snappy:release/2.49

Last commit made on 2021-03-30
Get this branch:
git clone -b release/2.49 https://git.launchpad.net/snappy

Branch information

Name:
release/2.49
Repository:
lp:snappy

Recent commits

fc55a44... by Ian Johnson on 2021-03-02

packaging/ubuntu-16.04/rules: turn modules off explicitly

We already set GO111MODULE=off in spread.yaml, but for some reason that's not
sufficient when building the deb in hirsute, which now has Go 1.16 and defaults
to using modules. So explicitly disable it for all the manual go commands we run
here.

Signed-off-by: Ian Johnson <email address hidden>

398a9f3... by Michael Vogt on 2021-03-26

releasing package snapd version 2.49.2

3a1b111... by Oliver Grawert on 2021-03-19

interfaces/tee: add TEE/OPTEE interface (#9307)

To access the TEE (Trusted Execution Environment) subsystem in Linux, access to /dev/tee0 and /dev/teepriv0 is necessary for client applications. This PR adds a new "tee" interface that grants access to these devices to client applications that have the interface connected (this is, for example, required for ARM devices using ARM Trusted Firmware with a secure watchdog timer. If the timer does not get triggered on a regular schedule from a secure-wdt user space daemon, the system will hard-reboot after a certain time defined in the bootloader code at build time).

More details and other use-cases of TEE are documented at:
https://www.kernel.org/doc/Documentation/tee.txt

009145d... by Michael Vogt on 2021-03-26

snap-seccomp: fix seccomp test on ppc64el

The "socket" syscall on ppc64el needs to be de-multiplexed with
recent versions of libseccomp. This is similar to what we need
to do on i386 and s390x.

This fixes the build failure on hirsute:
https://launchpad.net/ubuntu/+source/snapd/2.49+21.04ubuntu1/+build/21197477

177fd5b... by Maciej Borzecki on 2021-03-26

interfaces, interfaces/apparmor, overlord/snapstate: late removal of snap-confine apparmor profiles

* interfaces/apparmor: leave snap confine profile around

Signed-off-by: Maciej Borzecki <email address hidden>

* overlord/snapstate: fill the snap setup type for inactive revision removal

Make sure that the snapsetup of tasks removing inactive snap revision carries
the snap type information.

Signed-off-by: Maciej Borzecki <email address hidden>

* interfaces, interfaces/apparmor: introduce security backend which can discard profiles late

Signed-off-by: Maciej Borzecki <email address hidden>

* overlord/snapstate: call out to late discard of security profiles

Signed-off-by: Maciej Borzecki <email address hidden>

* interfaces: tweak comments

Signed-off-by: Maciej Borzecki <email address hidden>

a06f440... by Maciej Borzecki on 2021-03-26

overlord/snapstate, wrappers: add dependency on usr-lib-snapd.mount for services on core with snapd snap

* snapdtool: add helper for checking whether the current process runs from the snapd snap

Add a helper that checks whether the current process binary is running from
the snapd snap.

Signed-off-by: Maciej Borzecki <email address hidden>

* wrappers: add dependency on usr-lib-snapd.mount for services on core with snapd snap

In a core system with snapd snap, the contents of <snapd-snap>/usr/lib/snapd are
exported to the host via a bind mount done by the usr-lib-snapd.mount unit. The
mount unit implicitly depends on the snap mount to be present. By adding that
tooling mount as a dependency for all services on core where snapd is present we
gain some confidence that by the time the unit is started:
- /usr/lib/snapd contains the right tooling
- /snap/snapd/<rev> is mounted

Signed-off-by: Maciej Borzecki <email address hidden>

* Revert "snapdtool: add helper for checking whether the current process runs from the snapd snap"

This reverts commit 93fa5a3f0c91860cd5e0a54f0d364c7a3d73e0a0.

* wrappers: add flag for expressing a dependency on the snapd tooling

Add a flag to the add services helper that indicates the services require an
additional dependency on the snapd tooling provided by the snapd snap.

Signed-off-by: Maciej Borzecki <email address hidden>

* overlord/snapstate: pass flags to require snapd tooling when linking a snap on UC with base

When linking a snap on an Ubuntu Core system which uses one of core* bases, set
the additional flags that require dependency on the snapd tooling mount.

Signed-off-by: Maciej Borzecki <email address hidden>

* overlord/snapstate, wrappers: tweak naming

Signed-off-by: Maciej Borzecki <email address hidden>

* overlord/snapstate: comments and test tweaks

Signed-off-by: Maciej Borzecki <email address hidden>

28cebad... by Paweł Stołowski on 2021-03-25

o/configstate: deal with no longer valid refresh.timer=managed

* Deal with no longer valid refresh.timer=managed / refresh.schedule=managed in
the state when validating refresh config option of core. This option may
become invalid if the snap managing refreshes is not signed anymore
(i.e. devicestate.CanManageRefreshes returns false).
Fixes LP #1899992.

* Unset refresh.schedule and refresh.timer before testing reject behavior.

8cd382b... by Kyle Nitzsche on 2021-03-24

udisks2 2.8.4 needs to also lock /run/mount/utab

d2cb5fa... by Maciej Borzecki on 2021-03-24

overlord/snapstate: tweaks, extend unit tests to cover more scenarios

Signed-off-by: Maciej Borzecki <email address hidden>

e8a99d6... by Maciej Borzecki on 2021-03-23

overlord/snapstate: make sure that snapd current symlink is not removed during refresh

When snap is refreshed, the current symlink would briefly go away between
unlink-current-snap and link-snap tasks. If the system gets rebooted at this
time, during startup all services from snaps will fail to start. This is caused
by the fact that /usr/bin/snap, which on Core is linked to
/snap/snapd/current/usr/bin/snap, will be dangling, as /snap/snapd/current was
removed.

Address the problem by not removing current of the snapd snap, unless unlinking
is called during removal for the first install of the snapd snap on core or a
general snapd snap removal. In the snapd on core scenario, the /usr/bin/snap
will be invoked from the core snap anyway.

Signed-off-by: Maciej Borzecki <email address hidden>