snapd:release/2.35

Last commit made on 2018-10-16
Get this branch:
git clone -b release/2.35 https://git.launchpad.net/snapd

Branch information

Name: release/2.35
Repository: lp:snapd

Recent commits

f663d73... by Michael Vogt

tests: do not run degraded test in autopkgtest env

The autopkgtest environment sometimes has failing services. This
means that our degraded test leads to false positives here. This
PR disables the test in the autopkgtest environment because we
have no control over the images in autopkgtest (unlike in our
spread CI) so the test is not useful here.

083d7b9... by Michael Vogt

releasing package snapd version 2.35.5

3c8487a... by Zygmunt Krynicki

Merge pull request #5983 from mvo5/fix/home-bin-2.35

interfaces/home: don't allow snaps to write to $HOME/bin (2.35)

0075610... by Zygmunt Krynicki

osutil: workaround overlayfs on ubuntu 18.10

* osutil: workaround overlayfs on ubuntu 18.10

This patch adds a workaround for apparmor and overlayfs not playing
together on the ephemeral Ubuntu 18.10 server images. On such images
there's an overlayfs mounted over / with the upper directory in
/media/root-rw/overlay. Snapd detects this and generates a directive
with read access to said directory. At runtime we get a denial, however,
one that looks like this:

    [ 1588.858154] audit: type=1400 audit(1539338016.165:576):
    apparmor="DENIED" operation="open" profile="/usr/lib/snapd/snap-confine"
    name="/overlay/" pid=8735 comm="snap-confine"
    profile="/usr/lib/snapd/snap-confine" requested_mask="r"
    denied_mask="r" fsuid=0 ouid=0

As we can see apparmor decided to resolve the path to "/overlay/" (which
notably does not exist in the filesystem at all). The reason for that is
not understood but as a special-case workaround we detect this and
return "/overlay" instead.

Bug-Link: https://bugs.launchpad.net/ubuntu/+source/snapd/+bug/1797218
Signed-off-by: Zygmunt Krynicki <email address hidden>

d683006... by Zygmunt Krynicki

tests: tweak greps, run only with strict confinement

The greps needed tweaking because the logged denial differs across
kernel versions. The move away from sandbox-features is mandatory
because on opensuse 43.2 we run with classic confinement instead,
even though parts of apparmor are available in the kernel.

Signed-off-by: Zygmunt Krynicki <email address hidden>

e1bf50b... by Zygmunt Krynicki

tests: fix incorrect regression test

Also enable auditing of such attempts and ensure those are logged

Signed-off-by: Zygmunt Krynicki <email address hidden>

6bbca82... by Zygmunt Krynicki

interfaces: deny hard-linking into $HOME/bin

Signed-off-by: Zygmunt Krynicki <email address hidden>

cd933d6... by Zygmunt Krynicki

interfaces: don't allow snaps to write to $HOME/bin

The $HOME/bin directory is added to default PATH on some systems. To
prevent sandbox escape in this specific case deny writing to this
directory.

Signed-off-by: Zygmunt Krynicki <email address hidden>

4098b8d... by Michael Vogt

releasing package snapd version 2.35.4

f941bd8... by Michael Vogt

releasing package snapd version 2.35.3