Changelog |
* Sat Aug 24 2024 Ernest Lotter <ernest.lotter@canonical.com>
- New upstream release 2.65.1
- Support building snapd using base Core22 (Snapcraft 8.x)
- FIPS: support building FIPS complaint snapd variant that switches
to FIPS mode when the system boots with FIPS enabled
- AppArmor: update to latest 4.0.2 release
- AppArmor: enable using ABI 4.0 from host parser
- AppArmor: fix parser lookup
- AppArmor: support AppArmor snippet priorities
- AppArmor: allow reading cgroup memory.max file
- AppArmor: allow using snap-exec coming from the snapd snap when
starting a confined process with jailmode
- AppArmor prompting (experimental): add checks for prompting
support, include prompting status in system key, and restart snapd
if prompting flag changes
- AppArmor prompting (experimental): include prompt prefix in
AppArmor rules if prompting is supported and enabled
- AppArmor prompting (experimental): add common types, constraints,
and mappings from AppArmor permissions to abstract permissions
- AppArmor prompting (experimental): add path pattern parsing and
matching
- AppArmor prompting (experimental): add path pattern precedence
based on specificity
- AppArmor prompting (experimental): add packages to manage
outstanding request prompts and rules
- AppArmor prompting (experimental): add prompting API and notice
types, which require snap-interfaces-requests-control interface
- AppArmor prompting (experimental): feature flag can only be
enabled if prompting is supported, handler service connected, and
the service can be started
- Registry views (experimental): rename from aspects to registries
- Registry views (experimental): support reading registry views and
setting/unsetting registry data using snapctl
- Registry views (experimental): fetch and refresh registry
assertions as needed
- Registry views (experimental): restrict view paths from using a
number as first character and view names to storage path style
patterns
- Snap components: support installing snaps and components from
files at the same time (no REST API/CLI)
- Snap components: support downloading components related assertions
from the store
- Snap components: support installing components from the store
- Snap components: support removing components individually and
during snap removal
- Snap components: support kernel modules as components
- Snap components: support for component install, pre-refresh and
post-refresh hooks
- Snap components: initial support for building systems that contain
components
- Refresh app awareness (experimental): add data field for
/v2/changes REST API to allow associating each task with affected
snaps
- Refresh app awareness (experimental): use the app name from
.desktop file in notifications
- Refresh app awareness (experimental): give snap-refresh-observe
interface access to /v2/snaps/{name} endpoint
- Improve snap-confine compatibility with nvidia drivers
- Allow re-exec when SNAP_REEXEC is set for unlisted distros to
simplify testing
- Allow mixing revision and channel on snap install
- Generate GNU build ID for Go binaries
- Add missing etelpmoc.sh for shell completion
- Do not attempt to run snapd on classic when re-exec is disabled
- Packaging/build maintenance for Debian sid, Fedora, Arch, openSuse
- Add snap debug API command to enable running raw queries
- Enable snap-confine snap mount directory detection
- Replace global seccomp filter with deny rules in standard seccomp
template
- Remove support for Ubuntu Core Launcher (superseded by snap-
confine)
- Support creating pending serial bound users after serial assertion
becomes available
- Support disabling cloud-init using kernel command-line
- In hybrid systems, apps can refresh without waiting for restarts
required by essential snaps
- Ship snap-debug-info.sh script used for system diagnostics
- Improve error messages when attempting to run non-existent snap
- Switch to -u UID:GID for strace-static
- Support enabling snapd logging with snap set system
debug.snapd.{log,log-level}
- Add options system.coredump.enable and system.coredump.maxuse to
support using systemd-coredump on Ubuntu Core
- Provide documentation URL for 'snap interface '
- Fix snapd riscv64 build
- Fix restarting activated services instead of their activator units
(i.e. sockets, timers)
- Fix potential unexpected auto-refresh of snap on managed schedule
- Fix potential segfault by guarding against kernel command-line
changes on classic system
- Fix proxy entries in /etc/environment with missing newline that
caused later manual entries to not be usable
- Fix offline remodelling by ignoring prerequisites that will
otherwise be downloaded from store
- Fix devmode seccomp deny regression that caused spamming the log
instead of actual denies
- Fix snap lock leak during refresh
- Fix not re-pinning validation sets that were already pinned when
enforcing new validation sets
- Fix handling of unexpected snapd runtime failure
- Fix /v2/notices REST API skipping notices with duplicate
timestamps
- Fix comparing systemd versions that may contain pre-release
suffixes
- Fix udev potentially starting before snap-device-helper is made
available
- Fix race in snap seed metadata loading
- Fix treating cloud-init exit status 2 as error
- Fix to prevent sending refresh complete notification if snap snap-
refresh-observe interface is connected
- Fix to queue snapctl service commands if run from the default-
configure hook to ensure they get up-to-date config values
- Fix stop service failure when the service is not actually running
anymore
- Fix parsing /proc/PID/mounts with spaces
- Add registry interface that provides snaps access to a particular
registry view
- Add snap-interfaces-requests-control interface to enable prompting
client snaps
- steam-support interface: remove all AppArmor and seccomp
restrictions to improve user experience
- opengl interface: improve compatibility with nvidia drivers
- home interface: autoconnect home on Ubuntu Core Desktop
- serial-port interface: support RPMsg tty
- display-control interface: allow changing LVDS backlight power and
brightness
- power-control interface: support for battery charging thesholds,
type/status and AC type/status
- cpu-control interface: allow CPU C-state control
- raw-usb interface: support RPi5 and Thinkpad x13s
- custom-device interface: allow device file locking
- lxd-support interface: allow LXD to self-manage its own cgroup
- network-manager interface: support MPTCP sockets
- network-control interface: allow plug/slot access to gnutls config
and systemd resolved cache flushing via D-Bus
- network-control interface: allow wpa_supplicant dbus api
- gpio-control interface: support gpiochip* devices
- polkit interface: fix "rw" mount option check
- u2f-devices interface: enable additional security keys
- desktop interface: enable kde theming support
* Fri Aug 23 2024 Ernest Lotter <ernest.lotter@canonical.com>
- New upstream release 2.65
- Support building snapd using base Core22 (Snapcraft 8.x)
- FIPS: support building FIPS complaint snapd variant that switches
to FIPS mode when the system boots with FIPS enabled
- AppArmor: update to latest 4.0.2 release
- AppArmor: enable using ABI 4.0 from host parser
- AppArmor: fix parser lookup
- AppArmor: support AppArmor snippet priorities
- AppArmor: allow reading cgroup memory.max file
- AppArmor: allow using snap-exec coming from the snapd snap when
starting a confined process with jailmode
- AppArmor prompting (experimental): add checks for prompting
support, include prompting status in system key, and restart snapd
if prompting flag changes
- AppArmor prompting (experimental): include prompt prefix in
AppArmor rules if prompting is supported and enabled
- AppArmor prompting (experimental): add common types, constraints,
and mappings from AppArmor permissions to abstract permissions
- AppArmor prompting (experimental): add path pattern parsing and
matching
- AppArmor prompting (experimental): add path pattern precedence
based on specificity
- AppArmor prompting (experimental): add packages to manage
outstanding request prompts and rules
- AppArmor prompting (experimental): add prompting API and notice
types, which require snap-interfaces-requests-control interface
- AppArmor prompting (experimental): feature flag can only be
enabled if prompting is supported, handler service connected, and
the service can be started
- Registry views (experimental): rename from aspects to registries
- Registry views (experimental): support reading registry views and
setting/unsetting registry data using snapctl
- Registry views (experimental): fetch and refresh registry
assertions as needed
- Registry views (experimental): restrict view paths from using a
number as first character and view names to storage path style
patterns
- Snap components: support installing snaps and components from
files at the same time (no REST API/CLI)
- Snap components: support downloading components related assertions
from the store
- Snap components: support installing components from the store
- Snap components: support removing components individually and
during snap removal
- Snap components: support kernel modules as components
- Snap components: support for component install, pre-refresh and
post-refresh hooks
- Snap components: initial support for building systems that contain
components
- Refresh app awareness (experimental): add data field for
/v2/changes REST API to allow associating each task with affected
snaps
- Refresh app awareness (experimental): use the app name from
.desktop file in notifications
- Refresh app awareness (experimental): give snap-refresh-observe
interface access to /v2/snaps/{name} endpoint
- Improve snap-confine compatibility with nvidia drivers
- Allow re-exec when SNAP_REEXEC is set for unlisted distros to
simplify testing
- Allow mixing revision and channel on snap install
- Generate GNU build ID for Go binaries
- Add missing etelpmoc.sh for shell completion
- Do not attempt to run snapd on classic when re-exec is disabled
- Packaging/build maintenance for Debian sid, Fedora, Arch, openSuse
- Add snap debug API command to enable running raw queries
- Enable snap-confine snap mount directory detection
- Replace global seccomp filter with deny rules in standard seccomp
template
- Remove support for Ubuntu Core Launcher (superseded by snap-
confine)
- Support creating pending serial bound users after serial assertion
becomes available
- Support disabling cloud-init using kernel command-line
- In hybrid systems, apps can refresh without waiting for restarts
required by essential snaps
- Ship snap-debug-info.sh script used for system diagnostics
- Improve error messages when attempting to run non-existent snap
- Switch to -u UID:GID for strace-static
- Support enabling snapd logging with snap set system
debug.snapd.{log,log-level}
- Add options system.coredump.enable and system.coredump.maxuse to
support using systemd-coredump on Ubuntu Core
- Provide documentation URL for 'snap interface '
- Fix restarting activated services instead of their activator units
(i.e. sockets, timers)
- Fix potential unexpected auto-refresh of snap on managed schedule
- Fix potential segfault by guarding against kernel command-line
changes on classic system
- Fix proxy entries in /etc/environment with missing newline that
caused later manual entries to not be usable
- Fix offline remodelling by ignoring prerequisites that will
otherwise be downloaded from store
- Fix devmode seccomp deny regression that caused spamming the log
instead of actual denies
- Fix snap lock leak during refresh
- Fix not re-pinning validation sets that were already pinned when
enforcing new validation sets
- Fix handling of unexpected snapd runtime failure
- Fix /v2/notices REST API skipping notices with duplicate
timestamps
- Fix comparing systemd versions that may contain pre-release
suffixes
- Fix udev potentially starting before snap-device-helper is made
available
- Fix race in snap seed metadata loading
- Fix treating cloud-init exit status 2 as error
- Fix to prevent sending refresh complete notification if snap snap-
refresh-observe interface is connected
- Fix to queue snapctl service commands if run from the default-
configure hook to ensure they get up-to-date config values
- Fix stop service failure when the service is not actually running
anymore
- Fix parsing /proc/PID/mounts with spaces
- Add registry interface that provides snaps access to a particular
registry view
- Add snap-interfaces-requests-control interface to enable prompting
client snaps
- steam-support interface: remove all AppArmor and seccomp
restrictions to improve user experience
- opengl interface: improve compatibility with nvidia drivers
- home interface: autoconnect home on Ubuntu Core Desktop
- serial-port interface: support RPMsg tty
- display-control interface: allow changing LVDS backlight power and
brightness
- power-control interface: support for battery charging thesholds,
type/status and AC type/status
- cpu-control interface: allow CPU C-state control
- raw-usb interface: support RPi5 and Thinkpad x13s
- custom-device interface: allow device file locking
- lxd-support interface: allow LXD to self-manage its own cgroup
- network-manager interface: support MPTCP sockets
- network-control interface: allow plug/slot access to gnutls config
and systemd resolved cache flushing via D-Bus
- network-control interface: allow wpa_supplicant dbus api
- gpio-control interface: support gpiochip* devices
- polkit interface: fix "rw" mount option check
- u2f-devices interface: enable additional security keys
- desktop interface: enable kde theming support
* Mon Jul 29 2024 Miroslav Suchý <msuchy@redhat.com> - 2.63-3
- convert license to SPDX
* Fri Jul 26 2024 Miroslav Suchý <msuchy@redhat.com> - 2.63-2
- convert license to SPDX
* Wed Jul 24 2024 Ernest Lotter <ernest.lotter@canonical.com>
- New upstream release 2.64
- Support building snapd using base Core22 (Snapcraft 8.x)
- FIPS: support building FIPS complaint snapd variant that switches
to FIPS mode when the system boots with FIPS enabled
- AppArmor: update to AppArmor 4.0.1
- AppArmor: support AppArmor snippet priorities
- AppArmor prompting: add checks for prompting support, include
prompting status in system key, and restart snapd if prompting
flag changes
- AppArmor prompting: include prompt prefix in AppArmor rules if
prompting is supported and enabled
- AppArmor prompting: add common types, constraints, and mappings
from AppArmor permissions to abstract permissions
- AppArmor prompting: add path pattern parsing and matching
- Registry views (experimental): rename from aspects to registries
- Registry views (experimental): support reading registry views
using snapctl
- Registry views (experimental): restrict view paths from using a
number as first character and view names to storage path style
patterns
- Snap components: support installing snaps and components from
files at the same time (no REST API/CLI)
- Snap components: support downloading components related assertions
from the store
- Snap components: support installing components from the store (no
REST API/CLI)
- Snap components: support removing components (REST API, no CLI)
- Snap components: started support for component hooks
- Snap components: support kernel modules as components
- Refresh app awareness (experimental): add data field for
/v2/changes REST API to allow associating each task with affected
snaps
- Refresh app awareness (experimental): use the app name from
.desktop file in notifications
- Refresh app awareness (experimental): give snap-refresh-observe
interface access to /v2/snaps/{name} endpoint
- Allow re-exec when SNAP_REEXEC is set for unlisted distros to
simplify testing
- Generate GNU build ID for Go binaries
- Add missing etelpmoc.sh for shell completion
- Do not attempt to run snapd on classic when re-exec is disabled
- Packaging/build maintenance for Debian sid, Fedora, Arch, openSuse
- Add snap debug api command to enable running raw queries
- Enable snap-confine snap mount directory detection
- Replace global seccomp filter with deny rules in standard seccomp
template
- Remove support for Ubuntu Core Launcher (superseded by snap-
confine)
- Support creating pending serial bound users after serial assertion
becomes available
- Support disabling cloud-init using kernel command-line
- In hybrid systems, apps can refresh without waiting for restarts
required by essential snaps
- Ship snap-debug-info.sh script used for system diagnostics
- Improve error messages when attempting to run non-existent snap
- Switch to -u UID:GID for strace-static
- Support enabling snapd logging with snap set system
debug.snapd.{log,log-level}
- Fix restarting activated services instead of their activator units
(i.e. sockets, timers)
- Fix potential unexpected auto-refresh of snap on managed schedule
- Fix potential segfault by guarding against kernel command-line
changes on classic system
- Fix proxy entries in /etc/environment with missing newline that
caused later manual entries to not be usable
- Fix offline remodelling by ignoring prerequisites that will
otherwise be downloaded from store
- Fix devmode seccomp deny regression that caused spamming the log
instead of actual denies
- Fix snap lock leak during refresh
- Fix not re-pinning validation sets that were already pinned when
enforcing new validation sets
- Fix handling of unexpected snapd runtime failure
- Fix /v2/notices REST API skipping notices with duplicate
timestamps
- Fix comparing systemd versions that may contain pre-release
suffixes
- Fix udev potentially starting before snap-device-helper is made
available
- Fix race in snap seed metadata loading
- Fix treating cloud-init exit status 2 as error
- Fix to prevent sending refresh complete notification if snap snap-
refresh-observe interface is connected
- Fix to queue snapctl service commands if run from the default-
configure hook to ensure they get up-to-date config values
- Fix stop service failure when the service is not actually running
anymore
- Add registry interface that provides snaps access to a particular
registry view
- steam-support interface: relaxed AppArmor and seccomp restrictions
to improve user experience
- home interface: autoconnect home on Ubuntu Core Desktop
- serial-port interface: support RPMsg tty
- display-control interface: allow changing LVDS backlight power and
brightness
- power-control interface: support for battery charging thesholds,
type/status and AC type/status
- cpu-control interface: allow CPU C-state control
- raw-usb interface: support RPi5 and Thinkpad x13s
- custom-device interface: allow device file locking
- lxd-support interface: allow LXD to self-manage its own cgroup
- network-manager interface: support MPTCP sockets
- network-control interface: allow plug/slot access to gnutls config
and systemd resolved cache flushing via D-Bus
* Sat Jul 20 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.63-1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild
* Wed Apr 24 2024 Ernest Lotter <ernest.lotter@canonical.com>
- New upstream release 2.63
- Support for snap services to show the current status of user
services (experimental)
- Refresh app awareness: record snap-run-inhibit notice when
starting app from snap that is busy with refresh (experimental)
- Refresh app awareness: use warnings as fallback for desktop
notifications (experimental)
- Aspect based configuration: make request fields in the aspect-
bundle's rules optional (experimental)
- Aspect based configuration: make map keys conform to the same
format as path sub-keys (experimental)
- Aspect based configuration: make unset and set behaviour similar
to configuration options (experimental)
- Aspect based configuration: limit nesting level for setting value
(experimental)
- Components: use symlinks to point active snap component revisions
- Components: add model assertion support for components
- Components: fix to ensure local component installation always gets
a new revision number
- Add basic support for a CIFS remote filesystem-based home
directory
- Add support for AppArmor profile kill mode to avoid snap-confine
error
- Allow more than one interface to grant access to the same API
endpoint or notice type
- Allow all snapd service's control group processes to send systemd
notifications to prevent warnings flooding the log
- Enable not preseeded single boot install
- Update secboot to handle new sbatlevel
- Fix to not use cgroup for non-strict confined snaps (devmode,
classic)
- Fix two race conditions relating to freedesktop notifications
- Fix missing tunables in snap-update-ns AppArmor template
- Fix rejection of snapd snap udev command line by older host snap-
device-helper
- Rework seccomp allow/deny list
- Clean up files removed by gadgets
- Remove non-viable boot chains to avoid secboot failure
- posix_mq interface: add support for missing time64 mqueue syscalls
mq_timedreceive_time64 and mq_timedsend_time64
- password-manager-service interface: allow kwalletd version 6
- kubernetes-support interface: allow SOCK_SEQPACKET sockets
- system-observe interface: allow listing systemd units and their
properties
- opengl interface: enable use of nvidia container toolkit CDI
config generation
* Thu Mar 21 2024 Ernest Lotter <ernest.lotter@canonical.com>
- New upstream release 2.62
- Aspects based configuration schema support (experimental)
- Refresh app awareness support for UI (experimental)
- Support for user daemons by introducing new control switches
--user/--system/--users for service start/stop/restart
(experimental)
- Add AppArmor prompting experimental flag (feature currently
unsupported)
- Installation of local snap components of type test
- Packaging of components with snap pack
- Expose experimental features supported/enabled in snapd REST API
endpoint /v2/system-info
- Support creating and removing recovery systems for use by factory
reset
- Enable API route for creating and removing recovery systems using
/v2/systems with action create and /v2/systems/{label} with action
remove
- Lift requirements for fde-setup hook for single boot install
- Enable single reboot gadget update for UC20+
- Allow core to be removed on classic systems
- Support for remodeling on hybrid systems
- Install desktop files on Ubuntu Core and update after snapd
upgrade
- Upgrade sandbox features to account for cgroup v2 device filtering
- Support snaps to manage their own cgroups
- Add support for AppArmor 4.0 unconfined profile mode
- Add AppArmor based read access to /etc/default/keyboard
- Upgrade to squashfuse 0.5.0
- Support useradd utility to enable removing Perl dependency for
UC24+
- Support for recovery-chooser to use console-conf snap
- Add support for --uid/--gid using strace-static
- Add support for notices (from pebble) and expose via the snapd
REST API endpoints /v2/notices and /v2/notice
- Add polkit authentication for snapd REST API endpoints
/v2/snaps/{snap}/conf and /v2/apps
- Add refresh-inhibit field to snapd REST API endpoint /v2/snaps
- Add refresh-inhibited select query to REST API endpoint /v2/snaps
- Take into account validation sets during remodeling
- Improve offline remodeling to use installed revisions of snaps to
fulfill the remodel revision requirement
- Add rpi configuration option sdtv_mode
- When snapd snap is not installed, pin policy ABI to 4.0 or 3.0 if
present on host
- Fix gadget zero-sized disk mapping caused by not ignoring zero
sized storage traits
- Fix gadget install case where size of existing partition was not
correctly taken into account
- Fix trying to unmount early kernel mount if it does not exist
- Fix restarting mount units on snapd start
- Fix call to udev in preseed mode
- Fix to ensure always setting up the device cgroup for base bare
and core24+
- Fix not copying data from newly set homedirs on revision change
- Fix leaving behind empty snap home directories after snap is
removed (resulting in broken symlink)
- Fix to avoid using libzstd from host by adding to snapd snap
- Fix autorefresh to correctly handle forever refresh hold
- Fix username regex allowed for system-user assertion to not allow
'+'
- Fix incorrect application icon for notification after autorefresh
completion
- Fix to restart mount units when changed
- Fix to support AppArmor running under incus
- Fix case of snap-update-ns dropping synthetic mounts due to
failure to match desired mount dependencies
- Fix parsing of base snap version to enable pre-seeding of Ubuntu
Core Desktop
- Fix packaging and tests for various distributions
- Add remoteproc interface to allow developers to interact with
Remote Processor Framework which enables snaps to load firmware to
ARM Cortex microcontrollers
- Add kernel-control interface to enable controlling the kernel
firmware search path
- Add nfs-mount interface to allow mounting of NFS shares
- Add ros-opt-data interface to allow snaps to access the host
/opt/ros/ paths
- Add snap-refresh-observe interface that provides refresh-app-
awareness clients access to relevant snapd API endpoints
- steam-support interface: generalize Pressure Vessel root paths and
allow access to driver information, features and container
versions
- steam-support interface: make implicit on Ubuntu Core Desktop
- desktop interface: improved support for Ubuntu Core Desktop and
limit autoconnection to implicit slots
- cups-control interface: make autoconnect depend on presence of
cupsd on host to ensure it works on classic systems
- opengl interface: allow read access to /usr/share/nvidia
- personal-files interface: extend to support automatic creation of
missing parent directories in write paths
- network-control interface: allow creating /run/resolveconf
- network-setup-control and network-setup-observe interfaces: allow
busctl bind as required for systemd 254+
- libvirt interface: allow r/w access to /run/libvirt/libvirt-sock-
ro and read access to /var/lib/libvirt/dnsmasq/**
- fwupd interface: allow access to IMPI devices (including locking
of device nodes), sysfs attributes needed by amdgpu and the COD
capsule update directory
- uio interface: allow configuring UIO drivers from userspace
libraries
- serial-port interface: add support for NXP Layerscape SoC
- lxd-support interface: add attribute enable-unconfined-mode to
require LXD to opt-in to run unconfined
- block-devices interface: add support for ZFS volumes
- system-packages-doc interface: add support for reading jquery and
sphinx documentation
- system-packages-doc interface: workaround to prevent autoconnect
failure for snaps using base bare
- microceph-support interface: allow more types of block devices to
be added as an OSD
- mount-observe interface: allow read access to
/proc/{pid}/task/{tid}/mounts and proc/{pid}/task/{tid}/mountinfo
- polkit interface: changed to not be implicit on core because
installing policy files is not possible
- upower-observe interface: allow stats refresh
- gpg-public-keys interface: allow creating lock file for certain
gpg operations
- shutdown interface: allow access to SetRebootParameter method
- media-control interface: allow device file locking
- u2f-devices interface: support for Trustkey G310H, JaCarta U2F,
Kensington VeriMark Guard, RSA DS100, Google Titan v2
* Wed Mar 06 2024 Ernest Lotter <ernest.lotter@canonical.com>
- New upstream release 2.61.3
- Install systemd files in correct location for 24.04
* Fri Feb 16 2024 Ernest Lotter <ernest.lotter@canonical.com>
- New upstream release 2.61.2
- Fix to enable plug/slot sanitization for prepare-image
- Fix panic when device-service.access=offline
- Support offline remodeling
- Allow offline update only remodels without serial
- Fail early when remodeling to old model revision
- Fix to enable plug/slot sanitization for validate-seed
- Allow removal of core snap on classic systems
- Fix network-control interface denial for file lock on /run/netns
- Add well-known core24 snap-id
- Fix remodel snap installation order
- Prevent remodeling from UC18+ to UC16
- Fix cups auto-connect on classic with cups snap installed
- u2f-devices interface support for GoTrust Idem Key with USB-C
- Fix to restore services after unlink failure
- Add libcudnn.so to Nvidia libraries
- Fix skipping base snap download due to false snapd downgrade
conflict
* Sun Feb 11 2024 Maxwell G <maxwell@gtmx.me> - 2.61.1-2
- Rebuild for golang 1.22.0
* Sat Jan 27 2024 Fedora Release Engineering <releng@fedoraproject.org> - 2.61.1-1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
* Thu Jan 18 2024 Zygmunt Krynicki <me@zygoon.pl> - 2.61.1-1
- Changelog resynchronization
* Wed Jan 17 2024 Zygmunt Krynicki <me@zygoon.pl> - 2.58.3-3
- Require xdelta on Fedora or EPEL >= 9 (for delta updates)
* Fri Nov 24 2023 Ernest Lotter <ernest.lotter@canonical.com>
- New upstream release 2.61.1
- Stop requiring default provider snaps on image building and first
boot if alternative providers are included and available
- Fix auth.json access for login as non-root group ID
- Fix incorrect remodelling conflict when changing track to older
snapd version
- Improved check-rerefresh message
- Fix UC16/18 kernel/gadget update failure due volume mismatch with
installed disk
- Stop auto-import of assertions during install modes
- Desktop interface exposes GetIdletime
- Polkit interface support for new polkit versions
- Fix not applying snapd snap changes in tracked channel when remodelling
* Fri Oct 13 2023 Philip Meulengracht <philip.meulengracht@canonical.com>
- New upstream release 2.61
- Fix control of activated services in 'snap start' and 'snap stop'
- Correctly reflect activated services in 'snap services'
- Disabled services are no longer enabled again when snap is
refreshed
- interfaces/builtin: added support for Token2 U2F keys
- interfaces/u2f-devices: add Swissbit iShield Key
- interfaces/builtin: update gpio apparmor to match pattern that
contains multiple subdirectories under /sys/devices/platform
- interfaces: add a polkit-agent interface
- interfaces: add pcscd interface
- Kernel command-line can now be edited in the gadget.yaml
- Only track validation-sets in run-mode, fixes validation-set
issues on first boot.
- Added support for using store.access to disable access to snap
store
- Support for fat16 partition in gadget
- Pre-seed authority delegation is now possible
- Support new system-user name daemon
- Several bug fixes and improvements around remodelling
- Offline remodelling support
* Fri Sep 15 2023 Michael Vogt <michael.vogt@ubuntu.com>
- New upstream release 2.60.4
- i/b/qualcomm_ipc_router.go: switch to plug/slot and add socket
permission
- interfaces/builtin: fix custom-device udev KERNEL values
- overlord: allow the firmware-updater snap to install user daemons
- interfaces: allow loopback as a block-device
* Fri Aug 25 2023 Michael Vogt <michael.vogt@ubuntu.com>
- New upstream release 2.60.3
- i/b/shared-memory: handle "private" plug attribute in shared-
memory interface correctly
- i/apparmor: support for home.d tunables from /etc/
* Fri Aug 04 2023 Michael Vogt <michael.vogt@ubuntu.com>
- New upstream release 2.60.2
- i/builtin: allow directories in private /dev/shm
- i/builtin: add read access to /proc/task/schedstat in system-
observe
- snap-bootstrap: print version information at startup
- go.mod: update gopkg.in/yaml.v3 to v3.0.1 to fix CVE-2022-28948
- snap, store: filter out invalid snap edited links from store info
and persisted state
- o/configcore: write netplan defaults to 00-snapd-config on seeding
- snapcraft.yaml: pull in apparmor_parser optimization patches from
https://gitlab.com/apparmor/apparmor/-/merge_requests/711
- snap-confine: fix missing \0 after readlink
- cmd/snap: hide append-integrity-data
- interfaces/opengl: add support for ARM Mali
* Sat Jul 22 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.58.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
* Tue Jul 04 2023 Michael Vogt <michael.vogt@ubuntu.com>
- New upstream release 2.60.1
- install: fallback to lazy unmount() in writeFilesystemContent
- data: include "modprobe.d" and "modules-load.d" in preseeded blob
- gadget: fix install test on armhf
- interfaces: fix typo in network_manager_observe
- sandbox/apparmor: don't let vendored apparmor conflict with system
- gadget/update: set parts in laid out data from the ones matched
- many: move SnapConfineAppArmorDir from dirs to sandbox/apparmor
- many: stop using `-O no-expr-simplify` in apparmor_parser
- go.mod: update secboot to latest uc22 branch
* Thu Jun 15 2023 Michael Vogt <michael.vogt@ubuntu.com>
- New upstream release 2.60
- Support for dynamic snapshot data exclusions
- Apparmor userspace is vendored inside the snapd snap
- Added a default-configure hook that exposes gadget default
configuration options to snaps during first install before
services are started
- Allow install from initrd to speed up the initial installation
for systems that do not have a install-device hook
- New `snap sign --chain` flag that appends the account and
account-key assertions
- Support validation-sets in the model assertion
- Support new "min-size" field in gadget.yaml
- New interface: "userns"
* Sat May 27 2023 Michael Vogt <michael.vogt@ubuntu.com>
- New upstream release 2.59.5
- Explicitly disallow the use of ioctl + TIOCLINUX
This fixes CVE-2023-1523.
* Fri May 12 2023 Michael Vogt <michael.vogt@ubuntu.com>
- New upstream release 2.59.4
- Retry when looking for disk label on non-UEFI systems
(LP: #2018977)
- Fix remodel from UC20 to UC22
* Wed May 03 2023 Michael Vogt <michael.vogt@ubuntu.com>
- New upstream release 2.59.3
- Fix quiet boot
- i/b/physical_memory_observe: allow reading virt-phys page mappings
- gadget: warn instead of returning error if overlapping with GPT
header
- overlord,wrappers: restart always enabled units
- go.mod: update github.com/snapcore/secboot to latest uc22
- boot: make sure we update assets for the system-seed-null role
- many: ignore case for vfat partitions when validating
* Tue Apr 18 2023 Michael Vogt <michael.vogt@ubuntu.com>
- New upstream release 2.59.2
- Notify users when a user triggered auto refresh finished
* Tue Mar 28 2023 Michael Vogt <michael.vogt@ubuntu.com>
- New upstream release 2.59.1
- Add udev rules from steam-devices to steam-support interface
- Bugfixes for layout path checking, dm_crypt permissions,
mount-control interface parameter checking, kernel commandline
parsing, docker-support, refresh-app-awareness
* Fri Mar 10 2023 Michael Vogt <michael.vogt@ubuntu.com>
- New upstream release 2.59
- Support setting extra kernel command line parameters via snap
configuration and under a gadget allow-list
- Support for Full-Disk-Encryption using ICE
- Support for arbitrary home dir locations via snap configuration
- New nvidia-drivers-support interface
- Support for udisks2 snap
- Pre-download of snaps ready for refresh and automatic refresh of
the snap when all apps are closed
- New microovn interface
- Support uboot with `CONFIG_SYS_REDUNDAND_ENV=n`
- Make "snap-preseed --reset" re-exec when needed
- Update the fwupd interface to support fully confined fwupd
- The memory,cpu,thread quota options are no longer experimental
- Support debugging snap client requests via the
`SNAPD_CLIENT_DEBUG_HTTP` environment variable
- Support ssh listen-address via snap configuration
- Support for quotas on single services
- prepare-image now takes into account snapd versions going into
the image, including in the kernel initrd, to fetch supported
assertion formats
* Sat Feb 25 2023 Maciek Borzecki <maciek.borzecki@gmail.com> - 2.58.3-1
- Releate 2.58.3 to Fedora RHBZ#2173056
* Tue Feb 21 2023 Michael Vogt <michael.vogt@ubuntu.com>
- New upstream release 2.58.3
- interfaces/screen-inhibit-control: Add support for xfce-power-
manager
- interfaces/network-manager: do not show ptrace read
denials
- interfaces: relax rules for mount-control `what` for functionfs
- cmd/snap-bootstrap: add support for snapd_system_disk
- interfaces/modem-manager: add net_admin capability
- interfaces/network-manager: add permission for OpenVPN
- httputil: fix checking x509 certification error on go 1.20
- i/b/fwupd: allow reading host os-release
- boot: on classic+modes `MarkBootSuccessfull` does not need a base
- boot: do not include `base=` in modeenv for classic+modes installs
- tests: add spread test that validates revert on boot for core does
not happen on classic+modes
- snapstate: only take boot participants into account in
UpdateBootRevisions
- snapstate: refactor UpdateBootRevisions() to make it easier to
check for boot.SnapTypeParticipatesInBoot()
* Wed Jan 25 2023 Michael Vogt <michael.vogt@ubuntu.com>
- New upstream release 2.58.2
- bootloader: fix dirty build by hardcoding copyright year
* Mon Jan 23 2023 Michael Vogt <michael.vogt@ubuntu.com>
- New upstream release 2.58.1
- secboot: detect lockout mode in CheckTPMKeySealingSupported
- cmd/snap-update-ns: prevent keeping unneeded mountpoints
- o/snapstate: do not infinitely retry when an update fails during
seeding
- interfaces/modem-manager: add permissions for NETLINK_ROUTE
- systemd/emulation.go: use `systemctl --root` to enable/disable
- snap: provide more error context in `NotSnapError`
- interfaces: add read access to /run for cryptsetup
- boot: avoid reboot loop if there is a bad try kernel
- devicestate: retry serial acquire on time based certificate
errors
- o/devicestate: run systemctl daemon-reload after install-device
hook
- cmd/snap,daemon: add 'held' to notes in 'snap list'
- o/snapshotstate: check snapshots are self-contained on import
- cmd/snap: show user+gating hold info in 'snap info'
- daemon: expose user and gating holds at /v2/snaps/{name}
* Sat Jan 21 2023 Fedora Release Engineering <releng@fedoraproject.org> - 2.57.6-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
* Fri Dec 16 2022 Maciek Borzecki <maciek.borzecki@gmail.com> - 2.57.6-2
- Fix for RHBZ#2152903
* Thu Dec 01 2022 Michael Vogt <michael.vogt@ubuntu.com>
- New upstream release 2.58
- many: Use /tmp/snap-private-tmp for per-snap private tmps
- data: Add systemd-tmpfiles configuration to create private tmp dir
- cmd/snap: test allowed and forbidden refresh hold values
- cmd/snap: be more consistent in --hold help and err messages
- cmd/snap: error on refresh holds that are negative or too short
- o/homedirs: make sure we do not write to /var on build time
- image: make sure file customizations happen also when we have
defaultscause
- tests/fde-on-classic: set ubuntu-seed label in seed partitions
- gadget: system-seed-null should also have fs label ubuntu-seed
- many: gadget.HasRole, ubuntu-seed can come also from system-seed-
null
- o/devicestate: fix paths for retrieving recovery key on classic
- cmd/snap-confine: do not discard const qualifier
- interfaces: allow python3.10+ in the default template
- o/restart: fix PendingForSystemRestart
- interfaces: allow wayland slot snaps to access shm files created
by Firefox
- o/assertstate: add Sequence() to val set tracking
- o/assertstate: set val set 'Current' to pinned sequence
- tests: tweak the libvirt interface test to work on 22.10
- tests: use system-seed-null role on classic with modes tests
- boot: add directory for data on install
- o/devicestate: change some names from esp to seed/seed-null
- gadget: add system-seed-null role
- o/devicestate: really add error to new error message
- restart,snapstate: implement reboot-required notifications on
classic
- many: avoid automatic system restarts on classic through new
overlord/restart logic
- release: Fix WSL detection in LXD
- o/state: introduce WaitStatus
- interfaces: Fix desktop interface rules for document portal
- client: remove classic check for `snap recovery --show-
keys`
- many: create snapd.mounts targets to schedule mount units
- image: enable sysfs overlay for UC preseeding
- i/b/network-control: add permissions for using AF_XDP
- i/apparmor: move mocking of home and overlay conditions to osutil
- tests/main/degraded: ignore man-db update failures in CentOS
- cmd/snap: fix panic when running snap w/ flag but w/o subcommand
- tests: save snaps generated during image preaparation
- tests: skip building snapd based on new env var
- client: remove misleading comments in ValidateApplyOptions
- boot/seal: add debug traces for bootchains
- bootloader/assets: fix grub.cfg when there are no labels
- cmd/snap: improve refresh hold's output
- packaging: enable BPF in RHEL9
- packaging: do not traverse filesystems in postrm script
- tests: get microk8s from another branch
- bootloader: do not specify Core version in grub entry
- many: refresh --hold follow-up
- many: support refresh hold/unhold to API and CLI
- many: expand fully handling links mapping in all components, in
the API and in snap info
- snap/system_usernames,tests: Azure IoT Edge system usernames
- interface: Allow access to
org.freedesktop.DBus.ListActivatableNames via system-observe
interface
- o/devicestate,daemon: use the expiration date from the assertion
in user-state and REST api (user-removal 4/n)
- gadget: add unit tests for new install functions for FDE on
classic
- cmd/snap-seccomp: fix typo in AF_XDP value
- tests/connected-after-reboot-revert: run also on UC16
- kvm: allow read of AMD-SEV parameters
- data: tweak apt integration config var
- o/c/configcore: add faillock configuration
- tests: use dbus-daemon instead of dbus-launch
- packaging: remove unclean debian-sid patch
- asserts: add keyword 'user-presence' keyword in system-user
assertion (auto-removal 3/n)
- interfaces: steam-support allow pivot /run/media and /etc/nvidia
mount
- aspects: initial code
- overlord: process auto-import assertion at first boot
- release, snapd-apparmor, syscheck: distinguish WSL1 and WSL2
- tests: fix lxd-mount-units in ubuntu kinetic
- tests: new variable used to configure the kernel command line in
nested tests
- go.mod: update to newer secboot/uc22 branch
- autopkgtests: fix running autopkgtest on kinetic
- tests: remove squashfs leftovers in fakeinstaller
- tests: create partition table in fakeinstaller
- o/ifacestate: introduce DebugAutoConnectCheck hook
- tests: use test-snapd-swtpm instead of swtpm-mvo snap in nested
helper
- interfaces/polkit: do not require polkit directory if no file is
needed
- o/snapstate: be consistent not creating per-snap save dirs for
classic models
- inhibit: use hintFile()
- tests: use `snap prepare-image` in fde-on-classic mk-image.sh
- interfaces: add microceph interface
- seccomp: allow opening XDP sockets
- interfaces: allow access to icon subdirectories
- tests: add minimal-smoke test for UC22 and increase minimal RAM
- overlord: introduce hold levels in the snapstate.Hold* API
- o/devicestate: support mounting ubuntu-save also on classic with
modes
- interfaces: steam-support allow additional mounts
- fakeinstaller: format SystemDetails result with %+v
- cmd/libsnap-confine-private: do not panic on chmod failure
- tests: ensure that fakeinstaller put the seed into the right place
- many: add stub services for prompting
- tests: add libfwupd and libfwupdplugin5 to openSUSE dependencies
- o/snapstate: fix snaps-hold pruning/reset in the presence of
system holding
- many: add support for setting up encryption from installer
- many: support classic snaps in the context of classic and extended
models
- cmd/snap,daemon: allow zero values from client to daemon for
journal rate limit
- boot,o/devicestate: extend HasFDESetupHook to consider unrelated
kernels
- cmd/snap: validation set refresh-enforce CLI support + spread test
- many: fix filenames written in modeenv for base/gadget plus drive-
by TODO
- seed: fix seed test to use a pseudo-random byte sequence
- cmd/snap-confine: remove setuid calls from cgroup init code
- boot,o/devicestate: introduce and use MakeRunnableStandaloneSystem
- devicestate,boot,tests: make `fakeinstaller` test work
- store: send Snap-Device-Location header with cloud information
- overlord: fix unit tests after merging master in
- o/auth: move HasUserExpired into UserState and name it HasExpired,
and add unit tests for this
- o/auth: rename NewUserData to NewUserParams
- many: implementation of finish install step handlers
- overlord: auto-resolve validation set enforcement constraints
- i/backends,o/ifacestate: cleanup backends.All
- cmd/snap-confine: move bind-mount setup into separate function
- tests/main/mount-ns: update namespace for 18.04
- o/state: Hold pseudo-error for explicit holding, concept of
pending changes in prune logic
- many: support extended classic models that omit kernel/gadget
- data/selinux: allow snapd to detect WSL
- overlord: add code to remove users that has an expiration date set
- wrappers,snap/quota: clear LogsDirectory= in the service unit for
journal namespaces
- daemon: move user add, remove operations to overlord device state
- gadget: implement write content from gadget information
- {device,snap}state: fix ineffectual assignments
- daemon: support validation set refresh+enforce in API
- many: rename AddAffected* to RegisterAffected*, add
Change|State.Has, fix a comment
- many: reset store session when setting proxy.store
- overlord/ifacestate: fix conflict detection of auto-connection
- interfaces: added read/write access to /proc/self/coredump_filter
for process-control
- interfaces: add read access to /proc/cgroups and
/proc/sys/vm/swappiness to system-observe
- fde: run fde-reveal-key with `DefaultDependencies=no`
- many: don't concatenate non-constant format strings
- o/devicestate: fix non-compiling test
- release, snapd-apparmor: fixed outdated WSL detection
- many: add todos discussed in the review in
tests/nested/manual/fde-on-classic, snapstate cleanups
- overlord: run install-device hook during factory reset
- i/b/mount-control: add optional `/` to umount rules
- gadget/install: split Run in several functions
- o/devicestate: refactor some methods as preparation for install
steps implementation
- tests: fix how snaps are cached in uc22
- tests/main/cgroup-tracking-failure: fix rare failure in Xenial and
Bionic
- many: make {Install,Initramfs}{{,Host},Writable}Dir a function
- tests/nested/manual/core20: fix manual test after changes to
'tests.nested exec'
- tests: move the unit tests system to 22.04 in github actions
workflow
- tests: fix nested errors uc20
- boot: rewrite switch in SnapTypeParticipatesInBoot()
- gadget: refactor to allow usage from the installer
- overlord/devicestate: support for mounting ubuntu-save before the
install-device hook
- many: allow to install/update kernels/gadgets on classic with
modes
- tests: fix issues related to dbus session and localtime in uc18
- many: support home dirs located deeper under /home
- many: refactor tests to use explicit strings instead of
boot.Install{Initramfs,Host}{Writable,FDEData}Dir
- boot: add factory-reset cases for boot-flags
- tests: disable quota tests on arm devices using ubuntu core
- tests: fix unbound SPREAD_PATH variable on nested debug session
- overlord: start turning restart into a full state manager
- boot: apply boot logic also for classic with modes boot snaps
- tests: fix snap-env test on debug section when no var files were
created
- overlord,daemon: allow returning errors when requesting a restart
- interfaces: login-session-control: add further D-Bus interfaces
- snapdenv: added wsl to userAgent
- o/snapstate: support running multiple ops transactionally
- store: use typed valset keys in store package
- daemon: add `ensureStateSoon()` when calling systems POST api
- gadget: add rules for validating classic with modes gadget.yaml
files
- wrappers: journal namespaces did not honor journal.persistent
- many: stub devicestate.Install{Finish,SetupStorageEncryption}()
- sandbox/cgroup: don't check V1 cgroup if V2 is active
- seed: add support to load auto import assertion
- tests: fix preseed tests for arm systems
- include/lk: update LK recovery environment definition to include
device lock state used by bootloader
- daemon: return `storage-encryption` in /systems/<label> reply
- tests: start using remote tools from snapd-testing-tools project
in nested tests
- tests: fix non mountable filesystem error in interfaces-udisks2
- client: clarify what InstallStep{SetupStorageEncryption,Finish} do
- client: prepare InstallSystemOptions for real use
- usersession: Remove duplicated struct
- o/snapstate: support specific revisions in UpdateMany/InstallMany
- i/b/system_packages_doc: restore access to Libreoffice
documentation
- snap/quota,wrappers: allow using 0 values for the journal rate
limit
- tests: add kinetic images to the gce bucket for preseed test
- multiple: clear up naming convention for thread quota
- daemon: implement stub `"action": "install"`
- tests/main/snap-quota-{install/journal}: fix unstable spread tests
- tests: remove code for old systems not supported anymore
- tests: third part of the nested helper cleanup
- image: clean snapd mount after preseeding
- tests: use the new ubuntu kinetic image
- i/b/system_observe: honour root dir when checking for
/boot/config-*
- tests: restore microk8s test on 16.04
- tests: run spread tests on arm64 instances in google cloud
- tests: skip interfaces-udisks2 in fedora
- asserts,boot,secboot: switch to a secboot version measuring
classic
- client: add API for GET /systems/<label>
- overlord: frontend for --quota-group support (2/2)
- daemon: add GET support for `/systems/<seed-label>`
- i/b/system-observe: allow reading processes security label
- many: support '--purge' when removing multiple snaps
- snap-confine: remove obsolete code
- interfaces: rework logic of unclashMountEntries
- data/systemd/Makefile: add comment warning about "snapd." prefix
- interfaces: grant access to speech-dispatcher socket (bug 1787245)
- overlord/servicestate: disallow removal of quota group with any
limits set
- data: include snapd/mounts in preseeded blob
- many: Set SNAPD_APPARMOR_REEXEC=1
- store/tooling,tests: support UBUNTU_STORE_URL override env var
- multiple: clear up naming convention for cpu-set quota
- tests: improve and standardize debug section on tests
- device: add new DeviceManager.encryptionSupportInfo()
- tests: check snap download with snapcraft v7+ export-login auth
data
- cmd/snap-bootstrap: changes to be able to boot classic rootfs
- tests: fix debug section for test uc20-create-partitions
- overlord: --quota-group support (1/2)
- asserts,cmd/snap-repair: drop not pursued
AuthorityDelegation/signatory-id
- snap-bootstrap: add CVM mode* snap-bootstrap: add classic runmode
- interfaces: make polkit implicit on core if /usr/libexec/polkitd
exists
- multiple: move arguments for auth.NewUser into a struct (auto-
removal 1/n)
- overlord: track security profiles for non-active snaps
- tests: remove NESTED_IMAGE_ID from nested manual tests
- tests: add extra space to ubuntu bionic
- store/tooling: support using snapcraft v7+ base64-encoded auth
data
- overlord: allow seeding in the case of classic with modes system
- packaging/*/tests/integrationtests: reload ssh.service, not
sshd.service
- tests: rework snap-logs-journal test and add missing cleanup
- tests: add spread test for journal quotas
- tests: run spread tests in ubuntu kinetic
- o/snapstate: extend support for holding refreshes
- devicestate: return an error in checkEncryption() if KernelInfo
fails
- tests: fix sbuild test on debian sid
- o/devicestate: do not run tests in this folder twice
- sandbox/apparmor: remove duplicate hook into testing package
- many: refactor store code to be able to use simpler form of auth
creds
- snap,store: drop support/consideration for anonymous download urls
- data/selinux: allow snaps to read certificates
- many: add Is{Core,Classic}Boot() to DeviceContext
- o/assertstate: don't refresh enforced validation sets during check
- go.mod: replace maze.io/x/crypto with local repo
- many: fix unnecessary use of fmt.Sprintf
- bootloader,systemd: fix `don't use Yoda conditions (ST1017)`
- HACKING.md: extend guidelines with common review comments
- many: progress bars should use the overridable stdouts
- tests: remove ubuntu 21.10 from sru validation
- tests: import remote tools
- daemon,usersession: switch from HeaderMap to Header in tests
- asserts: add some missing `c.Check()` in the asserts test
- strutil: fix VersionCompare() to allow multiple `-` in the version
- testutil: remove unneeded `fmt.Sprintf`
- boot: remove some unneeded `fmt.Sprintf()` calls
- tests: implement prepare_gadget and prepare_base and unify all the
version
- o/snapstate: refactor managed refresh schedule logic
- o/assertstate, snapasserts: implementation of
assertstate.TryEnforceValidationSets function
- interfaces: add kconfig paths to system-observe
- dbusutil: move debian patch into dbustest
- many: change name and input of CheckProvenance to clarify usage
- tests: Fix a missing parameter in command to wait for device
- tests: Work-around non-functional --wait on systemctl
- tests: unify the way the snapd/core and kernel are repacked in
nested helper
- tests: skip interfaces-ufisks2 on centos-9
- i/b/mount-control: allow custom filesystem types
- interfaces,metautil: make error handling in getPaths() more
targeted
- cmd/snap-update-ns: handle mountpoint removal failures with EBUSY
- tests: fix pc-kernel repacking
- systemd: add `WantedBy=default.target` to snap mount units
- tests: disable microk8s test on 16.04
* Wed Nov 30 2022 Maciek Borzecki <maciek.borzecki@gmail.com> - 2.57.6-1
- Release 2.57.6 to Fedora
* Tue Nov 15 2022 Michael Vogt <michael.vogt@ubuntu.com>
- New upstream release 2.57.6
- SECURITY UPDATE: Local privilege escalation
- snap-confine: Fix race condition in snap-confine when preparing a
private tmp mount namespace for a snap
- CVE-2022-3328
* Mon Oct 17 2022 Michael Vogt <michael.vogt@ubuntu.com>
- New upstream release 2.57.5
- image: clean snapd mount after preseeding
- wrappers,snap/quota: clear LogsDirectory= in the service unit
for journal namespaces
- cmd/snap,daemon: allow zero values from client to daemon for
journal rate-limit
- interfaces: steam-support allow pivot /run/media and /etc/nvidia
mount
- o/ifacestate: introduce DebugAutoConnectCheck hook
- release, snapd-apparmor, syscheck: distinguish WSL1 and WSL2
- autopkgtests: fix running autopkgtest on kinetic
- interfaces: add microceph interface
- interfaces: steam-support allow additional mounts
- many: add stub services
- interfaces: add kconfig paths to system-observe
- i/b/system_observe: honour root dir when checking for
/boot/config-*
- interfaces: grant access to speech-dispatcher socket
- interfaces: rework logic of unclashMountEntries
* Thu Sep 29 2022 Michael Vogt <michael.vogt@ubuntu.com>
- New upstream release 2.57.4
- release, snapd-apparmor: fixed outdated WSL detection
- overlord/ifacestate: fix conflict detection of auto-connection
- overlord: run install-device hook during factory reset
- image/preseed/preseed_linux: add missing new line
- boot: add factory-reset cases for boot-flags.
- interfaces: added read/write access to /proc/self/coredump_filter
for process-control
- interfaces: add read access to /proc/cgroups and
/proc/sys/vm/swappiness to system-observe
- fde: run fde-reveal-key with `DefaultDependencies=no`
- snapdenv: added wsl to userAgent
- tests: fix restore section for persistent-journal-namespace
- i/b/mount-control: add optional `/` to umount rules
- cmd/snap-bootstrap: changes to be able to boot classic rootfs
- cmd/snap-bootstrap: add CVM mode
* Thu Sep 15 2022 Michael Vogt <michael.vogt@ubuntu.com>
- New upstream release 2.57.3
- wrappers: journal namespaces did not honor journal.persistent
- snap/quota,wrappers: allow using 0 values for the journal rate to
override the system default values
- multiple: clear up naming convention for cpu-set quota
- i/b/mount-control: allow custom filesystem types
- i/b/system-observe: allow reading processes security label
- sandbox/cgroup: don't check V1 cgroup if V2 is active
- asserts,boot,secboot: switch to a secboot version measuring
classic
* Fri Sep 02 2022 Michael Vogt <michael.vogt@ubuntu.com>
- New upstream release 2.57.2
- store/tooling,tests: support UBUNTU_STORE_URL override env var
- packaging/*/tests/integrationtests: reload ssh.service, not
sshd.service
- tests: check snap download with snapcraft v7+ export-login auth
data
- store/tooling: support using snapcraft v7+ base64-encoded auth
data
- many: progress bars should use the overridable stdouts
- many: refactor store code to be able to use simpler form of auth
creds
- snap,store: drop support/consideration for anonymous download urls
- data: include snapd/mounts in preseeded blob
- many: Set SNAPD_APPARMOR_REEXEC=1
- overlord: track security profiles for non-active snaps
|