snappy:release/2.33

Last commit made on 2018-06-25
Get this branch:
git clone -b release/2.33 https://git.launchpad.net/snappy

Branch information

Name: release/2.33
Repository: lp:snappy

Recent commits

060257b... by snowman5454

Update SELinux policy

Update SELinux policy to remove denial messages and add a dontaudit
rule for unneeded read access on lost+found.

d690478... by Michael Vogt

releasing package snapd version 2.33.1

e15dbe7... by Michael Vogt

Merge pull request #5372 from mvo5/improve-udev-trigger-on-refresh-experience-2.33

many: improve udev trigger on refresh experience (2.33)

8f915af... by Jamie Strandboge

interfaces/udev,misc: only trigger udev events on input subsystem as needed

* interfaces/udev,misc: only trigger udev events on input subsystem as needed

In at least desktop environments, running 'udevadm trigger' can cause input to
be blocked as input device events are handled. Since snapd will do this for
each install and refresh, the behavior is annoying for users (especially users
with many snaps installed when snap refresh happens in the background). Instead
of unconditionally calling 'udevadm trigger', call:

 udevadm trigger --subsystem-nomatch=input

This will trigger events for everything except the input subsystem. Interfaces
like mir, wayland and x11 which actually need to tag input subsystem devices
now use spec.TriggerSubsystem("input") to flag that the following should also
be called:

 udevadm trigger --subsystem-match=input

The joystick interface uses spec.TriggerSubsystem("input/joystick") to do a
separate trigger specific to joystick events since they do not cause keyboard
and mouse input to be blocked:

 udevadm trigger --property-match=ID_INPUT_JOYSTICK=1

At this time there doesn't seem to be a way to call TriggerSubsystem() during
interface disconnect, so we temporarily unconditionally call trigger for
joysticks. Because of this limitation, TriggerSubsystem() should otherwise only
be used in UDevPermanentSlot() since that policy is permanent and the tagging
won't be removed until snap removal.

* gather up different subsystems to trigger. Thanks for the suggestion zyga

* add some comments for disconnect/joystick workaround

* update comment for udev calls

* update comment harder

* tests/lib/snaps/test-snapd-udev-input-subsystem: add executable permission bits

Signed-off-by: Maciej Borzecki <email address hidden>

* fix spread test for event access when device cgroup is in effect

* cd to $SNAP to fix non-fatal but confusing AppArmor denials with find command

* disable security-udev-input-subsystem on Debian 9

* backend.go: don't use global for subsystemTriggers

* rename GetTriggeredSubsystems to TriggeredSubsystems. Thanks to zyga

* return a copy of udevadmSubsystemTriggers. Thanks to zyga

* use strutil.ListContains. Thanks to zyga

* use iface.commonInterface.UDevConnectedPlug(spec, plug, slot). Thanks to zyga

* address review feedback from zyga

8a71859... by Paweł Stołowski

systemd: require snapd.socket in snapd.seeded.service; make sure snapd.seeded

* Require snapd.socket in snapd.seeded.service; make sure snapd.seeded.service succeeded in spread tests.
* Start snapd.seeded.service in the test. Modified service status check per review comments.

004b56c... by Kyle Fazzari

snap: don't include newline in hook environment

Currently, both hooks and apps use the global `environment`, if
specified. However, they both use slightly different mechanisms of
interpreting the environment: hooks append a newline, apps do not. The
newline causes problems when the variable is used in the shell.

Fix this issue by creating a new function to evaluate the environment
(that doesn't append a newline), and have both apps and hooks use it.

Signed-off-by: Kyle Fazzari <email address hidden>

ff95c57... by Zygmunt Krynicki

interfaces/apparmor: allow killing snap-update-ns

This patch adds a signal reception rule that allows signals delivery to
snap-update-ns processes when dispatched from the unconfined world.

This fixes the following denial

[Mon Jun 11 13:21:08 2018] audit: type=1400 audit(1528723268.368:2393): apparmor="DENIED" operation="signal" profile="snap-update-ns.test-snapd-service-watchdog" pid=1 comm="systemd" requested_mask="receive" denied_mask="receive" signal=abrt peer="unconfined"

Signed-off-by: Zygmunt Krynicki <email address hidden>

235fadc... by Michael Vogt

tests: skip "try" test on s390x

The s390x virtualization does not allow access to /dev/kmsg so
our test fails there.

2205cbe... by snowman5454

Update SELinux Policy

Update the SELinux policy to resolve error messages on a Fedora
28 system.

7c284d0... by Michael Vogt

tests: skip security-dev-input-event-denied when /dev/input/by-path/ is missing