply test for 22.04 + - tests: add executions for ubuntu 22.04 + - tests: enable centos-9 + - tests: make more robust the files check in preseed-core20 test + - bootloader/assets: add fallback entry to grub.cfg + - interfaces/apparmor: add permissions for per-snap directory on + ubuntu-save partition + - devicestate: add more path to `fixupWritableDefaultDirs()` + - boot,secboot: reset DA lockout counter after successful boot + - many: Revert "overlord,snap: add support for per-snap storage on + ubuntu-save" + - overlord,snap: add support for per-snap storage on ubuntu-save + - tests: exclude centos-7 from kernel-module-load test + - dirs: remove unused SnapAppArmorAdditionalDir + - boot,device: extract SealedKey helpers from boot to device + - boot,gadget: add new `device.TpmLockoutAuthUnder()` and use it + - interfaces/display-control: allow changing brightness value + - asserts: add more context to key expiry error + - many: introduce IsUndo flag in LinkContext + - i/apparmor: allow calling which.debianutils + - tests: new 
profile id for apparmor in test preseed-core20 + - tests: detect 403 in apt-hooks and skip test in this case + - overlord/servicestate: restart the relevant journald service when + a journal quota group is modified + - client,cmd/snap: add journal quota frontend (5/n) + - gadget/device: introduce package which provides helpers for + locations of things + - features: disable refresh-app-awarness by default again + - many: install bash completion files in writable directory + - image: fix handling of var/lib/extrausers when preseeding + uc20 + - tests: force version 2.48.3 on xenial ESM + - tests: fix snap-network-erros on uc16 + - cmd/snap-confine: be compatible with a snap rootfs built as a + tmpfs + - o/snapstate: allow install of unasserted gadget/kernel on + dangerous models + - interfaces: dynamic loading of kernel modules + - many: add optional primary key provenance to snap-revision, allow + delegating via snap-declaration revision-authority + - tests: fix boringcripto errors in centos7 + - tests: fix snap-validate-enforce in opensuse-tumbleweed + - test: print User-Agent on failed checks + - interfaces: add memory stats to system_observe + - interfaces/pwm: Remove implicitOnCore/implicitOnClassic + - spread: add openSUSE Leap 15.4 + - tests: disable core20-to-core22 nested test + - tests: fix nested/manual/connections test + - tests: add spread test for migrate-home command + - overlord/servicestate: refresh security profiles when services are + affected by quotas + - interfaces/apparmor: add missing apparmor rules for journal + namespaces + - tests: add nested test variant that adds 4k sector size + - cmd/snap: fix test failing due to timezone differences + - build-aux/snap: build against the snappy-dev/image PPA + - daemon: implement api handler for refresh with enforced validation + sets + - preseed: suggest to install "qemu-user-static" + - many: add migrate-home debug command + - o/snapstate: support passing validation sets to storehelpers via + 
RevisionOptions + - cmd/snapd-apparmor: fix unit tests on distros which do not support + reexec + - o/devicestate: post factory reset ensure, spread test update + - tests/core/basic20: Enable on uc22 + - packaging/arch: install snapd-apparmor + - o/snapstate: support migrating snap home as change + - tests: enable snapd.apparmor service in all the opensuse systems + - snapd-apparmor: add more integration-ish tests + - asserts: store required revisions for missing snaps in + CheckInstalledSnaps + - overlord/ifacestate: fix path for journal redirect + - o/devicestate: factory reset with encryption + - cmd/snapd-apparmor: reimplement snapd-apparmor in Go + - squashfs: improve error reporting when `unsquashfs` fails + - o/assertstate: support multiple extra validation sets in + EnforcedValidationSets + - tests: enable mount-order-regression test for arm devices + - tests: fix interfaces network control + - interfaces: update AppArmor template to allow read the memory … + - cmd/snap-update-ns: add /run/systemd to unrestricted paths + - wrappers: fix LogNamespace being written to the wrong file + - boot: release the new PCR handles when sealing for factory reset + - tests: add support fof uc22 in test uboot-unpacked-assets + - boot: post factory reset cleanup + - tests: add support for uc22 in listing test + - spread.yaml: add ubuntu-22.04-06 to qemu-nested + - gadget: check also mbr type when testing for implicit data + partition + - interfaces/system-packages-doc: allow read-only access to + /usr/share/cups/doc-root/ and /usr/share/gimp/2.0/help/ + - tests/nested/manual/core20-early-config: revert changes that + disable netplan checks + - o/ifacestate: warn if the snapd.apparmor service is disabled + - tests: add spread execution for fedora 36 + - overlord/hookstate/ctlcmd: fix timestamp coming out of sync in + unit tests + - gadget/install: do not assume dm device has same block size as + disk + - interfaces: update network-control interface with permissions + 
required by resolvectl + - secboot: stage and transition encryption keys + - secboot, boot: support and use alternative PCR handles during + factory reset + - overlord/ifacestate: add journal bind-mount snap layout when snap + is in a journal quota group (4/n) + - secboot/keymgr, cmd/snap-fde-keymgr: two step encryption key + change + - cmd/snap: cleanup and make the code a bit easier to read/maintain + for quota options + - overlord/hookstate/ctlcmd: add 'snapctl model' command (3/3) + - cmd/snap-repair: fix snap-repair tests silently failing + - spread: drop openSUSE Leap 15.2 + - interfaces/builtin: remove the name=org.freedesktop.DBus + restriction in cups-control AppArmor rules + - wrappers: write journald config files for quota groups with + journal quotas (3/n) + - o/assertstate: auto aliases for apps that exist + - o/state: use more detailed NoStateError in state + - tests/main/interfaces-browser-support: verify jupyter notebooks + access + - o/snapstate: exclude services from refresh app awareness hard + running check + - tests/main/nfs-support: be robust against umount failures + - tests: update centos images and add new centos 9 image + - many: print valid/invalid status on snap validate --monitor + - secboot, boot: TPM provisioning mode enum, introduce + reprovisioning + - tests: allow to re-execute aborted tests + - cmd/snapd-apparmor: add explicit WSL detection to + is_container_with_internal_policy + - tests: avoid launching lxd inside lxd on cloud images + - interfaces: extra htop apparmor rules + - gadget/install: encrypted system factory reset support + - secboot: helpers for dealing with PCR handles and TPM resources + - systemd: improve error handling for systemd-sysctl command + - boot, secboot: separate the TPM provisioning and key sealing + - o/snapstate: fix validation sets restoring and snap revert on + failed refresh + - interfaces/builtin/system-observe: extend access for htop + - cmd/snap: support custom apparmor features dir with snap 
prepare- + image + - interfaces/mount-observe: Allow read access to /run/mount/utab + - cmd/snap: add help strings for set-quota options + - interfaces/builtin: add README file + - cmd/snap-confine: mount support cleanups + - overlord: execute snapshot cleanup in task + - i/b/accounts_service: fix path of introspectable objects + - interfaces/opengl: update allowed PCI accesses for RPi + - configcore: add core.system.ctrl-alt-del-action config option + - many: structured startup timings + - spread: switch back to building ubuntu-image from source + - many: optional recovery keys + - tests/lib/nested: fix unbound variable + - run-checks: fail on equality checks w/ ErrNoState + - snap-bootstrap: Mount as private + - tests: Test for gadget connections + - tests: set `br54.dhcp4=false` in the netplan-cfg test + - tests: core20 preseed/nested spread test + - systemd: remove the systemctl stop timeout handling + - interfaces/shared-memory: Update AppArmor permissions for + mmap+link + - many: replace ErrNoState equality checks w/ errors.Is() + - cmd/snap: exit w/ non-zero code on missing snap + - systemd: fix snapd systemd-unit stop progress notifications + - .github: Trigger daily riscv64 snapd edge builds + - interfaces/serial-port: add ttyGS to serial port allow list + - interfaces/modem-manager: Don't generate DBus plug policy + - tests: add spread test to test upgrade from release snapd to + current + - wrappers: refactor EnsureSnapServices + - testutil: add ErrorIs test checker + - tests: import spread shellcheck changes + - cmd/snap-fde-keymgr: best effort idempotency of add-recovery-key + - interfaces/udev: refactor handling of udevadm triggers for input + - secboot: support for changing encryption keys via keymgr + * Sat Jul 23 2022 Fedora Release Engineering - 2.56.2-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild 
@@ -934,6 +1249,26 @@ fi - Rebuild for CVE-2022-{1705,32148,30631,30633,28131,30635,30632,30630,1962} in golang +* Wed Jul 13 2022 Michael Vogt +- New upstream release 2.56.3 + - devicestate: add more path to `fixupWritableDefaultDirs()` + - many: introduce IsUndo flag in LinkContext + - i/apparmor: allow calling which.debianutils + - interfaces: update AppArmor template to allow reading snap's + memory statistics + - interfaces: add memory stats to system_observe + - i/b/{mount,system}-observe: extend access for htop + - features: disable refresh-app-awarness by default again + - image: fix handling of var/lib/extrausers when preseeding + uc20 + - interfaces/modem-manager: Don't generate DBus policy for plugs + - interfaces/modem-manager: Only generate DBus plug policy on + Core + - interfaces/serial_port_test: fix static-checks errors + - interfaces/serial-port: add USB gadget serial devices (ttyGSX) to + allowed list + - interface/serial_port_test: adjust variable IDs + * Sun Jul 10 2022 Maxwell G - 2.56.2-2 - Only build on %%golang_arches (i.e. where golang is available). - Rebuild to fix update ordering issues. diff --git a/sources b/sources index ea1d20b..323c452 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (snapd_2.56.2.no-vendor.tar.xz) = 457396fad451a7e7c2940acc6268a55b17d28f30c7ca122030b2e516c15519cf5199163da814749615634484dd04125b85c3891cde8ffdac77dd592a24ea6b48 -SHA512 (snapd_2.56.2.only-vendor.tar.xz) = 5f4315c172815086a07bef919811d02c4ba882f1fe813f032bc4013fba25690a3bd2aa17937767b44dcc20a6d9e0420f7c73ba80540db82a991a19d4a464be69 +SHA512 (snapd_2.57.5.no-vendor.tar.xz) = 49666b7ba4589bbcaa557a88f3a4f4ea0b04cb7400b5b065aaa26d20ed0fae8f05ba93ca4861a6dd70178508781cd9dff1fb64f7d5393092b4212d4c47948d7c +SHA512 (snapd_2.57.5.only-vendor.tar.xz) = 79c033db93f3b478e0b6dd74b3a4b34a2e07d8ede64a05c84f9a64b0a193cf44c1d1bb04f5152ab9111e04e99ae2bf232442f1bcd694de4bb5f84e76a17a1882