snappy:revert-15046-remodel-fix-kernel-swapping

Last commit made on 2025-02-26
Get this branch:
git clone -b revert-15046-remodel-fix-kernel-swapping https://git.launchpad.net/snappy

Branch information

Name:
revert-15046-remodel-fix-kernel-swapping
Repository:
lp:snappy

Recent commits

7addbce... by Ernest Lotter

Revert "many: fix swapping back and forth between kernels with components dur…"

This reverts commit 72cb774eb3127f70089d94e4553e6c71039b205b.

4211a2d... by Maciej Borzecki

secboot: bump secboot to rev e07f4ae48e98 (#15127)

* go.mod: bump secboot to rev e07f4ae48e98

Bump secboot to include a fix from
https://github.com/canonical/secboot/pull/384

Signed-off-by: Maciej Borzecki <email address hidden>

* secboot: update to match canonical/secboot API changes

Signed-off-by: Maciej Borzecki <email address hidden>

---------

Signed-off-by: Maciej Borzecki <email address hidden>

72cb774... by Andrew Phelps <email address hidden>

many: fix swapping back and forth between kernels with components during remodeling (#15046)

* o/snapstate, o/devicestate, tests: support components in snapstate.LinkNewBaseOrKernel and snapstate.AddLinkNewBaseOrKernel

* o/snapstate: fix unused slice in test setup that is not being used

* o/devicestate: add test for case where we swap back to already installed kernel during remodel

* o/snapstate: make doc comments on (Add)LinkNewBaseOrKernel a bit better

* tests: add back cp in build_kernel_with_comps.sh

* tests: make some tabbing consistent

* fixup! tests: add back cp in build_kernel_with_comps.sh

a2d2031... by Samuele Pedroni

boot: have a separate mutex for the sections writing a fresh modeenv (#15116)

* boot: drive-by: fix typo in isModeenvLocked

* boot: have a separate mutex for the sections writing a fresh modeenv

when we write a fresh modeenv and seal we are operating on the modeenv
of a system that is not the current one, so it was wrong to use the same mutex

this now mostly avoids overlapping operations of this kind, which shouldn't
happen, but is the most conservative change

we need to rethink the modeenv mutexes as naively releasing the
state lock while holding them can create deadlocks when we try
to reacquire the former

3ee39fd... by Valentin David

image, seed: check snap-bootstrap compatibility for FDE (#15106)

* image, seed: check snap-bootstrap compatibility for FDE

Snapd 2.68 or later is not compatible in the same seed as
snap-bootstrap 2.67 or before. We need to make it a bit more obvious to
image builders by forbidding that combination.

* image, seed: tweak error message, fail on snap-bootstrap issue and allow controlling the behaviour of the erroring out with a cli switch and environment variable (for easier testing in spread)

---------

Co-authored-by: Philip Meulengracht <email address hidden>

2b3fe17... by Zeyad Gouda

tests/muinstaller: move to 24.04.2 release (#15125)

Signed-off-by: Zeyad Gouda <email address hidden>

f964152... by Zygmunt Krynicki

interfaces: grant posix-mq attr permissions automatically

Those attributes mediate the ability to access data exposed and manipulated by
the mq_getsetattr system call - the configuration of the queue as well as the
non-blocking flag.

Historically those were implicitly granted by the kernel, as a consequence of
the file access rules (mqueue is present in both file and policy DFAs) but with
the introduction of separate getattr/setattr mediation patches this is no
longer the case.

Presence of read auto-grants getattr; the same is done for setattr and write.
This is to ensure continuity should the kernel change behavior and require
providing those permissions explicitly.

Note that slots which grant all the permissions possible are now also
permission-extended to include attribute permissions.

Signed-off-by: Zygmunt Krynicki <email address hidden>

b4fa975... by Zygmunt Krynicki

interfaces: fix clobbering posixMQDefaultPlugPerms

It was possible to have snapd extend posixMQDefaultPlugPerms, a []string
value that was meant to be constant, to contain the "open" permission.

A plug connected to a slot without explicit permissions is granted
the default permissions but then any set of permissions without the
open permission is extended, by appending to the slice, to ensure that
open is always allowed.

This might allow an attacker to trick snapd into granting the open
permission incorrectly.

Signed-off-by: Zygmunt Krynicki <email address hidden>

1046c70... by Zygmunt Krynicki

interfaces: constrain posix-mq to type=posix

The interface was emitting apparmor mqueue rules that allow both posix and sysv
message queues. It was always the documented intent to allow posix message
queues only. Change the verified apparmor feature to our self-named
mqueue-posix.

Signed-off-by: Zygmunt Krynicki <email address hidden>

c486d45... by Zygmunt Krynicki

sandbox: add probe for mqueue type=posix

We want to be more precise when controlling the posix-mq interface. Since the
apparmor side implements both posix and sysv mediation we want to be extra
careful about using the type qualifier correctly in the posix-mqueue interface.
At present that is bound to a generic mqueue rule. With this type-aware probe we
should be able to switch that to POSIX-only.

Signed-off-by: Zygmunt Krynicki <email address hidden>