UbuntuUpdates.org

Package "snap-confine"

Name: snap-confine

Description: Transitional package for snapd

Latest version: 2.66.1+20.04
Release: focal (20.04)
Level: updates
Repository: universe
Head package: snapd
Homepage: https://github.com/snapcore/snapd

Other versions of "snap-confine" in Focal

Repository   Area       Version
base         universe   2.44.3+20.04
security     universe   2.63+20.04ubuntu0.1

Changelog

Version: 2.66.1+20.04 2024-11-26 17:06:58 UTC

  snapd (2.66.1+20.04) focal; urgency=medium

  * New upstream release, LP: #2083490
    - AppArmor prompting (experimental): Fix kernel prompting support
      check
    - Allow kernel snaps to have content slots
    - Fix ignoring snaps in try mode when amending

2083490 [SRU] 2.66.1

Version: 2.65.3+20.04 2024-10-15 18:11:30 UTC

  snapd (2.65.3+20.04) focal; urgency=medium

  * New upstream release, LP: #2077473
    - Fix missing aux info from store on snap setup

2077473 [SRU] 2.65.1

Version: 2.63+20.04ubuntu0.1 2024-08-01 10:07:13 UTC

  snapd (2.63+20.04ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: sandbox escape via $HOME/bin
    - interfaces/builtin/home: explicitly deny writing to @{HOME}/bin
    - CVE-2024-1724
  * SECURITY UPDATE: denial-of-service via crafted files in squashfs image
    - snap, snapdir, squashfs: improve validation of target file
      mode/types
    - CVE-2024-29068
  * SECURITY UPDATE: information disclosure via crafted symlinks in
    squashfs image
    - snap, snapdir, squashfs: improve external symlink validation
    - CVE-2024-29069
  * Fix FTBFS due to missing systemd from Build-Depends
    - debian/control: add systemd to Build-Depends to ensure pkg-config
      can find the systemdutildir to install into

 -- Alex Murray <email address hidden> Fri, 26 Jul 2024 12:28:53 +0930

CVE-2024-1724 In snapd versions prior to 2.62, when using AppArmor for enforcement of sandbox permissions, snapd failed to restrict writes to the $HOME/bin path.
CVE-2024-29068 In snapd versions prior to 2.62, snapd failed to properly check the file type when extracting a snap. The snap format is a squashfs file-system image
CVE-2024-29069 In snapd versions prior to 2.62, snapd failed to properly check the destination of symbolic links when extracting a snap. The snap format is a squas

Version: 2.63+20.04 2024-06-13 15:07:00 UTC

  snapd (2.63+20.04) focal; urgency=medium

  * New upstream release, LP: #2061179
    - Support for snap services to show the current status of user
      services (experimental)
    - Refresh app awareness: record snap-run-inhibit notice when
      starting app from snap that is busy with refresh (experimental)
    - Refresh app awareness: use warnings as fallback for desktop
      notifications (experimental)
    - Aspect based configuration: make request fields in the
      aspect-bundle's rules optional (experimental)
    - Aspect based configuration: make map keys conform to the same
      format as path sub-keys (experimental)
    - Aspect based configuration: make unset and set behaviour similar
      to configuration options (experimental)
    - Aspect based configuration: limit nesting level for setting value
      (experimental)
    - Components: use symlinks to point active snap component revisions
    - Components: add model assertion support for components
    - Components: fix to ensure local component installation always gets
      a new revision number
    - Add basic support for a CIFS remote filesystem-based home
      directory
    - Add support for AppArmor profile kill mode to avoid snap-confine
      error
    - Allow more than one interface to grant access to the same API
      endpoint or notice type
    - Allow all snapd service's control group processes to send systemd
      notifications to prevent warnings flooding the log
    - Enable not preseeded single boot install
    - Update secboot to handle new sbatlevel
    - Fix to not use cgroup for non-strict confined snaps (devmode,
      classic)
    - Fix two race conditions relating to freedesktop notifications
    - Fix missing tunables in snap-update-ns AppArmor template
    - Fix rejection of snapd snap udev command line by older host
      snap-device-helper
    - Rework seccomp allow/deny list
    - Clean up files removed by gadgets
    - Remove non-viable boot chains to avoid secboot failure
    - posix_mq interface: add support for missing time64 mqueue syscalls
      mq_timedreceive_time64 and mq_timedsend_time64
    - password-manager-service interface: allow kwalletd version 6
    - kubernetes-support interface: allow SOCK_SEQPACKET sockets
    - system-observe interface: allow listing systemd units and their
      properties
    - opengl interface: enable use of nvidia container toolkit CDI
      config generation

 -- Ernest Lotter <email address hidden> Wed, 24 Apr 2024 02:00:39 +0200

2061179 [SRU] 2.63

Version: 2.62+20.04 2024-05-08 03:07:05 UTC

  snapd (2.62+20.04) focal; urgency=medium

  * New upstream release, LP: #2058277
    - Aspects based configuration schema support (experimental)
    - Refresh app awareness support for UI (experimental)
    - Support for user daemons by introducing new control switches
      --user/--system/--users for service start/stop/restart
      (experimental)
    - Add AppArmor prompting experimental flag (feature currently
      unsupported)
    - Installation of local snap components of type test
    - Packaging of components with snap pack
    - Expose experimental features supported/enabled in snapd REST API
      endpoint /v2/system-info
    - Support creating and removing recovery systems for use by factory
      reset
    - Enable API route for creating and removing recovery systems using
      /v2/systems with action create and /v2/systems/{label} with action
      remove
    - Lift requirements for fde-setup hook for single boot install
    - Enable single reboot gadget update for UC20+
    - Allow core to be removed on classic systems
    - Support for remodeling on hybrid systems
    - Install desktop files on Ubuntu Core and update after snapd
      upgrade
    - Upgrade sandbox features to account for cgroup v2 device filtering
    - Support snaps to manage their own cgroups
    - Add support for AppArmor 4.0 unconfined profile mode
    - Add AppArmor based read access to /etc/default/keyboard
    - Upgrade to squashfuse 0.5.0
    - Support useradd utility to enable removing Perl dependency for
      UC24+
    - Support for recovery-chooser to use console-conf snap
    - Add support for --uid/--gid using strace-static
    - Add support for notices (from pebble) and expose via the snapd
      REST API endpoints /v2/notices and /v2/notice
    - Add polkit authentication for snapd REST API endpoints
      /v2/snaps/{snap}/conf and /v2/apps
    - Add refresh-inhibit field to snapd REST API endpoint /v2/snaps
    - Add refresh-inhibited select query to REST API endpoint /v2/snaps
    - Take into account validation sets during remodeling
    - Improve offline remodeling to use installed revisions of snaps to
      fulfill the remodel revision requirement
    - Add rpi configuration option sdtv_mode
    - When snapd snap is not installed, pin policy ABI to 4.0 or 3.0 if
      present on host
    - Fix gadget zero-sized disk mapping caused by not ignoring zero
      sized storage traits
    - Fix gadget install case where size of existing partition was not
      correctly taken into account
    - Fix trying to unmount early kernel mount if it does not exist
    - Fix restarting mount units on snapd start
    - Fix call to udev in preseed mode
    - Fix to ensure always setting up the device cgroup for base bare
      and core24+
    - Fix not copying data from newly set homedirs on revision change
    - Fix leaving behind empty snap home directories after snap is
      removed (resulting in broken symlink)
    - Fix to avoid using libzstd from host by adding to snapd snap
    - Fix autorefresh to correctly handle forever refresh hold
    - Fix username regex allowed for system-user assertion to not allow
      '+'
    - Fix incorrect application icon for notification after autorefresh
      completion
    - Fix to restart mount units when changed
    - Fix to support AppArmor running under incus
    - Fix case of snap-update-ns dropping synthetic mounts due to
      failure to match desired mount dependencies
    - Fix parsing of base snap version to enable pre-seeding of Ubuntu
      Core Desktop
    - Fix packaging and tests for various distributions
    - Add remoteproc interface to allow developers to interact with
      Remote Processor Framework which enables snaps to load firmware to
      ARM Cortex microcontrollers
    - Add kernel-control interface to enable controlling the kernel
      firmware search path
    - Add nfs-mount interface to allow mounting of NFS shares
    - Add ros-opt-data interface to allow snaps to access the host
      /opt/ros/ paths
    - Add snap-refresh-observe interface that provides
      refresh-app-awareness clients access to relevant snapd API endpoints
    - steam-support interface: generalize Pressure Vessel root paths and
      allow access to driver information, features and container
      versions
    - steam-support interface: make implicit on Ubuntu Core Desktop
    - desktop interface: improved support for Ubuntu Core Desktop and
      limit autoconnection to implicit slots
    - cups-control interface: make autoconnect depend on presence of
      cupsd on host to ensure it works on classic systems
    - opengl interface: allow read access to /usr/share/nvidia
    - personal-files interface: extend to support automatic creation of
      missing parent directories in write paths
    - network-control interface: allow creating /run/resolveconf
    - network-setup-control and network-setup-observe interfaces: allow
      busctl bind as required for systemd 254+
    - libvirt interface: allow r/w access to
      /run/libvirt/libvirt-sock-ro and read access to /var/lib/libvirt/dnsmasq/**
    - fwupd interface: allow access to IPMI devices (including locking
      of device nodes), sysfs attributes needed by amdgpu and the COD
      capsule update directory
    - uio interface: allow configuring UIO drivers from userspace
      libraries
    - serial-port interface: add support for NXP Layerscape SoC
    - lxd-support interface: add attribute enable-unconfined-mode to
      require LXD to opt-in to run unconfined
    - block-devices interface: add support for ZFS volumes
    - system-packages-doc interface: add support for reading jquery and
      sphinx documentation
    - system-packages-doc interface: workaround to prevent autoconnect
      failure for snaps using base bare
    - microceph-support interface: allow more types of block devices to
      be added as an OSD
    - mount-observe interface: allow read access to
      /proc/{pid}/task

2058277 [SRU] 2.62