ELBA-2024-18658 - snapd Bug Fix update

Release Date:2024-02-29


* Fri Feb 16 2024 Ernest Lotter
- New upstream release 2.61.2
- Fix to enable plug/slot sanitization for prepare-image
- Fix panic when device-service.access=offline
- Support offline remodeling
- Allow offline update only remodels without serial
- Fail early when remodeling to old model revision
- Fix to enable plug/slot sanitization for validate-seed
- Allow removal of core snap on classic systems
- Fix network-control interface denial for file lock on /run/netns
- Add well-known core24 snap-id
- Fix remodel snap installation order
- Prevent remodeling from UC18+ to UC16
- Fix cups auto-connect on classic with cups snap installed
- u2f-devices interface support for GoTrust Idem Key with USB-C
- Fix to restore services after unlink failure
- Add libcudnn.so to Nvidia libraries
- Fix skipping base snap download due to false snapd downgrade

- Rebuild for golang 1.22.0

- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild

- Changelog resynchronization

- Require xdelta on Fedora or EPEL >= 9 (for delta updates)

* Fri Nov 24 2023 Ernest Lotter
- New upstream release 2.61.1
- Stop requiring default provider snaps on image building and first
boot if alternative providers are included and available
- Fix auth.json access for login as non-root group ID
- Fix incorrect remodelling conflict when changing track to older
snapd version
- Improved check-rerefresh message
- Fix UC16/18 kernel/gadget update failure due volume mismatch with
installed disk
- Stop auto-import of assertions during install modes
- Desktop interface exposes GetIdletime
- Polkit interface support for new polkit versions
- Fix not applying snapd snap changes in tracked channel when remodelling

* Fri Oct 13 2023 Philip Meulengracht
- New upstream release 2.61
- Fix control of activated services in 'snap start' and 'snap stop'
- Correctly reflect activated services in 'snap services'
- Disabled services are no longer enabled again when snap is
- interfaces/builtin: added support for Token2 U2F keys
- interfaces/u2f-devices: add Swissbit iShield Key
- interfaces/builtin: update gpio apparmor to match pattern that
contains multiple subdirectories under /sys/devices/platform
- interfaces: add a polkit-agent interface
- interfaces: add pcscd interface
- Kernel command-line can now be edited in the gadget.yaml
- Only track validation-sets in run-mode, fixes validation-set
issues on first boot.
- Added support for using store.access to disable access to snap
- Support for fat16 partition in gadget
- Pre-seed authority delegation is now possible
- Support new system-user name daemon
- Several bug fixes and improvements around remodelling
- Offline remodelling support

* Fri Sep 15 2023 Michael Vogt
- New upstream release 2.60.4
- i/b/qualcomm_ipc_router.go: switch to plug/slot and add socket
- interfaces/builtin: fix custom-device udev KERNEL values
- overlord: allow the firmware-updater snap to install user daemons
- interfaces: allow loopback as a block-device

* Fri Aug 25 2023 Michael Vogt
- New upstream release 2.60.3
- i/b/shared-memory: handle 'private' plug attribute in shared-
memory interface correctly
- i/apparmor: support for home.d tunables from /etc/

* Fri Aug 04 2023 Michael Vogt
- New upstream release 2.60.2
- i/builtin: allow directories in private /dev/shm
- i/builtin: add read access to /proc/task/schedstat in system-
- snap-bootstrap: print version information at startup
- go.mod: update gopkg.in/yaml.v3 to v3.0.1 to fix CVE-2022-28948
- snap, store: filter out invalid snap edited links from store info
and persisted state
- o/configcore: write netplan defaults to 00-snapd-config on seeding
- snapcraft.yaml: pull in apparmor_parser optimization patches from
- snap-confine: fix missing \0 after readlink
- cmd/snap: hide append-integrity-data
- interfaces/opengl: add support for ARM Mali

- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild

* Tue Jul 04 2023 Michael Vogt
- New upstream release 2.60.1
- install: fallback to lazy unmount() in writeFilesystemContent
- data: include 'modprobe.d' and 'modules-load.d' in preseeded blob
- gadget: fix install test on armhf
- interfaces: fix typo in network_manager_observe
- sandbox/apparmor: don't let vendored apparmor conflict with system
- gadget/update: set parts in laid out data from the ones matched
- many: move SnapConfineAppArmorDir from dirs to sandbox/apparmor
- many: stop using -O no-expr-simplify in apparmor_parser
- go.mod: update secboot to latest uc22 branch

* Thu Jun 15 2023 Michael Vogt
- New upstream release 2.60
- Support for dynamic snapshot data exclusions
- Apparmor userspace is vendored inside the snapd snap
- Added a default-configure hook that exposes gadget default
configuration options to snaps during first install before
services are started
- Allow install from initrd to speed up the initial installation
for systems that do not have a install-device hook
- New snap sign --chain flag that appends the account and
account-key assertions
- Support validation-sets in the model assertion
- Support new 'min-size' field in gadget.yaml
- New interface: 'userns'

* Sat May 27 2023 Michael Vogt
- New upstream release 2.59.5
- Explicitly disallow the use of ioctl + TIOCLINUX
This fixes CVE-2023-1523.

* Fri May 12 2023 Michael Vogt
- New upstream release 2.59.4
- Retry when looking for disk label on non-UEFI systems
(LP: #2018977)
- Fix remodel from UC20 to UC22

* Wed May 03 2023 Michael Vogt
- New upstream release 2.59.3
- Fix quiet boot
- i/b/physical_memory_observe: allow reading virt-phys page mappings
- gadget: warn instead of returning error if overlapping with GPT
- overlord,wrappers: restart always enabled units
- go.mod: update github.com/snapcore/secboot to latest uc22
- boot: make sure we update assets for the system-seed-null role
- many: ignore case for vfat partitions when validating

* Tue Apr 18 2023 Michael Vogt
- New upstream release 2.59.2
- Notify users when a user triggered auto refresh finished

* Tue Mar 28 2023 Michael Vogt
- New upstream release 2.59.1
- Add udev rules from steam-devices to steam-support interface
- Bugfixes for layout path checking, dm_crypt permissions,
mount-control interface parameter checking, kernel commandline
parsing, docker-support, refresh-app-awareness

* Fri Mar 10 2023 Michael Vogt
- New upstream release 2.59
- Support setting extra kernel command line parameters via snap
configuration and under a gadget allow-list
- Support for Full-Disk-Encryption using ICE
- Support for arbitrary home dir locations via snap configuration
- New nvidia-drivers-support interface
- Support for udisks2 snap
- Pre-download of snaps ready for refresh and automatic refresh of
the snap when all apps are closed
- New microovn interface
- Support uboot with CONFIG_SYS_REDUNDAND_ENV=n
- Make 'snap-preseed --reset' re-exec when needed
- Update the fwupd interface to support fully confined fwupd
- The memory,cpu,thread quota options are no longer experimental
- Support debugging snap client requests via the
SNAPD_CLIENT_DEBUG_HTTP environment variable
- Support ssh listen-address via snap configuration
- Support for quotas on single services
- prepare-image now takes into account snapd versions going into
the image, including in the kernel initrd, to fetch supported
assertion formats

- Releate 2.58.3 to Fedora RHBZ#2173056

* Tue Feb 21 2023 Michael Vogt
- New upstream release 2.58.3
- interfaces/screen-inhibit-control: Add support for xfce-power-
- interfaces/network-manager: do not show ptrace read
- interfaces: relax rules for mount-control what for functionfs
- cmd/snap-bootstrap: add support for snapd_system_disk
- interfaces/modem-manager: add net_admin capability
- interfaces/network-manager: add permission for OpenVPN
- httputil: fix checking x509 certification error on go 1.20
- i/b/fwupd: allow reading host os-release
- boot: on classic+modes MarkBootSuccessfull does not need a base
- boot: do not include base= in modeenv for classic+modes installs
- tests: add spread test that validates revert on boot for core does
not happen on classic+modes
- snapstate: only take boot participants into account in
- snapstate: refactor UpdateBootRevisions() to make it easier to
check for boot.SnapTypeParticipatesInBoot()

* Wed Jan 25 2023 Michael Vogt
- New upstream release 2.58.2
- bootloader: fix dirty build by hardcoding copyright year

* Mon Jan 23 2023 Michael Vogt
- New upstream release 2.58.1
- secboot: detect lockout mode in CheckTPMKeySealingSupported
- cmd/snap-update-ns: prevent keeping unneeded mountpoints
- o/snapstate: do not infinitely retry when an update fails during
- interfaces/modem-manager: add permissions for NETLINK_ROUTE
- systemd/emulation.go: use systemctl --root to enable/disable
- snap: provide more error context in NotSnapError
- interfaces: add read access to /run for cryptsetup
- boot: avoid reboot loop if there is a bad try kernel
- devicestate: retry serial acquire on time based certificate
- o/devicestate: run systemctl daemon-reload after install-device
- cmd/snap,daemon: add 'held' to notes in 'snap list'
- o/snapshotstate: check snapshots are self-contained on import
- cmd/snap: show user+gating hold info in 'snap info'
- daemon: expose user and gating holds at /v2/snaps/{name}

- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild

- Fix for RHBZ#2152903

* Thu Dec 01 2022 Michael Vogt
- New upstream release 2.58
- many: Use /tmp/snap-private-tmp for per-snap private tmps
- data: Add systemd-tmpfiles configuration to create private tmp dir
- cmd/snap: test allowed and forbidden refresh hold values
- cmd/snap: be more consistent in --hold help and err messages
- cmd/snap: error on refresh holds that are negative or too short
- o/homedirs: make sure we do not write to /var on build time
- image: make sure file customizations happen also when we have
- tests/fde-on-classic: set ubuntu-seed label in seed partitions
- gadget: system-seed-null should also have fs label ubuntu-seed
- many: gadget.HasRole, ubuntu-seed can come also from system-seed-
- o/devicestate: fix paths for retrieving recovery key on classic
- cmd/snap-confine: do not discard const qualifier
- interfaces: allow python3.10+ in the default template
- o/restart: fix PendingForSystemRestart
- interfaces: allow wayland slot snaps to access shm files created
by Firefox
- o/assertstate: add Sequence() to val set tracking
- o/assertstate: set val set 'Current' to pinned sequence
- tests: tweak the libvirt interface test to work on 22.10
- tests: use system-seed-null role on classic with modes tests
- boot: add directory for data on install
- o/devicestate: change some names from esp to seed/seed-null
- gadget: add system-seed-null role
- o/devicestate: really add error to new error message
- restart,snapstate: implement reboot-required notifications on
- many: avoid automatic system restarts on classic through new
overlord/restart logic
- release: Fix WSL detection in LXD
- o/state: introduce WaitStatus
- interfaces: Fix desktop interface rules for document portal
- client: remove classic check for snap recovery --show-
- many: create snapd.mounts targets to schedule mount units
- image: enable sysfs overlay for UC preseeding
- i/b/network-control: add permissions for using AF_XDP
- i/apparmor: move mocking of home and overlay conditions to osutil
- tests/main/degraded: ignore man-db update failures in CentOS
- cmd/snap: fix panic when running snap w/ flag but w/o subcommand
- tests: save snaps generated during image preaparation
- tests: skip building snapd based on new env var
- client: remove misleading comments in ValidateApplyOptions
- boot/seal: add debug traces for bootchains
- bootloader/assets: fix grub.cfg when there are no labels
- cmd/snap: improve refresh hold's output
- packaging: enable BPF in RHEL9
- packaging: do not traverse filesystems in postrm script
- tests: get microk8s from another branch
- bootloader: do not specify Core version in grub entry
- many: refresh --hold follow-up
- many: support refresh hold/unhold to API and CLI
- many: expand fully handling links mapping in all components, in
the API and in snap info
- snap/system_usernames,tests: Azure IoT Edge system usernames
- interface: Allow access to
org.freedesktop.DBus.ListActivatableNames via system-observe
- o/devicestate,daemon: use the expiration date from the assertion
in user-state and REST api (user-removal 4/n)
- gadget: add unit tests for new install functions for FDE on
- cmd/snap-seccomp: fix typo in AF_XDP value
- tests/connected-after-reboot-revert: run also on UC16
- kvm: allow read of AMD-SEV parameters
- data: tweak apt integration config var
- o/c/configcore: add faillock configuration
- tests: use dbus-daemon instead of dbus-launch
- packaging: remove unclean debian-sid patch
- asserts: add keyword 'user-presence' keyword in system-user
assertion (auto-removal 3/n)
- interfaces: steam-support allow pivot /run/media and /etc/nvidia
- aspects: initial code
- overlord: process auto-import assertion at first boot
- release, snapd-apparmor, syscheck: distinguish WSL1 and WSL2
- tests: fix lxd-mount-units in ubuntu kinetic
- tests: new variable used to configure the kernel command line in
nested tests
- go.mod: update to newer secboot/uc22 branch
- autopkgtests: fix running autopkgtest on kinetic
- tests: remove squashfs leftovers in fakeinstaller
- tests: create partition table in fakeinstaller
- o/ifacestate: introduce DebugAutoConnectCheck hook
- tests: use test-snapd-swtpm instead of swtpm-mvo snap in nested
- interfaces/polkit: do not require polkit directory if no file is
- o/snapstate: be consistent not creating per-snap save dirs for
classic models
- inhibit: use hintFile()
- tests: use snap prepare-image in fde-on-classic mk-image.sh
- interfaces: add microceph interface
- seccomp: allow opening XDP sockets
- interfaces: allow access to icon subdirectories
- tests: add minimal-smoke test for UC22 and increase minimal RAM
- overlord: introduce hold levels in the snapstate.Hold* API
- o/devicestate: support mounting ubuntu-save also on classic with
- interfaces: steam-support allow additional mounts
- fakeinstaller: format SystemDetails result with %+v
- cmd/libsnap-confine-private: do not panic on chmod failure
- tests: ensure that fakeinstaller put the seed into the right place
- many: add stub services for prompting
- tests: add libfwupd and libfwupdplugin5 to openSUSE dependencies
- o/snapstate: fix snaps-hold pruning/reset in the presence of
system holding
- many: add support for setting up encryption from installer
- many: support classic snaps in the context of classic and extended
- cmd/snap,daemon: allow zero values from client to daemon for
journal rate limit
- boot,o/devicestate: extend HasFDESetupHook to consider unrelated
- cmd/snap: validation set refresh-enforce CLI support + spread test
- many: fix filenames written in modeenv for base/gadget plus drive-
- seed: fix seed test to use a pseudo-random byte sequence
- cmd/snap-confine: remove setuid calls from cgroup init code
- boot,o/devicestate: introduce and use MakeRunnableStandaloneSystem
- devicestate,boot,tests: make fakeinstaller test work
- store: send Snap-Device-Location header with cloud information
- overlord: fix unit tests after merging master in
- o/auth: move HasUserExpired into UserState and name it HasExpired,
and add unit tests for this
- o/auth: rename NewUserData to NewUserParams
- many: implementation of finish install step handlers
- overlord: auto-resolve validation set enforcement constraints
- i/backends,o/ifacestate: cleanup backends.All
- cmd/snap-confine: move bind-mount setup into separate function
- tests/main/mount-ns: update namespace for 18.04
- o/state: Hold pseudo-error for explicit holding, concept of
pending changes in prune logic
- many: support extended classic models that omit kernel/gadget
- data/selinux: allow snapd to detect WSL
- overlord: add code to remove users that has an expiration date set
- wrappers,snap/quota: clear LogsDirectory= in the service unit for
journal namespaces
- daemon: move user add, remove operations to overlord device state
- gadget: implement write content from gadget information
- {device,snap}state: fix ineffectual assignments
- daemon: support validation set refresh+enforce in API
- many: rename AddAffected* to RegisterAffected*, add
Change|State.Has, fix a comment
- many: reset store session when setting proxy.store
- overlord/ifacestate: fix conflict detection of auto-connection
- interfaces: added read/write access to /proc/self/coredump_filter
for process-control
- interfaces: add read access to /proc/cgroups and
/proc/sys/vm/swappiness to system-observe
- fde: run fde-reveal-key with DefaultDependencies=no
- many: don't concatenate non-constant format strings
- o/devicestate: fix non-compiling test
- release, snapd-apparmor: fixed outdated WSL detection
- many: add todos discussed in the review in
tests/nested/manual/fde-on-classic, snapstate cleanups
- overlord: run install-device hook during factory reset
- i/b/mount-control: add optional / to umount rules
- gadget/install: split Run in several functions
- o/devicestate: refactor some methods as preparation for install
steps implementation
- tests: fix how snaps are cached in uc22
- tests/main/cgroup-tracking-failure: fix rare failure in Xenial and
- many: make {Install,Initramfs}{{,Host},Writable}Dir a function
- tests/nested/manual/core20: fix manual test after changes to
'tests.nested exec'
- tests: move the unit tests system to 22.04 in github actions
- tests: fix nested errors uc20
- boot: rewrite switch in SnapTypeParticipatesInBoot()
- gadget: refactor to allow usage from the installer
- overlord/devicestate: support for mounting ubuntu-save before the
install-device hook
- many: allow to install/update kernels/gadgets on classic with
- tests: fix issues related to dbus session and localtime in uc18
- many: support home dirs located deeper under /home
- many: refactor tests to use explicit strings instead of
- boot: add factory-reset cases for boot-flags
- tests: disable quota tests on arm devices using ubuntu core
- tests: fix unbound SPREAD_PATH variable on nested debug session
- overlord: start turning restart into a full state manager
- boot: apply boot logic also for classic with modes boot snaps
- tests: fix snap-env test on debug section when no var files were
- overlord,daemon: allow returning errors when requesting a restart
- interfaces: login-session-control: add further D-Bus interfaces
- snapdenv: added wsl to userAgent
- o/snapstate: support running multiple ops transactionally
- store: use typed valset keys in store package
- daemon: add ensureStateSoon() when calling systems POST api
- gadget: add rules for validating classic with modes gadget.yaml
- wrappers: journal namespaces did not honor journal.persistent
- many: stub devicestate.Install{Finish,SetupStorageEncryption}()
- sandbox/cgroup: don't check V1 cgroup if V2 is active
- seed: add support to load auto import assertion
- tests: fix preseed tests for arm systems
- include/lk: update LK recovery environment definition to include
device lock state used by bootloader
- daemon: return storage-encryption in /systems/

Updated Packages

Release/ArchitectureFilenameMD5sumSuperseded By AdvisoryChannel Label
Oracle Linux 7 (x86_64) snapd-2.61.2-0.el7.src.rpmc3fb8cd3391cb4fb39d2a42a9caa0e33-ol7_x86_64_developer_EPEL

This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team