From 47a18f3d2bbce275366342f621ce362d189cc1bc Mon Sep 17 00:00:00 2001 From: Neal Gompa Date: Jan 25 2018 08:37:21 +0000 Subject: Release 2.30 to Fedora (RH#1527519) - Backport fix to correctly locate snapd libexecdir on Fedora derivatives (RH#1536895) - Refresh SELinux policy fix patches with upstream backport version --- diff --git a/.gitignore b/.gitignore index 706cd05..0103534 100644 --- a/.gitignore +++ b/.gitignore @@ -15,3 +15,4 @@ /snapd-2.28.4.tar.gz /snapd-2.28.5.tar.gz /snapd-2.29.4.tar.gz +/snapd-2.30.tar.gz diff --git a/0001-cmd-use-libtool-for-the-internal-library.patch b/0001-cmd-use-libtool-for-the-internal-library.patch index 56ee24f..4233100 100644 --- a/0001-cmd-use-libtool-for-the-internal-library.patch +++ b/0001-cmd-use-libtool-for-the-internal-library.patch @@ -1,4 +1,4 @@ -From 8cf292e721a287567ff3e8dfd8dca03f3f3c93fb Mon Sep 17 00:00:00 2001 +From 9b7338d55d8d6ecd92656e2a0de1626e902352db Mon Sep 17 00:00:00 2001 From: Zygmunt Krynicki Date: Mon, 6 Mar 2017 20:26:26 +0100 Subject: [PATCH] cmd: use libtool for the internal library @@ -14,10 +14,10 @@ Signed-off-by: Zygmunt Krynicki 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/cmd/Makefile.am b/cmd/Makefile.am -index 90ee4b9..7c7dbbb 100644 +index 9063a16bb..bed9a5b84 100644 --- a/cmd/Makefile.am +++ b/cmd/Makefile.am -@@ -58,12 +58,12 @@ snap-seccomp/snap-seccomp: snap-seccomp/*.go +@@ -66,12 +66,12 @@ snap-seccomp/snap-seccomp: snap-seccomp/*.go cd snap-seccomp && GOPATH=$(or $(GOPATH),$(realpath $(srcdir)/../../../../..)) go build -i -v ## @@ -33,7 +33,7 @@ index 90ee4b9..7c7dbbb 100644 libsnap-confine-private/cgroup-freezer-support.c \ libsnap-confine-private/cgroup-freezer-support.h \ libsnap-confine-private/classic.c \ -@@ -138,7 +138,7 @@ noinst_PROGRAMS += decode-mount-opts/decode-mount-opts +@@ -147,7 +147,7 @@ noinst_PROGRAMS += decode-mount-opts/decode-mount-opts decode_mount_opts_decode_mount_opts_SOURCES = \ decode-mount-opts/decode-mount-opts.c 
@@ -42,34 +42,34 @@ index 90ee4b9..7c7dbbb 100644 decode_mount_opts_decode_mount_opts_STATIC = if STATIC_LIBCAP -@@ -192,7 +192,7 @@ snap_confine_snap_confine_SOURCES = \ +@@ -201,7 +201,7 @@ snap_confine_snap_confine_SOURCES = \ - snap_confine_snap_confine_CFLAGS = -Wall -Werror $(AM_CFLAGS) -DLIBEXECDIR=\"$(libexecdir)\" + snap_confine_snap_confine_CFLAGS = $(CHECK_CFLAGS) $(AM_CFLAGS) -DLIBEXECDIR=\"$(libexecdir)\" snap_confine_snap_confine_LDFLAGS = $(AM_LDFLAGS) -snap_confine_snap_confine_LDADD = libsnap-confine-private.a +snap_confine_snap_confine_LDADD = libsnap-confine-private.la snap_confine_snap_confine_CFLAGS += $(LIBUDEV_CFLAGS) snap_confine_snap_confine_LDADD += $(LIBUDEV_LIBS) # _STATIC is where we collect statically linked in libraries -@@ -364,7 +364,7 @@ snap_discard_ns_snap_discard_ns_SOURCES = \ +@@ -367,7 +367,7 @@ snap_discard_ns_snap_discard_ns_SOURCES = \ snap-discard-ns/snap-discard-ns.c - snap_discard_ns_snap_discard_ns_CFLAGS = -Wall -Werror $(AM_CFLAGS) + snap_discard_ns_snap_discard_ns_CFLAGS = $(CHECK_CFLAGS) $(AM_CFLAGS) snap_discard_ns_snap_discard_ns_LDFLAGS = $(AM_LDFLAGS) -snap_discard_ns_snap_discard_ns_LDADD = libsnap-confine-private.a +snap_discard_ns_snap_discard_ns_LDADD = libsnap-confine-private.la snap_discard_ns_snap_discard_ns_STATIC = if APPARMOR -@@ -405,7 +405,7 @@ system_shutdown_system_shutdown_SOURCES = \ +@@ -408,7 +408,7 @@ system_shutdown_system_shutdown_SOURCES = \ system-shutdown/system-shutdown-utils.c \ system-shutdown/system-shutdown-utils.h \ system-shutdown/system-shutdown.c -system_shutdown_system_shutdown_LDADD = libsnap-confine-private.a +system_shutdown_system_shutdown_LDADD = libsnap-confine-private.la - system_shutdown_system_shutdown_CFLAGS = $(filter-out -fPIE -pie,$(CFLAGS)) -static + system_shutdown_system_shutdown_CFLAGS = $(CHECK_CFLAGS) $(filter-out -fPIE -pie,$(CFLAGS)) -static system_shutdown_system_shutdown_LDFLAGS = $(filter-out -fPIE -pie,$(LDFLAGS)) -static -@@ -415,7 +415,7 @@ 
system_shutdown_unit_tests_SOURCES = \ +@@ -418,7 +418,7 @@ system_shutdown_unit_tests_SOURCES = \ libsnap-confine-private/unit-tests-main.c \ libsnap-confine-private/unit-tests.c \ system-shutdown/system-shutdown-utils-test.c @@ -79,7 +79,7 @@ index 90ee4b9..7c7dbbb 100644 system_shutdown_unit_tests_LDADD += $(GLIB_LIBS) endif diff --git a/cmd/configure.ac b/cmd/configure.ac -index f2e6ce6..976e1d0 100644 +index f2e6ce6ef..976e1d0ed 100644 --- a/cmd/configure.ac +++ b/cmd/configure.ac @@ -11,7 +11,8 @@ AC_PROG_CC_C99 diff --git a/1001-data-selinux-allow-messages-from-policykit.patch b/1001-data-selinux-allow-messages-from-policykit.patch new file mode 100644 index 0000000..705cd81 --- /dev/null +++ b/1001-data-selinux-allow-messages-from-policykit.patch 
@@ -0,0 +1,42 @@
+From ebe68ccbe2a0198629e3e012315bac6ec1252bbd Mon Sep 17 00:00:00 2001
+From: Maciej Borzecki
+Date: Fri, 15 Dec 2017 17:05:50 +0100
+Subject: [PATCH 1001/1003] data/selinux: allow messages from policykit
+
+snapd talks to polkitd over DBus and calls
+org.freedesktop.PolicyKit1.Authority.CheckAuthorization() method. The default
+SELinux policy prevents polkitd from sending a reply back to snapd.
+
+Resolves: https://forum.snapcraft.io/t/selinux-blocking-snapd-since-update-on-fedora-27/3002
+
+Quoting dbus-daemon manual (SELinux section):
+
+ > First, any time a message is routed from one connection to another connection,
+ > the bus daemon will check permissions with the security context of the first
+ > connection as source, security context of the second connection as target,
+ > object class "dbus" and requested permission "send_msg".
+
+The change adds adjusts the policy to allow DBus messages (dbus send_msg) to be
+sent from processes with type polkit_t (polkitd) to processes with type
+snappy_t (snapd).
+
+Signed-off-by: Maciej Borzecki
+---
+ data/selinux/snappy.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/data/selinux/snappy.te b/data/selinux/snappy.te
+index 50d58d42d..262f28890 100644
+--- a/data/selinux/snappy.te
++++ b/data/selinux/snappy.te
+@@ -215,3 +215,7 @@ corenet_tcp_sendrecv_dns_port(snappy_t)
+ corenet_udp_sendrecv_dns_port(snappy_t)
+ corenet_tcp_connect_dns_port(snappy_t)
+ corenet_sendrecv_dns_client_packets(snappy_t)
++
++# allow polkit to reply to snapd
++gen_require(` type policykit_t; class dbus send_msg; ')
++allow policykit_t snappy_t:dbus send_msg;
+--
+2.14.3
+
diff --git a/1002-data-selinux-bump-policy-version-to-0.0.13.patch b/1002-data-selinux-bump-policy-version-to-0.0.13.patch
new file mode 100644
index 0000000..17efb37
--- /dev/null
+++ b/1002-data-selinux-bump-policy-version-to-0.0.13.patch
@@ -0,0 +1,26 @@
+From bbb4e664b54d078fc76537ed954128a7bf9d34a8 Mon Sep 17 00:00:00 2001
+From: Maciej Borzecki
+Date: Mon, 18 Dec 2017 07:19:28 +0100
+Subject: [PATCH 1002/1003] data/selinux: bump policy version to 0.0.13
+
+Signed-off-by: Maciej Borzecki
+---
+ data/selinux/snappy.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/data/selinux/snappy.te b/data/selinux/snappy.te
+index 262f28890..3370fb394 100644
+--- a/data/selinux/snappy.te
++++ b/data/selinux/snappy.te
+@@ -17,7 +17,7 @@
+ # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+
+-policy_module(snappy,0.0.12)
++policy_module(snappy,0.0.13)
+
+ ########################################
+ #
+--
+2.14.3
+
diff --git a/1003-data-selinux-add-policykit_dbus_chat.patch b/1003-data-selinux-add-policykit_dbus_chat.patch
new file mode 100644
index 0000000..8c7617b
--- /dev/null
+++ b/1003-data-selinux-add-policykit_dbus_chat.patch
@@ -0,0 +1,31 @@
+From 57a9c3b627a970a73947a2d45d16d0baf4d4f027 Mon Sep 17 00:00:00 2001
+From: Maciej Borzecki
+Date: Mon, 18 Dec 2017 08:09:38 +0100
+Subject: [PATCH 1003/1003] data/selinux: add policykit_dbus_chat()
+
+Add an optional policy to allow policykit_dbus_chat(). Enables sending to and
+receiving messages from policykit.
+
+Signed-off-by: Maciej Borzecki
+---
+ data/selinux/snappy.te | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/data/selinux/snappy.te b/data/selinux/snappy.te
+index 3370fb394..cd2f0fccc 100644
+--- a/data/selinux/snappy.te
++++ b/data/selinux/snappy.te
+@@ -216,6 +216,7 @@ corenet_udp_sendrecv_dns_port(snappy_t)
+ corenet_tcp_connect_dns_port(snappy_t)
+ corenet_sendrecv_dns_client_packets(snappy_t)
+
+-# allow polkit to reply to snapd
+-gen_require(` type policykit_t; class dbus send_msg; ')
+-allow policykit_t snappy_t:dbus send_msg;
++# allow communication with polkit over dbus
++optional_policy(`
++ policykit_dbus_chat(snappy_t)
++')
+--
+2.14.3
+
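Review bot: The `policykit_dbus_chat(snappy_t)` call added by patch 1003 is wider than the rule it replaces: patch 1001 allowed only `policykit_t` to send to `snappy_t`, while the interface, as the patch description says, covers both sending and receiving. The comment `# allow communication with polkit over dbus` does not say why both directions are needed; I would record the reason, for example `# snapd calls org.freedesktop.PolicyKit1.Authority.CheckAuthorization() and must receive the reply`. Wrapping the call in `optional_policy` presumably means the rule is dropped without error when the policykit module is absent, which deserves a line in the same comment.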
diff --git a/1101-dirs-check-if-distro-is-like-fedora-when-picking-pat.patch b/1101-dirs-check-if-distro-is-like-fedora-when-picking-pat.patch
new file mode 100644
index 0000000..9116373
--- /dev/null
+++ b/1101-dirs-check-if-distro-is-like-fedora-when-picking-pat.patch
@@ -0,0 +1,40 @@
+From fbfee0ea2b7c43de58b2091ee231cc988a9ef925 Mon Sep 17 00:00:00 2001
+From: Maciej Borzecki
+Date: Tue, 16 Jan 2018 13:42:42 +0100
+Subject: [PATCH 1101/1102] dirs: check if distro 'is like' fedora when picking
+ path to libexecdir
+
+The original bug report [1] comes from Korora, a Fedora derivative. Address it
+by checking if distro 'is like' fedora rather than using a hardcoded list of
+options. Both RHEL and CentOS list ID_LIKE="..fedora.." in their /etc/os-release
+files. Korora, being a derivative also has ID_LIKE="fedora".
+
+[1]. https://bugs.launchpad.net/snappy/+bug/1743301
+
+Signed-off-by: Maciej Borzecki
+---
+ dirs/dirs.go | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/dirs/dirs.go b/dirs/dirs.go
+index 1d0175eea..5db1174de 100644
+--- a/dirs/dirs.go
++++ b/dirs/dirs.go
+@@ -228,10 +228,11 @@ func SetRootDir(rootdir string) {
+ LocaleDir = filepath.Join(rootdir, "/usr/share/locale")
+ ClassicDir = filepath.Join(rootdir, "/writable/classic")
+
+- switch release.ReleaseInfo.ID {
+- case "fedora", "centos", "rhel":
++ if release.DistroLike("fedora") {
++ // rhel, centos, fedora and derivatives
++ // both rhel and centos list "fedora" in ID_LIKE
+ DistroLibExecDir = filepath.Join(rootdir, "/usr/libexec/snapd")
+- default:
++ } else {
+ DistroLibExecDir = filepath.Join(rootdir, "/usr/lib/snapd")
+ }
+
+--
+2.14.3
+
diff --git a/1102-cmd-snap-use-distro-snap-exec-when-running-under-cla.patch b/1102-cmd-snap-use-distro-snap-exec-when-running-under-cla.patch
new file mode 100644
index 0000000..ba519dc
--- /dev/null
+++ b/1102-cmd-snap-use-distro-snap-exec-when-running-under-cla.patch
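Review bot: Patch 1101 changes how `DistroLibExecDir` is chosen in `SetRootDir` but its diffstat lists only dirs/dirs.go, so the new `release.DistroLike("fedora")` branch ships without a test. The inline comment says rhel, centos and fedora are all covered, which depends on `DistroLike` matching the distribution's own ID as well as ID_LIKE; that helper is not visible in the hunk, so the claim cannot be confirmed here. The tests in patch 1102 look up snap-confine and snap-exec under this directory, so a wrong choice selects the wrong helper binaries. I would add cases for an ID of fedora with no ID_LIKE, a derivative whose ID_LIKE contains fedora, and an unrelated distribution. SetRootDir's body starts and ends outside the hunk.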
@@ -0,0 +1,116 @@
+From e5b3564dceaa7108caf7d3720c15568e245af7e5 Mon Sep 17 00:00:00 2001
+From: Maciej Borzecki
+Date: Wed, 3 Jan 2018 08:57:14 +0100
+Subject: [PATCH 1102/1102] cmd/snap: use distro snap-exec when running under
+ classic confinement
+
+We have used a hardcoded path to snap-exec pointing to 'core'
+libexec (/usr/lib/snapd) directory. Subsequently we tried to run snap-exec from
+that location through snap-confine. When classic confinement is in effect,
+snap-confine does not set up a mount namespace where the 'core' snap is a
+rootfs, thus we are running off the distro's root filesystem. In such case, the
+path to snap-exec may or may not be valid, depending on whether the distro's
+libexec directory coincides with the path from 'core'. The assumption would be
+invalid on distributions where libexec is under a different path, eg. Fedora
+where snapd's libexecdir is /usr/libexec/snapd.
+
+Fix the issue by using snap-exec from distro specific libexec directory when
+running under classic confinement. Should 'snap' be reexeced from the 'core'
+snap, use the 'core' snap version of snap-exec too.
+
+Partially addresses: https://bugs.launchpad.net/snapd/+bug/1736939
+
+Signed-off-by: Maciej Borzecki
+---
+ cmd/snap/cmd_run.go | 19 ++++++++++++++++++-
+ cmd/snap/cmd_run_test.go | 42 +++++++++++++++++++++++++++++++++++++++++-
+ 2 files changed, 59 insertions(+), 2 deletions(-)
+
+diff --git a/cmd/snap/cmd_run.go b/cmd/snap/cmd_run.go
+index c94de6687..122433019 100644
+--- a/cmd/snap/cmd_run.go
++++ b/cmd/snap/cmd_run.go
+@@ -459,7 +459,24 @@ func runSnapConfine(info *snap.Info, securityTag, snapApp, command, hook string,
+ cmd = append(cmd, "--base", info.Base)
+ }
+ cmd = append(cmd, securityTag)
+- cmd = append(cmd, filepath.Join(dirs.CoreLibExecDir, "snap-exec"))
++
++ // when under confinement, snap-exec is run from 'core' snap rootfs
++ snapExecPath := filepath.Join(dirs.CoreLibExecDir, "snap-exec")
++
++ if info.NeedsClassic() {
++ // running with classic confinement, carefully pick snap-exec we
++ // are going to use
++ if isReexeced() {
++ // same rule as when choosing the location of snap-confine
++ snapExecPath = filepath.Join(dirs.SnapMountDir, "core/current",
++ dirs.CoreLibExecDir, "snap-exec")
++ } else {
++ // there is no mount namespace where 'core' is the
++ // rootfs, hence we need to use distro's snap-exec
++ snapExecPath = filepath.Join(dirs.DistroLibExecDir, "snap-exec")
++ }
++ }
++ cmd = append(cmd, snapExecPath)
+
+ if command != "" {
+ cmd = append(cmd, "--command="+command)
+diff --git a/cmd/snap/cmd_run_test.go b/cmd/snap/cmd_run_test.go
+index b90308abf..3e61f1c28 100644
+--- a/cmd/snap/cmd_run_test.go
++++ b/cmd/snap/cmd_run_test.go
+@@ -158,9 +158,49 @@ func (s *SnapSuite) TestSnapRunClassicAppIntegration(c *check.C) {
+ c.Check(execArgs, check.DeepEquals, []string{
+ filepath.Join(dirs.DistroLibExecDir, "snap-confine"), "--classic",
+ "snap.snapname.app",
+- filepath.Join(dirs.CoreLibExecDir, "snap-exec"),
++ filepath.Join(dirs.DistroLibExecDir, "snap-exec"),
+ "snapname.app", "--arg1", "arg2"})
+ c.Check(execEnv, 
testutil.Contains, "SNAP_REVISION=x2") ++ ++} ++ ++func (s *SnapSuite) TestSnapRunClassicAppIntegrationReexeced(c *check.C) { ++ mountedCorePath := filepath.Join(dirs.SnapMountDir, "core/current") ++ mountedCoreLibExecPath := filepath.Join(mountedCorePath, dirs.CoreLibExecDir) ++ ++ defer mockSnapConfine(mountedCoreLibExecPath)() ++ ++ // mock installed snap ++ si := snaptest.MockSnap(c, string(mockYaml)+"confinement: classic\n", string(mockContents), &snap.SideInfo{ ++ Revision: snap.R("x2"), ++ }) ++ err := os.Symlink(si.MountDir(), filepath.Join(si.MountDir(), "../current")) ++ c.Assert(err, check.IsNil) ++ ++ restore := snaprun.MockOsReadlink(func(name string) (string, error) { ++ // pretend 'snap' is reexeced from 'core' ++ return filepath.Join(mountedCorePath, "usr/bin/snap"), nil ++ }) ++ defer restore() ++ ++ execArg0 := "" ++ execArgs := []string{} ++ execEnv := []string{} ++ restorer := snaprun.MockSyscallExec(func(arg0 string, args []string, envv []string) error { ++ execArg0 = arg0 ++ execArgs = args ++ execEnv = envv ++ return nil ++ }) ++ defer restorer() ++ rest, err := snaprun.Parser().ParseArgs([]string{"run", "snapname.app", "--arg1", "arg2"}) ++ c.Assert(err, check.IsNil) ++ c.Assert(rest, check.DeepEquals, []string{"snapname.app", "--arg1", "arg2"}) ++ c.Check(execArgs, check.DeepEquals, []string{ ++ filepath.Join(mountedCoreLibExecPath, "snap-confine"), "--classic", ++ "snap.snapname.app", ++ filepath.Join(mountedCoreLibExecPath, "snap-exec"), ++ "snapname.app", "--arg1", "arg2"}) + } + + func (s *SnapSuite) TestSnapRunAppWithCommandIntegration(c *check.C) { +-- +2.14.3 + diff --git a/snapd.spec b/snapd.spec index 88158c5..280c984 100644 --- a/snapd.spec +++ b/snapd.spec @@ -65,8 +65,8 @@ %endif Name: snapd -Version: 2.29.4 -Release: 3%{?dist} +Version: 2.30 +Release: 1%{?dist} Summary: A transactional software package manager Group: System Environment/Base License: GPLv3 
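Review bot: `TestSnapRunClassicAppIntegrationReexeced` in patch 1102 captures `execArg0` and `execEnv` from the mocked exec but asserts only on `execArgs`, so the binary that would actually be executed is never checked. The test exists to confirm that a re-executed snap uses the core snap's helpers, so I would add `c.Check(execArg0, check.Equals, filepath.Join(mountedCoreLibExecPath, "snap-confine"))` and repeat the `SNAP_REVISION=x2` environment check that the neighbouring test has. In cmd_run.go the re-exec branch repeats the snap-confine path rule by hand (`// same rule as when choosing the location of snap-confine`). A shared helper would keep the snap-confine and snap-exec paths from drifting into different trees. runSnapConfine's body starts and ends outside the hunk.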
@@ -79,8 +79,14 @@ Source1: https://%{provider_prefix}/releases/download/%{version}/%{name}_ # Upstream proposed PR: https://github.com/snapcore/snapd/pull/3162 Patch0001: 0001-cmd-use-libtool-for-the-internal-library.patch -# Upstream proposed PR: https://github.com/snapcore/snapd/pull/4404 -Patch4404: PR4404-data-selinux--allow-messages-from-policykit.patch +# Backports from upstream release/2.30 branch +# SELinux policy fixes +Patch1001: 1001-data-selinux-allow-messages-from-policykit.patch +Patch1002: 1002-data-selinux-bump-policy-version-to-0.0.13.patch +Patch1003: 1003-data-selinux-add-policykit_dbus_chat.patch +# snap-exec fixes +Patch1101: 1101-dirs-check-if-distro-is-like-fedora-when-picking-pat.patch +Patch1102: 1102-cmd-snap-use-distro-snap-exec-when-running-under-cla.patch %if 0%{?with_goarches} # e.g. el6 has ppc64 arch without gcc-go, so EA tag is required @@ -97,10 +103,16 @@ BuildRequires: systemd Requires: snap-confine%{?_isa} = %{version}-%{release} Requires: squashfs-tools -# snapd will use this in the event that squashfs.ko isn't available (cloud instances, containers, etc.) -# FIXME: Use rich deps for this once Bodhi is switched to using pungi + +%if 0%{?fedora} >= 26 || 0%{?rhel} >= 8 +# snapd will use squashfuse in the event that squashfs.ko isn't available (cloud instances, containers, etc.) +Requires: ((squashfuse and fuse) or kmod(squashfs.ko)) +%else +# Rich dependencies not available, always pull in squashfuse +# snapd will use squashfs.ko instead of squashfuse if it's on the system Requires: squashfuse Requires: fuse +%endif # bash-completion owns /usr/share/bash-completion/completions Requires: bash-completion @@ -625,7 +637,6 @@ popd %{_mandir}/man1/snap-confine.1* %{_mandir}/man5/snap-discard-ns.5* %{_prefix}/lib/udev/snappy-app-dev -%{_udevrulesdir}/80-snappy-assign.rules %attr(0000,root,root) %{_sharedstatedir}/snapd/void 
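Review bot: In the `@@ -97,10 +103,16 @@` hunk, the rich dependency `((squashfuse and fuse) or kmod(squashfs.ko))` is resolved against installed package metadata, not against the kernel that is actually running. In a container image that has a kernel package installed but runs on a host kernel without squashfs.ko, squashfuse would presumably not be pulled in and snapd would have no fallback for mounting snaps. The comment above the `Requires:` line should say so, for example `# NOTE: satisfied by any installed package providing kmod(squashfs.ko), not by the running kernel; containers may still need squashfuse`.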
@@ -693,6 +704,249 @@ fi %changelog +* Thu Jan 25 2018 Neal Gompa - 2.30-1 +- Release 2.30 to Fedora (RH#1527519) +- Backport fix to correctly locate snapd libexecdir on Fedora derivatives (RH#1536895) +- Refresh SELinux policy fix patches with upstream backport version + +* Mon Dec 18 2017 Michael Vogt +- New upstream release 2.30 + - tests: set TRUST_TEST_KEYS=false for all the external backends + - tests: fix external backend for tests that need DEBUG output + - tests: do not disable refresh timer on external backend + - client: send all snap related bool json fields + - interfaces: interfaces: also add an app/hook-specific udev RUN + rule for hotplugging + - interfaces/desktop,unity7: allow status/activate/lock of + screensavers + - tests/main: source mkpinentry.sh + - devicestate: use a different nowhere domain + - interfaces: add ssh-keys, ssh-public-keys, gpg-keys and gpg-public + keys interfaces + - interfaces/many: misc updates for default, browser-support, opengl, + desktop, unity7, x11 + - devicestate: fix misbehaving test when using systemd-resolved + - interfaces/removable-media: also allow 'k' (lock) + - interfaces/many: misc updates for default, browser-support, + opengl, desktop, unity7, x11 + - corecfg: also "mask" services when disabling them + - tests: add support for autopkgtests on s390x + - snapstate: support for pre-refresh hook + - many: allow to configure core before it is installed + - devicestate: fix unkeyed fields error + - snap-confine: create mount target for lib32,vulkan on demand + - snapstate: add support for refresh.schedule=managed + - cmd/snap-update-ns: teach update logic to handle synthetic changes + - many: remove configure-snapd task again and handle internally + - snap: fix TestDirAndFileMethods() test to work with gccgo + - debian: ensure /var/lib/snapd/lib/vulkan is available + - cmd/snap-confine: use #include instead of bare include + - snapstate: store userID in snapstate + - snapd.dirs: add var/lib/snapd/lib/gl32 + - 
timeutil, overlod/snapstate: cleanup remaining pieces of timeutil + weekday support + - packaging/arch: install missing directories, manpages and version + info + - snapstate,store: store if a snap is a paid snap in the sideinfo + - packaging/arch: pre-create snapd directories when packaging + - tests/main/manpages: set LC_ALL=C as man may complain if the + locale is unset or unsupported + - repo: ConnectedPlug and ConnectedSlot types + - snapd: fix handling of undo in the taskrunner + - store: fix download caching and add integration test + - snapstate: move autorefresh code into autoRefresh helper + - snapctl: don't error out on start/stop/restart from configure hook + during install or refresh + - cmd/snap-update-ns: add planWritableMimic + - deamon: don't omit responses, even if null + - tests: add test for frame buffer interface + - tests/lib: fix shellcheck errors + - apparmor: generate the snap-confine re-exec profile for + AppArmor{Partial,Full} + - tests: remove obsolete workaround + - snap: use existing files in `snap download` if digest/size matches + - tests: merge pepare-project.sh into prepare-restore.sh + - tests: cache snaps to $TESTSLIB/cache + - tests: set -e, -o pipefail in prepare-restore.sh + - apparmor: generate the snap-confine re-exec profile for + AppArmor{Partial,Full} + - cmd/snap-seccomp: fix uid/gid restrictions tests on Arch + - tests: document and slightly refactor prepare/restore code + - snapstate: ensure RefreshSchedule() gives accurate results + - snapstate: add new refresh-hints helper and use it + - spread.yaml,tests: move most of project-wide prepare/restore to + separate file + - timeutil: introduce helpers for weekdays and TimeOfDay + - tests: adding new test for uhid interface + - cmd/libsnap: fix parsing of empty mountinfo fields + - overlord/devicestate: best effort to go to early full retries for + registration on the like of DNS no host + - spread.yaml: bump delta ref to 2.29 + - tests: adding test to test physical 
memory observe interface + - cmd, errtracker: get rid of SNAP_DID_REEXEC environment + - timeutil: remove support to parse weekday schedules + - snap-confine: add workaround for snap-confine on 4.13/upstream + - store: do not log the http body for catalog updates + - snapstate: move catalogRefresh into its own helper + - spread.yaml: fix shellcheck issues and trivial refactor + - spread.yaml: move prepare-each closer to restore-each + - spread.yaml: increase workers for opensuse to 3 + - tests: force delete when tests are restore to avoid suite failure + - test: ignore /snap/README + - interfaces/opengl: also allow read on 'revision' in + /sys/devices/pci... + - interfaces/screen-inhibit-control: fix case in screen inhibit + control + - asserts/sysdb: panic early if pointed to staging but staging keys + are not compiled-in + - interfaces: allow /bin/chown and fchownat to root:root + - timeutil: include test input in error message in + TestParseSchedule() + - interfaces/browser-support: adjust base declaration for auto- + connection + - snap-confine: fix snap-confine under lxd + - store: bit less aggressive retry strategy + - tests: add new `fakestore new-snap-{declaration,revision}` helpers + - cmd/snap-update-ns: add secureMkfileAll + - snap: use field names when initializing composite literals + - HACKING: fix path in snap install + - store: add support for flags in ListRefresh() + - interfaces: remove invalid plugs/slots from SnapInfo on + sanitization. 
+ - debian: add missing udev dependency + - snap/validate: extend socket validation tests + - interfaces: add "refresh-schedule" attribute to snapd-control + - interfaces/builtin/account_control: use gid owning /etc/shadow to + setup seccomp rules + - cmd/snap-update-ns: tweak changePerform + - interfaces,tests: skip unknown plug/slot interfaces + - tests: disable interfaces-network-control-tuntap + - cmd: use a preinit_array function rather than parsing + /proc/self/cmdline + - interfaces/time*_control: explicitly deny noisy read on + /proc/1/environ + - cmd/snap-update-ns: misc cleanups + - snapd: allow hooks to have slots + - fakestore: add go-flags to prepare for `new-snap-declaration` cmd + - interfaces/browser-support: add shm path for nwjs + - many: add magic /snap/README file + - overlord/snapstate: support completion for command aliases + - tests: re-enable tun/tap test on Debian + - snap,wrappers: add support for socket activation + - repo: use PlugInfo and SlotInfo for permanent plugs/slots + - tests/interfaces-network-control-tuntap: disable on debian- + unstable for now + - cmd/snap-confine: Loosen the NVIDIA Vulkan ICD glob + - cmd/snap-update-ns: detect and report read-only filesystems + - cmd/snap-update-ns: re-factor secureMkdirAll into + secureMk{Prefix,Dir} + - run-checks, tests/lib/snaps/: shellcheck fixes + - corecfg: validate refresh.schedule when it is applied + - tests: adjust test to match stderr + - snapd: fix snap cookie bugs + - packaging/arch: do not quote MAKEFLAGS + - state: add change.LaneTasks helper + - cmd/snap-update-ns: do not assume 'nogroup' exists + - tests/lib: handle distro specific grub-editenv naming + - cmd/snap-confine: Add missing bi-arch NVIDIA filesthe + `/var/lib/snapd/lib/gl:/var/lib/snapd/lib/gl/vdpau` paths within + - cmd: Support exposing NVIDIA Vulkan ICD files to the snaps + - cmd/snap-confine: Implement full 32-bit NVIDIA driver support + - packaging/arch: packaging update + - cmd/snap-confine: Support bash 
as base runtime entry + - wrappers: do not error on incorrect Exec= lines + - interfaces: fix udev tagging for hooks + - tests/set-proxy-store: exclude ubuntu-core-16 via systems: key + - tests: new tests for network setup control and observe interfaces + - osutil: add helper for obtaining group ID of given file path + - daemon,overlord/snapstate: return snap-not-installed error in more + cases + - interfaces/builtin/lxd_support: allow discovering of host's os- + release + - configstate: add support for configure-snapd for + snapstate.IgnoreHookError + - tests: add a spread test for proxy.store setting together with + store assertion + - cmd/snap-seccomp: do not use group 'shadow' in tests + - asserts/assertstest: fix use of hardcoded value when the passed + or default keys should be used + - interfaces/many: misc policy updates for browser-support, cups- + control and network-status + - tests: fix xdg-open-compat + - daemon: for /v2/logs, 404 when no services are found + - packaging/fedora: Merge changes from Fedora Dist-Git + - cmd/snap-update-ns: add new helpers for mount entries + - cmd/snap-confine: Respect biarch nature of libdirs + - cmd/snap-confine: Ensure snap-confine is allowed to access os- + release + - cmd: fix re-exec bug with classic confinement for host snapd < + 2.28 + - interfaces/kmod: simplify loadModules now that errors are ignored + - tests: disable xdg-open-compat test + - tests: add test that checks core reverts on core devices + - dirs: use alt root when checking classic confinement support + without … + - interfaces/kmod: treat failure to load module as non-fatal + - cmd/snap-update-ns: fix golint and some stale comments + - corecfg: support setting proxy.store if there's a matching store + assertion + - overlord/snapstate: toggle ignore-validation as needed as we do + for channel + - tests: fix security-device-cgroup* tests on devices with + framebuffer + - interfaces/raw-usb: match on SUBSYSTEM, not SUBSYSTEMS + - interfaces: add USB 
interface number attribute in udev rule for + serial-port interface + - overlord/devicestate: switch to the new endpoints for registration + - snap-update-ns: add missing unit test for desired/current profile + handling + - cmd/{snap-confine,libsnap-confine-private,snap-shutdown}: cleanup + low-level C bits + - ifacestate: make interfaces.Repository available via state cache + - overlord/snapstate: cleanups around switch-snap* + - cmd/snapd,client,daemon: display ignore-validation flag through + the notes mechanism + - cmd/snap-update-ns: add logging to snap-update-ns + - many: have a timestamp on store assertions + - many: lookup and use the URL from a store assertion if one is set + for use + - tests/test-snapd-service: fix shellcheck issues + - tests: new test for hardware-random-control interface + - tests: use `snap change --last=install` in snapd-reexec test + - repo, daemon: use PlugInfo, SlotInfo + - many: handle core configuration internally instead of using the + core configure hook + - tests: refactor and expand content interface test + - snap-seccomp: skip in-kernel bpf tests for socket() in trusty/i386 + - cmd/snap-update-ns: allow Change.Perform to return changes + - snap-confine: Support biarch Linux distribution confinement + - partition/ubootenv: don't panic when uboot.env is missing the eof + marker + - cmd/snap-update-ns: allow fault injection to provide dynamic + result + - interfaces/mount: exspose mount.{Escape,Unescape} + - snapctl: added long help to stop/start/restart command + - cmd/snap-update-ns: create missing mount points automatically. 
+ - cmd: downgrade log message in InternalToolPath to Debugf() + - tests: wait for service status change & file update in the test to + avoid races + - daemon, store: forward SSO invalid credentials errors as 401 + Unauthorized responses + - spdx: fix for WITH syntax, require a license name before the + operator + - many: reorg things in preparation to make handling of the base url + in store dynamic + - hooks/configure: queue service restarts + - cmd/snap: warn when a snap is not from the tracking channel + - interfaces/mount: add support for parsing x-snapd.{mode,uid,gid}= + - cmd/snap-confine: add detection of stale mount namespace + - interfaces: add plugRef/slotRef helpers for PlugInfo/SlotInfo + - tests: check for invalid udev files during all tests + - daemon: use newChange() in changeAliases for consistency + - servicestate: use taskset + - many: add support for /home on NFS + - packaging,spread: fix and re-enable opensuse builds + * Sun Dec 17 2017 Neal Gompa - 2.29.4-3 - Add patch to SELinux policy to allow snapd to receive replies from polkit diff --git a/sources b/sources index 1492c5e..34b3981 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (snapd-2.29.4.tar.gz) = 60742daebc18cf96f23dd0ee2149591d7e44fab33c8424c51d15b631783fe747c0b5373d155670d73ba616eae703e10b1d882a2eb91097cdfe23ff51b753fa3c +SHA512 (snapd-2.30.tar.gz) = cb7fdc7bc88848decd2b9c9c9edbb152b4c45905e58480ecc12bbd67808001ffc6d33026dbdf693a6cdaae97e63aee41f3c228dff4d4559b9db68bdf67c3a6fd