snapd:release/2.34

Last commit made on 2018-08-13
Get this branch:
git clone -b release/2.34 https://git.launchpad.net/snapd

Branch merges

Branch information

Name:
release/2.34
Repository:
lp:snapd

Recent commits

625cb7c... by Tony Espy on 2018-08-11

interfaces/builtin: network-manager resolved DBus changes

Extend networkManagerPermanentSlotAppArmor to allow
NetworkManager to use systemd-resolved's SetLinkDNS and
SetLinkDomains DBus methods. NetworkManager 1.6.x added
support to allow systemd-resolved to be used for managing
system DNS configuration, and this is used by default in
network-manager 1.10.x, as shipped in Ubuntu 18.04 LTS.

d545ea2... by Michael Vogt on 2018-08-02

configstate: accept refresh.timer=managed

The previous PR to fix this was incomplete and it did not include
a required update for the configstate code. This is fixed now and
the spread test is updated to include the new setting.

de24f94... by Maciej Borzecki on 2018-07-30

timeutil: fix first weekday of the month schedule

Given a schedule with first weekday of the month (eg. wed1 - first Wednesday),
if a matching weekday happens on the first day of the month, it will be skipped
and instead the schedule will fall on the next same weekday of the month.

Consider the calendar:
    August 2018
Su Mo Tu We Th Fr Sa
          1 2 3 4
 5 6 7 8 9 10 11
12 13 14 15 16 17 18
19 20 21 22 23 24 25
26 27 28 29 30 31

In case the schedule is on wed1, we are expecting the next window on 2018.08.01,
but instead the next window is scheduled for 2018.08.08.

The patch fixes buggy nth-weekday-of-the-month calculation for this edge case.

Signed-off-by: Maciej Borzecki <email address hidden>

23bdb9e... by Alfonso Sanchez-Beato on 2018-08-01

interfaces: match all possible tty but console (#5572)

* interfaces: match all possible tty but console

Some interfaces matched only ttys that started with capital
letter, leaving interfaces like ttymxc* out of them. Change this to
a more general case where only console devices are excluded.

* interface/builtin: change [^0-9] to more specific [a-zA-z]

d8d1abe... by Maciej Borzecki on 2018-07-31

tests/lib/prepare-restore: update Arch Linux kernel LOCALVERSION handling

Since 2018.07.30 the kernel localversion is set by scripts/setlocalversion in
the kernel tree and no longer matches the package version as seen in `pacman -Qi
linux` output. What before was eg. 4.16.13-2-ARCH with package version 4.16.13-2
is now changed to 4.17.11-arch1, package version 4.17.11-1.

Refactor the check look at the contents of the linux package instead and match
that with the running kernel. This will make us immune to any future package
versioning changes.

Signed-off-by: Maciej Borzecki <email address hidden>

7ef3443... by Michael Vogt on 2018-07-31

Merge pull request #5579 from jdstrand/add-ptrace-read-for-4.18-2.34

(2.34) cmd/snap-confine: allow ptrace read for 4.18 kernels

7921783... by Jamie Strandboge on 2018-07-30

cmd/snap-confine: allow ptrace read for 4.18 kernels

Kernels < 4.18 incorrectly require 'ptrace trace' to read /proc/1/ns/mnt and
this was correctly to only require 'ptrace read'. This commit simply adds
'ptrace read peer=unconfined,', leaving the old 'trace' rule. A future commit
will remove the 'trace' rule by default and interrogate the kernel to
conditionally add it back when needed.

Reference:
https://forum.snapcraft.io/t/custom-kernel-error-on-readlinkat-in-mount-namespace/6097/19

8b5e8f9... by Michael Vogt on 2018-07-27

releasing package snapd version 2.34.3

858e20c... by Michael Vogt on 2018-07-27

Merge pull request #5568 from mvo5/apparmor-mtime-resiliency-2.34

interfaces/apparmor: use the cache in mtime-resilient way (2.34)

38c17fc... by Zygmunt Krynicki on 2018-07-26

interfaces/apparmor: use the cache in mtime-resilient way

This patch changes how we invoke apparmor_parser (along with the set of
options we pass for cache control). In the past we would just ask
apparmor to parse, compile, load into the kernel and write the cache,
for any profiles (changed or unchanged) we know about, for a given snap.

This was a safe default, we delegate the task of making this fast to
apparmor_parser and just ask it to load _all_ of the profiles, period.

On devices like the Raspberry Pi, that don't have a battery backed
real-time clock, we ran into an issue where on early boot, before NTP
had a chance to correct it, the time was essentially stuck in some form
of 2016. Here all the source profiles were correct (after being
re-written by snapd on system key change in the early boot), the cache
was however from the future (since the device wrote the cache on prior
boot when it was NTP-synced into 2018).

When the cache is from the future it is used, regardless of the contents
of the source files. This resulted in apparmor profiles from the
previous boot (and old system key) to apply to the freshly booted
system, with catastrophic effects.

While we wait for apparmor to improve its caching in apparmor 2.13 and
beyond we can do a simple workaround. Whenever we detect that an
apparmor profile has _really_ changed on disk (and this is simple thanks
to the ensure-dir-state approach that we use) we call apparmor_parser
with an extra command line argument, --skip-cache-read, that totally
ignores the cache (and its perhaps-futuristic mtime), parsers, compiles,
load the profile and _writes a new cache_

This way, while our booting device may think it is 2016, it will at
least generate and _load_ the updated security profiles correctly.

Signed-off-by: Zygmunt Krynicki <email address hidden>