snappy:release/2.67

Branch merges

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related charm recipes

Related rock recipes

23ca3fe... by Ernest Lotter on 2025-01-15

release: 2.67.1

7534cb2... by Oliver Calder on 2024-11-29

i/p/patterns: disallow /./ and /../ in path patterns (#14774)

* i/p/patterns: disallow /./ and /../ in path patterns

Since patterns like /foo/./bar don't match paths paths like /foo/bar,
throw an error if the client tries to reply or create a rule with such a
construction clearly in the pattern. That is, if the pattern contains
`/./` or `/../`, or if it ends with `/.` or `/..`.

Notably, we do this on the raw pattern string, similarly to how we
validate that the pattern begins with a `/`: we don't consider whether
all alts in a leading group happen to start with `/`, we simply throw an
error if the first character is not `/`.

In this case, we take a more lenient (but similarly lazy) approach: if
there's a literal `/./` or `/../`, or trailing `/.` or `/..`, then an
error is thrown. As long as there's something interrupting the `/` or
end of the pattern string (e.g. a group), we consider that fine. For
example, we allow `/foo/.{,bar}` even though technically this renders to
the variants `/foo/.` and `/foo/.bar`, where the former is undesirable.

We may reconsider this in the future, but checking whether any rendered
variant contains `/./` or `/../` in general requires fully rendering
each variant and checking each one, which we do not do at parse time,
and one nearly always has at least one pattern which is capable of
matching something valid (an exception being the pattern `/foo/.{,}`,
for example). But the user must fairly deliberately shoot themself in
the foot to end up in that situation.

Again, the worst case if a pattern which is "bad" in this way gets past
validation is that we end up with a path pattern which is incapable of
matching any paths. This is undesirable, but not problematic.

Signed-off-by: Oliver Calder <email address hidden>

* i/p/requestprompts: clarify comment for the relative path regexp

Co-authored-by: Zeyad Yasser <email address hidden>

---------

Signed-off-by: Oliver Calder <email address hidden>
Co-authored-by: Zeyad Yasser <email address hidden>

6f7e30d... by Maciej Borzecki on 2025-01-07

osutil/user: look up getent executable in known host directories (#14792)

* osutil/user: search for getent executable in known host directories

It is possible that `snap run` may be called with a PATH set such that
it does not include a directory containing getent. To workaround this,
try to search for getent in a number of known locations on the host.

Fixes: https://bugs.launchpad.net/snapd/+bug/2090938

Signed-off-by: Maciej Borzecki <email address hidden>

* osutil/user: allow overriding getent search path

Signed-off-by: Maciej Borzecki <email address hidden>

* osutil: update user lookup tests for possible build with snapdusergo tag

The snapdusergo tag disables use of cgo/Go based user.Lookup() (and
similar) code, and instead provides alternative implementations that use
getent under the hood. Adjust the tests to account for this.

Signed-off-by: Maciej Borzecki <email address hidden>

---------

Signed-off-by: Maciej Borzecki <email address hidden>

f41a400... by Philip Meulengracht on 2024-12-17

overlord: wait for snapd restart after requesting by undo of 'link-snap' (#14850)

wait for snapd restart after requesting by undo of 'link-snap'. otherwise we can end up using tools from the snapd we are reverting away from, causing issues or generation of wrong apparmor profiles

* overlord/ifacestate: correct the comment

* tests/core/snapd-refresh-undo: couple of linting issues

* tests,overlord: rectify comments, add a TODO for the restart request in undoUnlinkCurrentSnap, fix two unit tests

* overlord/devicestate: fix double locking in unit test

* overlord/snapstate: add sequence file check

* overlord/snapstate: add TODO for undo path relating to snap-failure

* tests/core/snapd-refresh-undo: revert snapd in end of test to fix restore

* overlord/devicestate: make unit test more robust

* overlord/snapstate,tests: use correct terminology for snapd restarts, and fix the description of the spread test

* wrappers: more logging

Signed-off-by: Maciej Borzecki <email address hidden>

* wrappers: snapd version specific quirk for < 2.62 versions

Introduce a version specific quirk which works around a problem present
in snapd in versions < 2.62. Prior to 2.622 the snapd.apparmor.service
did not carry a do-not-start tag. This could lead to a problem where
when executing the undo path of snapd, the snapd.apparmor.service is
restarted after unlinking the current version of snapd. This could cause
the snapd.apparmor to use either a potentially much older parser from
the host one from the previous version of snapd, where in either case,
the parser may not support features present in the profiles generated by
current version of snapd.

Signed-off-by: Maciej Borzecki <email address hidden>

---------

Signed-off-by: Maciej Borzecki <email address hidden>
Co-authored-by: Maciej Borzecki <email address hidden>

3e2d280... by Katie May <email address hidden> on 2024-12-18

interfaces: update template with new syscalls (#14861)

9ad08b8... by Maciej Borzecki on 2024-12-19

interfaces/seccomp/template: allow epoll_pwait2 in the base template

Add epoll_pwait2 in the base template. The syscall has been available
since 5.11 (early 2021).

Signed-off-by: Maciej Borzecki <email address hidden>

d249356... by Katie May <email address hidden> on 2025-01-07

cmd/snap-seccomp/syscalls: added new syscalls (#14886)

* cmd/snap-seccomp/syscalls: added new syscalls

* cmd/snap-seccomp/syscalls: update git revision

c983892... by Alfonso Sanchez-Beato on 2025-01-13

interfaces,overlord: allow access to kernel snap in profiles (#14899)

* interfaces: allow access to kernel snap in profiles

In UC24+ the kernel modules and firmware is accessed from symlinks in
/lib/{modules,firmware} that can point to different locations. Make
sure that the files can be read by any snap, as there are actions that
can trigger the automatic loading of modules or firmware from the
kernel. This is also needed so the kernel-modules-control can actually
work as expected.

* overlord: add kernel snap confinement option

This option is needed to generate apparmor profiles that allow
accessing kernel modules/firmware.

* o/ifacestate: pass task to buildConfinementOptions

so remodelling scenarios are handled properly.

* interfaces/apparmor: some test fixes

93c9e56... by Katie May <email address hidden> on 2025-01-08

interfaces/seccomp: added new at-variant syscalls to base template (#14902)

b72a847... by Ernest Lotter on 2024-12-02

release: 2.67