Package "snap-confine"
Name: |
snap-confine
|
Description: |
Transitional package for snapd
|
Latest version: |
2.66.1+20.04 |
Release: |
focal (20.04) |
Level: |
updates |
Repository: |
universe |
Head package: |
snapd |
Homepage: |
https://github.com/snapcore/snapd |
Links
Download "snap-confine"
Other versions of "snap-confine" in Focal
Changelog
snapd (2.66.1+20.04) focal; urgency=medium
* New upstream release, LP: #2083490
- AppArmor prompting (experimental): Fix kernel prompting support
check
- Allow kernel snaps to have content slots
- Fix ignoring snaps in try mode when amending
|
Source diff to previous version |
|
snapd (2.65.3+20.04) focal; urgency=medium
* New upstream release, LP: #2077473
- Fix missing aux info from store on snap setup
|
Source diff to previous version |
|
snapd (2.63+20.04ubuntu0.1) focal-security; urgency=medium
* SECURITY UPDATE: sandbox escape via $HOME/bin
- interfaces/builtin/home: explicitly deny writing to @{HOME}/bin
- CVE-2024-1724
* SECURITY UPDATE: denial-of-service via crafted files in squashfs image
- snap, snapdir, squashfs: improve validation of target file
mode/types
- CVE-2024-29068
* SECURITY UPDATE: information disclosure via crafted symlinks in
squashfs image
- snap, snapdir, squashfs: improve external symlink validation
- CVE-2024-29069
* Fix FTBFS due to missing systemd from Build-Depends
- debian/control: add systemd to Build-Depends to ensure pkg-config
can find the systemdutildir to install into
-- Alex Murray <email address hidden> Fri, 26 Jul 2024 12:28:53 +0930
|
Source diff to previous version |
CVE-2024-1724 |
In snapd versions prior to 2.62, when using AppArmor for enforcement of sandbox permissions, snapd failed to restrict writes to the $HOME/bin path. |
CVE-2024-29068 |
In snapd versions prior to 2.62, snapd failed to properly check the file type when extracting a snap. The snap format is a squashfs file-system image |
CVE-2024-29069 |
In snapd versions prior to 2.62, snapd failed to properly check the destination of symbolic links when extracting a snap. The snap format is a squas |
|
snapd (2.63+20.04) focal; urgency=medium
* New upstream release, LP: #2061179
- Support for snap services to show the current status of user
services (experimental)
- Refresh app awareness: record snap-run-inhibit notice when
starting app from snap that is busy with refresh (experimental)
- Refresh app awareness: use warnings as fallback for desktop
notifications (experimental)
- Aspect based configuration: make request fields in the aspect-
bundle's rules optional (experimental)
- Aspect based configuration: make map keys conform to the same
format as path sub-keys (experimental)
- Aspect based configuration: make unset and set behaviour similar
to configuration options (experimental)
- Aspect based configuration: limit nesting level for setting value
(experimental)
- Components: use symlinks to point active snap component revisions
- Components: add model assertion support for components
- Components: fix to ensure local component installation always gets
a new revision number
- Add basic support for a CIFS remote filesystem-based home
directory
- Add support for AppArmor profile kill mode to avoid snap-confine
error
- Allow more than one interface to grant access to the same API
endpoint or notice type
- Allow all snapd service's control group processes to send systemd
notifications to prevent warnings flooding the log
- Enable not preseeded single boot install
- Update secboot to handle new sbatlevel
- Fix to not use cgroup for non-strict confined snaps (devmode,
classic)
- Fix two race conditions relating to freedesktop notifications
- Fix missing tunables in snap-update-ns AppArmor template
- Fix rejection of snapd snap udev command line by older host snap-
device-helper
- Rework seccomp allow/deny list
- Clean up files removed by gadgets
- Remove non-viable boot chains to avoid secboot failure
- posix_mq interface: add support for missing time64 mqueue syscalls
mq_timedreceive_time64 and mq_timedsend_time64
- password-manager-service interface: allow kwalletd version 6
- kubernetes-support interface: allow SOCK_SEQPACKET sockets
- system-observe interface: allow listing systemd units and their
properties
- opengl interface: enable use of nvidia container toolkit CDI
config generation
-- Ernest Lotter <email address hidden> Wed, 24 Apr 2024 02:00:39 +0200
|
Source diff to previous version |
|
snapd (2.62+20.04) focal; urgency=medium
* New upstream release, LP: #2058277
- Aspects based configuration schema support (experimental)
- Refresh app awareness support for UI (experimental)
- Support for user daemons by introducing new control switches
--user/--system/--users for service start/stop/restart
(experimental)
- Add AppArmor prompting experimental flag (feature currently
unsupported)
- Installation of local snap components of type test
- Packaging of components with snap pack
- Expose experimental features supported/enabled in snapd REST API
endpoint /v2/system-info
- Support creating and removing recovery systems for use by factory
reset
- Enable API route for creating and removing recovery systems using
/v2/systems with action create and /v2/systems/{label} with action
remove
- Lift requirements for fde-setup hook for single boot install
- Enable single reboot gadget update for UC20+
- Allow core to be removed on classic systems
- Support for remodeling on hybrid systems
- Install desktop files on Ubuntu Core and update after snapd
upgrade
- Upgrade sandbox features to account for cgroup v2 device filtering
- Support snaps to manage their own cgroups
- Add support for AppArmor 4.0 unconfined profile mode
- Add AppArmor based read access to /etc/default/keyboard
- Upgrade to squashfuse 0.5.0
- Support useradd utility to enable removing Perl dependency for
UC24+
- Support for recovery-chooser to use console-conf snap
- Add support for --uid/--gid using strace-static
- Add support for notices (from pebble) and expose via the snapd
REST API endpoints /v2/notices and /v2/notice
- Add polkit authentication for snapd REST API endpoints
/v2/snaps/{snap}/conf and /v2/apps
- Add refresh-inhibit field to snapd REST API endpoint /v2/snaps
- Add refresh-inhibited select query to REST API endpoint /v2/snaps
- Take into account validation sets during remodeling
- Improve offline remodeling to use installed revisions of snaps to
fulfill the remodel revision requirement
- Add rpi configuration option sdtv_mode
- When snapd snap is not installed, pin policy ABI to 4.0 or 3.0 if
present on host
- Fix gadget zero-sized disk mapping caused by not ignoring zero
sized storage traits
- Fix gadget install case where size of existing partition was not
correctly taken into account
- Fix trying to unmount early kernel mount if it does not exist
- Fix restarting mount units on snapd start
- Fix call to udev in preseed mode
- Fix to ensure always setting up the device cgroup for base bare
and core24+
- Fix not copying data from newly set homedirs on revision change
- Fix leaving behind empty snap home directories after snap is
removed (resulting in broken symlink)
- Fix to avoid using libzstd from host by adding to snapd snap
- Fix autorefresh to correctly handle forever refresh hold
- Fix username regex allowed for system-user assertion to not allow
'+'
- Fix incorrect application icon for notification after autorefresh
completion
- Fix to restart mount units when changed
- Fix to support AppArmor running under incus
- Fix case of snap-update-ns dropping synthetic mounts due to
failure to match desired mount dependencies
- Fix parsing of base snap version to enable pre-seeding of Ubuntu
Core Desktop
- Fix packaging and tests for various distributions
- Add remoteproc interface to allow developers to interact with
Remote Processor Framework which enables snaps to load firmware to
ARM Cortex microcontrollers
- Add kernel-control interface to enable controlling the kernel
firmware search path
- Add nfs-mount interface to allow mounting of NFS shares
- Add ros-opt-data interface to allow snaps to access the host
/opt/ros/ paths
- Add snap-refresh-observe interface that provides refresh-app-
awareness clients access to relevant snapd API endpoints
- steam-support interface: generalize Pressure Vessel root paths and
allow access to driver information, features and container
versions
- steam-support interface: make implicit on Ubuntu Core Desktop
- desktop interface: improved support for Ubuntu Core Desktop and
limit autoconnection to implicit slots
- cups-control interface: make autoconnect depend on presence of
cupsd on host to ensure it works on classic systems
- opengl interface: allow read access to /usr/share/nvidia
- personal-files interface: extend to support automatic creation of
missing parent directories in write paths
- network-control interface: allow creating /run/resolveconf
- network-setup-control and network-setup-observe interfaces: allow
busctl bind as required for systemd 254+
- libvirt interface: allow r/w access to /run/libvirt/libvirt-sock-
ro and read access to /var/lib/libvirt/dnsmasq/**
- fwupd interface: allow access to IMPI devices (including locking
of device nodes), sysfs attributes needed by amdgpu and the COD
capsule update directory
- uio interface: allow configuring UIO drivers from userspace
libraries
- serial-port interface: add support for NXP Layerscape SoC
- lxd-support interface: add attribute enable-unconfined-mode to
require LXD to opt-in to run unconfined
- block-devices interface: add support for ZFS volumes
- system-packages-doc interface: add support for reading jquery and
sphinx documentation
- system-packages-doc interface: workaround to prevent autoconnect
failure for snaps using base bare
- microceph-support interface: allow more types of block devices to
be added as an OSD
- mount-observe interface: allow read access to
/proc/{pid}/task
|
|
About
-
Send Feedback to @ubuntu_updates