UbuntuUpdates.org

Package "snap-confine"

Name: snap-confine

Description:

Transitional package for snapd

Latest version: 2.65.3+20.04
Release: focal (20.04)
Level: updates
Repository: universe
Head package: snapd
Homepage: https://github.com/snapcore/snapd


Other versions of "snap-confine" in Focal

Repository   Area       Version
base         universe   2.44.3+20.04
security     universe   2.63+20.04ubuntu0.1
proposed     universe   2.66.1+20.04

Changelog

Version: 2.58+20.04.1 2023-05-31 04:10:41 UTC

  snapd (2.58+20.04.1) focal-security; urgency=medium

  * SECURITY UPDATE: possible sandbox escape via TIOCLINUX ioctl
    - interfaces/seccomp/template.go: block ioctl with TIOCLINUX. Patch
      from upstream. Graphical terminal emulators like xterm, gnome-terminal
      and others are not affected - this can only be exploited when snaps
      are run on a virtual console.
    - https://github.com/snapcore/snapd/pull/12849
    - CVE-2023-1523

 -- Alex Murray <email address hidden> Mon, 29 May 2023 21:39:27 +0930
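
Added example for the CVE-2023-1523 entry above; this is not snapd's code. It is a minimal seccomp-BPF filter in C that does, for this one request, what the template.go change does: deny ioctl(2) when the request argument is TIOCLINUX and let every other syscall through. A probe function reports how the kernel answers the request before and after the filter is installed. snapd's real filter is generated by snap-seccomp from the whole template and is far broader; it is assumed here that the denied call fails with EPERM rather than killing the process, and the subcommand used for the probe (TIOCL_GETSHIFTSTATE, a read-only query) is chosen as a harmless stand-in for whatever a confined process might send. Against /dev/null or a pseudoterminal the unfiltered probe already gets ENOTTY, because only the virtual-console driver implements TIOCLINUX, which is the reason the changelog says xterm, gnome-terminal and friends are not affected; on a virtual console such as /dev/tty1 (given access to it) the unfiltered call is accepted, and the filter turns it into EPERM.

```c
/* Added example, not snapd code: a seccomp-BPF filter that denies ioctl(TIOCLINUX)
 * with EPERM and allows everything else, plus a probe for how the kernel answers.
 * Linux only, x86_64 or aarch64 (both little-endian).
 * Build: cc -Wall -o tioclinux_probe tioclinux_probe.c ; run: ./tioclinux_probe [tty-path] */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS           /* older headers only know SECCOMP_RET_KILL */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif
#ifndef TIOCL_GETSHIFTSTATE                /* read-only TIOCLINUX subcommand, <linux/tiocl.h> */
#define TIOCL_GETSHIFTSTATE 6
#endif

/* Instruction indices are in the comments so the jump offsets can be checked by eye. */
static struct sock_filter tioclinux_filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),      /* 0 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),             /* 1: ours -> 3, else -> 2 */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),           /* 2: wrong ABI, kill */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),        /* 3 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_ioctl, 0, 3),          /* 4: ioctl -> 5, else -> 8 */
    /* 5: the ioctl request is args[1]; on little-endian this offset is its low 32 bits,
     *    which is all the kernel uses as the request number anyway */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, args[1])),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, TIOCLINUX, 0, 1),           /* 6: TIOCLINUX -> 7, else -> 8 */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),    /* 7 */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),                  /* 8 */
};

/* Install the filter on the calling process; 0 on success, -1 with errno on failure.
 * As with any seccomp filter this cannot be undone for the lifetime of the process. */
int install_tioclinux_filter(void)
{
    struct sock_fprog prog = {
        .len = sizeof(tioclinux_filter) / sizeof(tioclinux_filter[0]),
        .filter = tioclinux_filter,
    };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)   /* required for unprivileged loading */
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Issue `request` on fd and return the resulting errno, or 0 if the ioctl succeeded.
 *   EPERM  -> refused by the seccomp filter, never reached the driver
 *   ENOTTY -> reached the tty/driver layer, which does not implement it (pty, /dev/null)
 *   0      -> accepted by the driver (for TIOCLINUX: a virtual console, no filter) */
int probe_ioctl(int fd, unsigned long request)
{
    /* big enough for TIOCGWINSZ too, so a successful control ioctl cannot overrun it */
    union { char subcode; struct winsize ws; } arg = { .subcode = TIOCL_GETSHIFTSTATE };
    errno = 0;
    if (ioctl(fd, request, &arg) == 0)
        return 0;
    return errno;
}

static const char *describe(int err)
{
    return err == 0 ? "accepted by the driver" : strerror(err);
}

int main(int argc, char **argv)
{
    /* default to stdin so it can be run on a VC, in a pty, or with </dev/null */
    int fd = argc > 1 ? open(argv[1], O_RDONLY) : STDIN_FILENO;
    if (fd < 0) { perror("open"); return 1; }

    printf("before filter: TIOCLINUX  -> %s\n", describe(probe_ioctl(fd, TIOCLINUX)));
    if (install_tioclinux_filter() != 0) { perror("seccomp"); return 1; }
    printf("after filter:  TIOCLINUX  -> %s\n", describe(probe_ioctl(fd, TIOCLINUX)));
    printf("after filter:  TIOCGWINSZ -> %s\n", describe(probe_ioctl(fd, TIOCGWINSZ)));
    return 0;
}
```

The control request TIOCGWINSZ in the last line is there to show the filter is precise: it still reaches the driver after the filter is loaded, so a confined application keeps working while the one request the advisory is about is cut off before it can touch the console.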


Version: 2.58+20.04 2023-01-30 18:07:10 UTC

  snapd (2.58+20.04) focal; urgency=medium

  * New upstream release, LP: #1998462
    - many: Use /tmp/snap-private-tmp for per-snap private tmps
    - data: Add systemd-tmpfiles configuration to create private tmp dir
    - cmd/snap: test allowed and forbidden refresh hold values
    - cmd/snap: be more consistent in --hold help and err messages
    - cmd/snap: error on refresh holds that are negative or too short
    - o/homedirs: make sure we do not write to /var on build time
    - image: make sure file customizations happen also when we have
      defaultscause
    - tests/fde-on-classic: set ubuntu-seed label in seed partitions
    - gadget: system-seed-null should also have fs label ubuntu-seed
    - many: gadget.HasRole, ubuntu-seed can come also from system-seed-null
    - o/devicestate: fix paths for retrieving recovery key on classic
    - cmd/snap-confine: do not discard const qualifier
    - interfaces: allow python3.10+ in the default template
    - o/restart: fix PendingForSystemRestart
    - interfaces: allow wayland slot snaps to access shm files created
      by Firefox
    - o/assertstate: add Sequence() to val set tracking
    - o/assertstate: set val set 'Current' to pinned sequence
    - tests: tweak the libvirt interface test to work on 22.10
    - tests: use system-seed-null role on classic with modes tests
    - boot: add directory for data on install
    - o/devicestate: change some names from esp to seed/seed-null
    - gadget: add system-seed-null role
    - o/devicestate: really add error to new error message
    - restart,snapstate: implement reboot-required notifications on
      classic
    - many: avoid automatic system restarts on classic through new
      overlord/restart logic
    - release: Fix WSL detection in LXD
    - o/state: introduce WaitStatus
    - interfaces: Fix desktop interface rules for document portal
    - client: remove classic check for `snap recovery --show-keys`
    - many: create snapd.mounts targets to schedule mount units
    - image: enable sysfs overlay for UC preseeding
    - i/b/network-control: add permissions for using AF_XDP
    - i/apparmor: move mocking of home and overlay conditions to osutil
    - tests/main/degraded: ignore man-db update failures in CentOS
    - cmd/snap: fix panic when running snap w/ flag but w/o subcommand
    - tests: save snaps generated during image preparation
    - tests: skip building snapd based on new env var
    - client: remove misleading comments in ValidateApplyOptions
    - boot/seal: add debug traces for bootchains
    - bootloader/assets: fix grub.cfg when there are no labels
    - cmd/snap: improve refresh hold's output
    - packaging: enable BPF in RHEL9
    - packaging: do not traverse filesystems in postrm script
    - tests: get microk8s from another branch
    - bootloader: do not specify Core version in grub entry
    - many: refresh --hold follow-up
    - many: support refresh hold/unhold to API and CLI
    - many: expand fully handling links mapping in all components, in
      the API and in snap info
    - snap/system_usernames,tests: Azure IoT Edge system usernames
    - interface: Allow access to
      org.freedesktop.DBus.ListActivatableNames via system-observe
      interface
    - o/devicestate,daemon: use the expiration date from the assertion
      in user-state and REST api (user-removal 4/n)
    - gadget: add unit tests for new install functions for FDE on
      classic
    - cmd/snap-seccomp: fix typo in AF_XDP value
    - tests/connected-after-reboot-revert: run also on UC16
    - kvm: allow read of AMD-SEV parameters
    - data: tweak apt integration config var
    - o/c/configcore: add faillock configuration
    - tests: use dbus-daemon instead of dbus-launch
    - packaging: remove unclean debian-sid patch
    - asserts: add keyword 'user-presence' keyword in system-user
      assertion (auto-removal 3/n)
    - interfaces: steam-support allow pivot /run/media and /etc/nvidia
      mount
    - aspects: initial code
    - overlord: process auto-import assertion at first boot
    - release, snapd-apparmor, syscheck: distinguish WSL1 and WSL2
    - tests: fix lxd-mount-units in ubuntu kinetic
    - tests: new variable used to configure the kernel command line in
      nested tests
    - go.mod: update to newer secboot/uc22 branch
    - autopkgtests: fix running autopkgtest on kinetic
    - tests: remove squashfs leftovers in fakeinstaller
    - tests: create partition table in fakeinstaller
    - o/ifacestate: introduce DebugAutoConnectCheck hook
    - tests: use test-snapd-swtpm instead of swtpm-mvo snap in nested
      helper
    - interfaces/polkit: do not require polkit directory if no file is
      needed
    - o/snapstate: be consistent not creating per-snap save dirs for
      classic models
    - inhibit: use hintFile()
    - tests: use `snap prepare-image` in fde-on-classic mk-image.sh
    - interfaces: add microceph interface
    - seccomp: allow opening XDP sockets
    - interfaces: allow access to icon subdirectories
    - tests: add minimal-smoke test for UC22 and increase minimal RAM
    - overlord: introduce hold levels in the snapstate.Hold* API
    - o/devicestate: support mounting ubuntu-save also on classic with
      modes
    - interfaces: steam-support allow additional mounts
    - fakeinstaller: format SystemDetails result with %+v
    - cmd/libsnap-confine-private: do not panic on chmod failure
    - tests: ensure that fakeinstaller put the seed into the right place
    - many: add stub services for prompting
    - tests: add libfwupd and libfwupdplugin5 to openSUSE dependencies
    - o/snapstate: fix snaps-hold pruning/reset in the presence of
      system holding
    - many: add support for setting up encryption from installer
    - many: support classic snaps in the context of classic and extended
      models
    - cmd/snap,daemon: allow zero values from client to daemon for
      journal rate limit
    - boot,o/devices

1998462 [SRU] 2.58

Version: 2.57.5+20.04ubuntu0.1 2022-12-01 04:06:30 UTC

  snapd (2.57.5+20.04ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: Local privilege escalation
    - snap-confine: Fix race condition in snap-confine when preparing a
      private tmp mount namespace for a snap
    - CVE-2022-3328

 -- Alex Murray <email address hidden> Mon, 28 Nov 2022 15:25:10 +1030


Version: 2.57.5+20.04 2022-10-25 19:07:22 UTC

  snapd (2.57.5+20.04) focal; urgency=medium

  * New upstream release, LP: #1983035
    - image: clean snapd mount after preseeding
    - wrappers,snap/quota: clear LogsDirectory= in the service unit
      for journal namespaces
    - cmd/snap,daemon: allow zero values from client to daemon for
      journal rate-limit
    - interfaces: steam-support allow pivot /run/media and /etc/nvidia
      mount
    - o/ifacestate: introduce DebugAutoConnectCheck hook
    - release, snapd-apparmor, syscheck: distinguish WSL1 and WSL2
    - autopkgtests: fix running autopkgtest on kinetic
    - interfaces: add microceph interface
    - interfaces: steam-support allow additional mounts
    - many: add stub services
    - interfaces: add kconfig paths to system-observe
    - i/b/system_observe: honour root dir when checking for
      /boot/config-*
    - interfaces: grant access to speech-dispatcher socket
    - interfaces: rework logic of unclashMountEntries

 -- Michael Vogt <email address hidden> Mon, 17 Oct 2022 18:25:18 +0200

1983035 [SRU] 2.57

Version: 2.55.5+20.04 2022-06-29 07:06:22 UTC

  snapd (2.55.5+20.04) focal; urgency=medium

  * New upstream release, LP: #1965808
    - snapstate: do not auto-migrate to ~/Snap for core22 just yet
    - cmd/snap-seccomp: add copy_file_range to
      syscallsWithNegArgsMaskHi32
    - cmd/snap-update-ns: correctly set sticky bit on created
      directories where applicable
    - .github: Skip misspell and ineffassign on go 1.13
    - tests: add lz4 dependency for jammy to avoid issues repacking
      kernel
    - interfaces: posix-mq: add new interface

 -- Michael Vogt <email address hidden> Wed, 11 May 2022 06:38:24 +0200

1965808 [SRU] 2.55.5
